b7394e25936c4fd44716fcdcce914a35c0cdb0980e4527035681df4f800520e7

Analysis

max time kernel
241s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payment copy.pdf.exe
Size

738KB
MD5

27d631027838d94262fe33e8b76b0543
SHA1

3fd40787525906c92cf9d485299e4d06b6043407
SHA256

b7394e25936c4fd44716fcdcce914a35c0cdb0980e4527035681df4f800520e7
SHA512

07b34c65df7e9f80cbe84c11c290cd64dca7ee2394ec47c9ef39dad3640ffc47e73895c769b2160d912013d79250379dde2fc363dc2cfcc64374539f08573c5a
SSDEEP

12288:awlxmomPZefGPtqvyuzj8DNaHHAq17pKbZaws+iKvaSUih4qxs4jnTS+Co3ry/J:GomxiGQFviaub0wnieNfm46+RuJ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1560 schtasks.exe

pid	process
1560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

payment copy.pdf.exepowershell.exe

pid	process
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe
1508	powershell.exe
520	payment copy.pdf.exe
520	payment copy.pdf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

payment copy.pdf.exepowershell.exe

description pid process

Token: SeDebugPrivilege 520 payment copy.pdf.exe
Token: SeDebugPrivilege 1508 powershell.exe

description	pid	process
Token: SeDebugPrivilege	520	payment copy.pdf.exe
Token: SeDebugPrivilege	1508	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

payment copy.pdf.exe

description	pid	process	target process
PID 520 wrote to memory of 1508	520	payment copy.pdf.exe	powershell.exe
PID 520 wrote to memory of 1508	520	payment copy.pdf.exe	powershell.exe
PID 520 wrote to memory of 1508	520	payment copy.pdf.exe	powershell.exe
PID 520 wrote to memory of 1508	520	payment copy.pdf.exe	powershell.exe
PID 520 wrote to memory of 1560	520	payment copy.pdf.exe	schtasks.exe
PID 520 wrote to memory of 1560	520	payment copy.pdf.exe	schtasks.exe
PID 520 wrote to memory of 1560	520	payment copy.pdf.exe	schtasks.exe
PID 520 wrote to memory of 1560	520	payment copy.pdf.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\payment copy.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\payment copy.pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xlZIAWSuNdLq.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xlZIAWSuNdLq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD74D.tmp"
2⤵
- Creates scheduled task(s)
PID:1560

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD74D.tmp
Filesize
1KB

MD5
9593ef6c2651585397fce02bf3828b25

SHA1
645dd6320ffd4e3eb5c22c08ece9f3c34004d160

SHA256
51420654caf3eba99c0107d8776bd996d5a7502838fdb79cbeaa2b09c519023d

SHA512
36019cf6c9c3f49cd236279a00bf360aab2fecf368232f92abf81d2c80249ec51399e3e12cc46ba4f1239d78f35da45c3c65e02e922573be63ce50a5cf80d8f0

Download Submit
memory/520-54-0x0000000000F00000-0x0000000000FBE000-memory.dmp

Filesize
760KB

Download
memory/520-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/520-56-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/520-57-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/520-58-0x0000000005ED0000-0x0000000005F4C000-memory.dmp

Filesize
496KB

Download
memory/1508-59-0x0000000000000000-mapping.dmp

Download
memory/1508-63-0x000000006E2E0000-0x000000006E88B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-64-0x000000006E2E0000-0x000000006E88B000-memory.dmp

Filesize
5.7MB

Download
memory/1560-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads