6436cc9f798618dcce8d46276d2bf95cfe2f3ec72d12cad218c6e7faa691d121

General

Target

46679_10774_USD·pdf.exe
Size

738KB
MD5

85eeda19da6f588695a43e0be0cab817
SHA1

006f2135a8cd9962c7f351592f0a632167690787
SHA256

97fadafd1711faa312709206b3363fc2a56b63ef31ef1319902efe672e30396e
SHA512

1bfe7c96814e90c1b6879bce16e98b0f96989d4257179f8c5c95b326ffdeecd7dfbd6d87209cd7832bb97dbb90d94ea6b897bcef84b12870ec122626737caa15
SSDEEP

12288:3JHNGwC7XzWWpH9WBjH+5ZdyQ43z9hxJU2B:1Qi0gk2B

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

46679_10774_USD·pdf.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions 46679_10774_USD·pdf.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

46679_10774_USD·pdf.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools 46679_10774_USD·pdf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	46679_10774_USD·pdf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	46679_10774_USD·pdf.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

46679_10774_USD·pdf.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	46679_10774_USD·pdf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	46679_10774_USD·pdf.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

46679_10774_USD·pdf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	46679_10774_USD·pdf.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	46679_10774_USD·pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

46679_10774_USD·pdf.exepowershell.exe

pid	process
1444	46679_10774_USD·pdf.exe
1444	46679_10774_USD·pdf.exe
1444	46679_10774_USD·pdf.exe
1444	46679_10774_USD·pdf.exe
1444	46679_10774_USD·pdf.exe
1444	46679_10774_USD·pdf.exe
1444	46679_10774_USD·pdf.exe
1444	46679_10774_USD·pdf.exe
1444	46679_10774_USD·pdf.exe
1444	46679_10774_USD·pdf.exe
1444	46679_10774_USD·pdf.exe
2008	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

46679_10774_USD·pdf.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1444 46679_10774_USD·pdf.exe
Token: SeDebugPrivilege 2008 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1444	46679_10774_USD·pdf.exe
Token: SeDebugPrivilege	2008	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

46679_10774_USD·pdf.exe

description	pid	process	target process
PID 1444 wrote to memory of 2008	1444	46679_10774_USD·pdf.exe	powershell.exe
PID 1444 wrote to memory of 2008	1444	46679_10774_USD·pdf.exe	powershell.exe
PID 1444 wrote to memory of 2008	1444	46679_10774_USD·pdf.exe	powershell.exe
PID 1444 wrote to memory of 2008	1444	46679_10774_USD·pdf.exe	powershell.exe
PID 1444 wrote to memory of 1756	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 1756	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 1756	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 1756	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 556	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 556	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 556	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 556	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 1196	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 1196	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 1196	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 1196	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 292	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 292	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 292	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 292	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 1516	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 1516	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 1516	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe
PID 1444 wrote to memory of 1516	1444	46679_10774_USD·pdf.exe	46679_10774_USD·pdf.exe

C:\Users\Admin\AppData\Local\Temp\46679_10774_USD·pdf.exe
"C:\Users\Admin\AppData\Local\Temp\46679_10774_USD·pdf.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\46679_10774_USD·pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\46679_10774_USD·pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\46679_10774_USD·pdf.exe"
  2⤵
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\46679_10774_USD·pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\46679_10774_USD·pdf.exe"
  2⤵
  PID:556
- C:\Users\Admin\AppData\Local\Temp\46679_10774_USD·pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\46679_10774_USD·pdf.exe"
  2⤵
  PID:1196
- C:\Users\Admin\AppData\Local\Temp\46679_10774_USD·pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\46679_10774_USD·pdf.exe"
  2⤵
  PID:292
- C:\Users\Admin\AppData\Local\Temp\46679_10774_USD·pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\46679_10774_USD·pdf.exe"
  2⤵
  PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1444-54-0x0000000000350000-0x000000000040E000-memory.dmp

Filesize
760KB

Download
memory/1444-55-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1444-56-0x0000000000330000-0x0000000000348000-memory.dmp

Filesize
96KB

Download
memory/1444-57-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/1444-58-0x0000000005160000-0x00000000051D0000-memory.dmp

Filesize
448KB

Download
memory/1444-61-0x0000000002130000-0x0000000002166000-memory.dmp

Filesize
216KB

Download
memory/2008-59-0x0000000000000000-mapping.dmp

Download
memory/2008-62-0x000000006F8E0000-0x000000006FE8B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-63-0x000000006F8E0000-0x000000006FE8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads