Analysis
- max time kernel: 241s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 08:58
Static task
- static1
Behavioral tasks
- behavioral1: sample "payment copy.pdf.exe", resource win7-20221111-en (the run reported below)
- behavioral2: sample "payment copy.pdf.exe", resource win10v2004-20220812-en
General
- Target: payment copy.pdf.exe
  The file name carries a decoy document extension in front of the real one. Windows Explorer hides known extensions by default, so the victim sees "payment copy.pdf" with an executable behind it.
- Size: 738KB
- MD5: 27d631027838d94262fe33e8b76b0543
- SHA1: 3fd40787525906c92cf9d485299e4d06b6043407
- SHA256: b7394e25936c4fd44716fcdcce914a35c0cdb0980e4527035681df4f800520e7
- SHA512: 07b34c65df7e9f80cbe84c11c290cd64dca7ee2394ec47c9ef39dad3640ffc47e73895c769b2160d912013d79250379dde2fc363dc2cfcc64374539f08573c5a
- SSDEEP: 12288:awlxmomPZefGPtqvyuzj8DNaHHAq17pKbZaws+iKvaSUih4qxs4jnTS+Co3ry/J:GomxiGQFviaub0wnieNfm46+RuJ
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature; nothing else in this run (no mass file writes, no dropped notes) supports a ransomware verdict. The rest of the report shows Defender tampering and scheduled-task persistence.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid    process                 events
  520    payment copy.pdf.exe    31
  1508   powershell.exe          1
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  pid    process                 token
  520    payment copy.pdf.exe    SeDebugPrivilege
  1508   powershell.exe          SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  source pid   source process          target pid   target process    events
  520          payment copy.pdf.exe    1508         powershell.exe    4
  520          payment copy.pdf.exe    1560         schtasks.exe      4
  Writes into a freshly created child are also how CreateProcess installs the child's process parameters, so these eight events by themselves do not establish injection; the children's command lines (below) are the substantive evidence.
Processes
- C:\Users\Admin\AppData\Local\Temp\payment copy.pdf.exe (PID 520)
  Command line: "C:\Users\Admin\AppData\Local\Temp\payment copy.pdf.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1508, child of 520)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xlZIAWSuNdLq.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 1560, child of 520)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xlZIAWSuNdLq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD74D.tmp"
    - Creates scheduled task(s)

Notes on the tree:
- The command lines name System32 but the recorded images live under SysWOW64. The parent is a 32-bit process (the resource tags include arch:x86), so WOW64 file-system redirection resolves System32\ to SysWOW64\ for the children it launches. Detection logic keyed on the image path must treat the two directories as equivalent.
- The PowerShell child adds a Microsoft Defender exclusion for a path under %APPDATA% whose file name matches the scheduled task name (xlZIAWSuNdLq). No write to that path is recorded in this run, so the exclusion is presumably registered ahead of the copy it is meant to protect. Add-MpPreference requires an elevated context, which the sandbox's Admin user supplies. This maps to ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools).
- The schtasks child registers the task "Updates\xlZIAWSuNdLq" from tmpD74D.tmp, the 1KB file listed under Downloads. Because the definition is supplied as XML, the trigger and action do not appear on the command line; recover them from the dropped file. This maps to ATT&CK T1053.005 (Scheduled Task/Job: Scheduled Task).
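The following detection logic is an added example for this report, not part of the sandbox output. It runs over constructed process-creation records modelled on the tree above (the PIDs and command lines of 520, 1508 and 1560 are taken from the report; the record shape, the parent of 520 and a benign control record are assumptions) and flags the two behaviours that matter here: a Defender exclusion added through Add-MpPreference, and a scheduled task registered from an XML file in a user-writable directory. It also folds SysWOW64 onto System32 so the rule is not defeated by the redirection noted above, and records whether the parent carries a decoy double extension.

```python
"""Triage rules for the behaviours in this report, run over process-creation records.

Added example, not part of the sandbox output. Records carry pid, ppid, image and
cmdline, as Sysmon Event ID 1 or Windows Security event 4688 would; the ppid values
and the benign control record are constructed for the demonstration.
"""
import re
from typing import Dict, Iterable, List

# User-writable locations: a Defender exclusion or task XML here is far more
# suspicious than one under Program Files.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData)\\", re.I)
# Decoy document extension in front of an executable one ("payment copy.pdf.exe").
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt|zip)\.(exe|scr|com|pif)$", re.I)


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans
    together. Enough for schtasks/powershell arguments; it does not model every
    CommandLineToArgvW backslash rule."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def normalize_image(image: str) -> str:
    """Fold WOW64 redirection: a 32-bit parent that launches System32\\x.exe is
    recorded as SysWOW64\\x.exe, and both must hit the same rule."""
    return re.sub(r"\\SysWOW64\\", r"\\System32\\", image, flags=re.I)


def arg_after(tokens: List[str], flag: str) -> str:
    """Value following a case-insensitive flag such as /XML or -ExclusionPath."""
    lowered = [t.lower() for t in tokens]
    if flag.lower() in lowered:
        i = lowered.index(flag.lower())
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return ""


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per Defender exclusion added via PowerShell and per
    scheduled task registered from an XML file in a user-writable directory.
    Each finding records whether the parent image has a decoy double extension."""
    events = list(events)
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = normalize_image(e["image"]).lower()
        tokens = split_cmdline(e["cmdline"])
        lowered = [t.lower() for t in tokens]
        parent = by_pid.get(e.get("ppid"))
        decoy_parent = bool(parent and DOUBLE_EXT.search(parent["image"].rsplit("\\", 1)[-1]))

        if image.endswith("\\powershell.exe") and "add-mppreference" in lowered:
            for flag in ("-ExclusionPath", "-ExclusionProcess", "-ExclusionExtension"):
                value = arg_after(tokens, flag)
                if value:
                    findings.append({
                        "pid": e["pid"], "rule": "defender_exclusion", "flag": flag,
                        "value": value,
                        "severity": "high" if USER_WRITABLE.search(value) else "medium",
                        "decoy_parent": decoy_parent,
                    })
        if image.endswith("\\schtasks.exe") and "/create" in lowered:
            xml = arg_after(tokens, "/XML")
            if xml and USER_WRITABLE.search(xml):
                findings.append({
                    "pid": e["pid"], "rule": "schtask_from_temp_xml",
                    "task": arg_after(tokens, "/TN"), "xml": xml,
                    "severity": "high", "decoy_parent": decoy_parent,
                })
    return findings


# Constructed records modelled on this report's process tree (PIDs 520, 1508, 1560
# and their command lines are from the report; the parent of 520 is unknown here).
SAMPLE_EVENTS = [
    {"pid": 520, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\payment copy.pdf.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\payment copy.pdf.exe"'},
    {"pid": 1508, "ppid": 520,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xlZIAWSuNdLq.exe"'},
    {"pid": 1560, "ppid": 520,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xlZIAWSuNdLq" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpD74D.tmp"'},
    # Constructed benign control: an installer registering a task from Program Files.
    {"pid": 2000, "ppid": 1999,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Updater" '
                r'/XML "C:\Program Files\Vendor\updater.xml"'},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed records, the rules fire on PIDs 1508 and 1560 only, both tagged with a decoy-extension parent; the Program Files control produces nothing, which is the point of keying the schtasks rule on the XML location rather than on /Create alone. In production the same logic would consume Sysmon or 4688 events and should be paired with the Defender operational log (event 5007 records the exclusion change itself) so the detection does not depend on command-line logging being enabled.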
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD74D.tmp (the task definition passed to schtasks /XML above)
  Filesize: 1KB
  MD5: 9593ef6c2651585397fce02bf3828b25
  SHA1: 645dd6320ffd4e3eb5c22c08ece9f3c34004d160
  SHA256: 51420654caf3eba99c0107d8776bd996d5a7502838fdb79cbeaa2b09c519023d
  SHA512: 36019cf6c9c3f49cd236279a00bf360aab2fecf368232f92abf81d2c80249ec51399e3e12cc46ba4f1239d78f35da45c3c65e02e922573be63ce50a5cf80d8f0

Memory dumps:
- memory/520-54-0x0000000000F00000-0x0000000000FBE000-memory.dmp    760KB
- memory/520-55-0x00000000759F1000-0x00000000759F3000-memory.dmp    8KB
- memory/520-56-0x00000000003E0000-0x00000000003FA000-memory.dmp    104KB
- memory/520-57-0x0000000000300000-0x000000000030E000-memory.dmp    56KB
- memory/520-58-0x0000000005ED0000-0x0000000005F4C000-memory.dmp    496KB
- memory/1508-59-0x0000000000000000-mapping.dmp
- memory/1508-63-0x000000006E2E0000-0x000000006E88B000-memory.dmp   5.7MB
- memory/1508-64-0x000000006E2E0000-0x000000006E88B000-memory.dmp   5.7MB
- memory/1560-60-0x0000000000000000-mapping.dmp