Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2022 02:18
Static task: static1
Behavioral task: behavioral1
Sample: MT1893878746.PDF.IMG.exe
Resource: win7-20220901-en
General
Target: MT1893878746.PDF.IMG.exe
Size: 1.2MB
MD5: b7babb9f64a9ecd894d100ce02f132fe
SHA1: 8fa93c638d331f51ec638655d82ec431fdae3f6a
SHA256: fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
SHA512: 8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743
SSDEEP: 12288:4v+bQYpRi8N69+d0qKu3rXbSIVfqNZSM1fpJwNDxGVwef3G1oMfqzpcfu2E:bpRbi+d0qPVGZTFfLweO1oMSzpKE
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid  | process
  3124 | mt1893878746.pdf.img.exe
  2680 | mt1893878746.pdf.img.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description       | ioc                                                                                                  | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | MT1893878746.PDF.IMG.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | MT1893878746.PDF.IMG.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | mt1893878746.pdf.img.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                | pid  | process                  | target process
  set thread context of 1680 | 5056 | MT1893878746.PDF.IMG.exe | MT1893878746.PDF.IMG.exe
  set thread context of 2680 | 3124 | mt1893878746.pdf.img.exe | mt1893878746.pdf.img.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid  | process
  1592 | schtasks.exe
  3544 | schtasks.exe

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid  | process
  5056 | MT1893878746.PDF.IMG.exe
  5056 | MT1893878746.PDF.IMG.exe
  5056 | MT1893878746.PDF.IMG.exe
  5056 | MT1893878746.PDF.IMG.exe
  224  | powershell.exe
  224  | powershell.exe
  4288 | powershell.exe
  4288 | powershell.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid  | process
  2680 | mt1893878746.pdf.img.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 5056 | MT1893878746.PDF.IMG.exe
  Token: SeDebugPrivilege  | 224  | powershell.exe
  Token: SeDebugPrivilege  | 1680 | MT1893878746.PDF.IMG.exe
  Token: SeDebugPrivilege  | 4288 | powershell.exe
  Token: SeDebugPrivilege  | 2680 | mt1893878746.pdf.img.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid  | process
  2680 | mt1893878746.pdf.img.exe
Suspicious use of WriteProcessMemory (43 IoCs)
Processes:
  description             | pid  | process                  | target process
  wrote to memory of 224  | 5056 | MT1893878746.PDF.IMG.exe | powershell.exe
  wrote to memory of 224  | 5056 | MT1893878746.PDF.IMG.exe | powershell.exe
  wrote to memory of 224  | 5056 | MT1893878746.PDF.IMG.exe | powershell.exe
  wrote to memory of 1592 | 5056 | MT1893878746.PDF.IMG.exe | schtasks.exe
  wrote to memory of 1592 | 5056 | MT1893878746.PDF.IMG.exe | schtasks.exe
  wrote to memory of 1592 | 5056 | MT1893878746.PDF.IMG.exe | schtasks.exe
  wrote to memory of 3888 | 5056 | MT1893878746.PDF.IMG.exe | MT1893878746.PDF.IMG.exe
  wrote to memory of 3888 | 5056 | MT1893878746.PDF.IMG.exe | MT1893878746.PDF.IMG.exe
  wrote to memory of 3888 | 5056 | MT1893878746.PDF.IMG.exe | MT1893878746.PDF.IMG.exe
  wrote to memory of 2132 | 5056 | MT1893878746.PDF.IMG.exe | MT1893878746.PDF.IMG.exe
  wrote to memory of 2132 | 5056 | MT1893878746.PDF.IMG.exe | MT1893878746.PDF.IMG.exe
  wrote to memory of 2132 | 5056 | MT1893878746.PDF.IMG.exe | MT1893878746.PDF.IMG.exe
  wrote to memory of 1680 | 5056 | MT1893878746.PDF.IMG.exe | MT1893878746.PDF.IMG.exe
  wrote to memory of 1680 | 5056 | MT1893878746.PDF.IMG.exe | MT1893878746.PDF.IMG.exe
  wrote to memory of 1680 | 5056 | MT1893878746.PDF.IMG.exe | MT1893878746.PDF.IMG.exe
  wrote to memory of 1680 | 5056 | MT1893878746.PDF.IMG.exe | MT1893878746.PDF.IMG.exe
  wrote to memory of 1680 | 5056 | MT1893878746.PDF.IMG.exe | MT1893878746.PDF.IMG.exe
  wrote to memory of 1680 | 5056 | MT1893878746.PDF.IMG.exe | MT1893878746.PDF.IMG.exe
  wrote to memory of 1680 | 5056 | MT1893878746.PDF.IMG.exe | MT1893878746.PDF.IMG.exe
  wrote to memory of 1680 | 5056 | MT1893878746.PDF.IMG.exe | MT1893878746.PDF.IMG.exe
  wrote to memory of 3124 | 1680 | MT1893878746.PDF.IMG.exe | mt1893878746.pdf.img.exe
  wrote to memory of 3124 | 1680 | MT1893878746.PDF.IMG.exe | mt1893878746.pdf.img.exe
  wrote to memory of 3124 | 1680 | MT1893878746.PDF.IMG.exe | mt1893878746.pdf.img.exe
  wrote to memory of 4652 | 1680 | MT1893878746.PDF.IMG.exe | cmd.exe
  wrote to memory of 4652 | 1680 | MT1893878746.PDF.IMG.exe | cmd.exe
  wrote to memory of 4652 | 1680 | MT1893878746.PDF.IMG.exe | cmd.exe
  wrote to memory of 3252 | 4652 | cmd.exe                  | PING.EXE
  wrote to memory of 3252 | 4652 | cmd.exe                  | PING.EXE
  wrote to memory of 3252 | 4652 | cmd.exe                  | PING.EXE
  wrote to memory of 4288 | 3124 | mt1893878746.pdf.img.exe | powershell.exe
  wrote to memory of 4288 | 3124 | mt1893878746.pdf.img.exe | powershell.exe
  wrote to memory of 4288 | 3124 | mt1893878746.pdf.img.exe | powershell.exe
  wrote to memory of 3544 | 3124 | mt1893878746.pdf.img.exe | schtasks.exe
  wrote to memory of 3544 | 3124 | mt1893878746.pdf.img.exe | schtasks.exe
  wrote to memory of 3544 | 3124 | mt1893878746.pdf.img.exe | schtasks.exe
  wrote to memory of 2680 | 3124 | mt1893878746.pdf.img.exe | mt1893878746.pdf.img.exe
  wrote to memory of 2680 | 3124 | mt1893878746.pdf.img.exe | mt1893878746.pdf.img.exe
  wrote to memory of 2680 | 3124 | mt1893878746.pdf.img.exe | mt1893878746.pdf.img.exe
  wrote to memory of 2680 | 3124 | mt1893878746.pdf.img.exe | mt1893878746.pdf.img.exe
  wrote to memory of 2680 | 3124 | mt1893878746.pdf.img.exe | mt1893878746.pdf.img.exe
  wrote to memory of 2680 | 3124 | mt1893878746.pdf.img.exe | mt1893878746.pdf.img.exe
  wrote to memory of 2680 | 3124 | mt1893878746.pdf.img.exe | mt1893878746.pdf.img.exe
  wrote to memory of 2680 | 3124 | mt1893878746.pdf.img.exe | mt1893878746.pdf.img.exe
Processes
(indentation shows the process tree depth)

C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
  PID: 5056
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"
    PID: 224
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4343.tmp"
    PID: 1592
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
    PID: 3888

  C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
    PID: 2132

  C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
    PID: 1680
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"
      PID: 3124
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"
        PID: 4288
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1DF.tmp"
        PID: 3544
        - Creates scheduled task(s)

      C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"
        PID: 2680
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
      PID: 4652
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE
        Command line: ping 1.1.1.1 -n 1 -w 1000
        PID: 3252
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads