Analysis
max time kernel: 91s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-02-2023 07:08
Static task: static1
Behavioral task: behavioral1
  Sample: 200333852-042536-sanlccjavap0004-4332.pdf.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 200333852-042536-sanlccjavap0004-4332.pdf.exe
  Resource: win10v2004-20221111-en
General
Target: 200333852-042536-sanlccjavap0004-4332.pdf.exe
Size: 590KB
MD5: e1f1c869069a506fbba24fe57af294d1
SHA1: 402cfe8ce3c76bc658bbdcc503e8b91d841c33b8
SHA256: d8933e7d6e91c53200c334528a935434d1b0e2ce2286e9842e75911ea832b8c7
SHA512: 15e6124c598b5280fa1c69ca2a115aa27420477d5de7b95a0db20abb64bea3a587424da5c54b6d8dbedf7ccdf7a7d26b529e57f5fad34f3bfb4152a23b55bd41
SSDEEP: 12288:tgL+rDzX8+uSoJF6qmq+biBie2VlBvt4bgjoS9nOu2prh:M2ESofoqCDfnIooS9nL2pt
Malware Config
Signatures

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  3452  200333852-042536-sanlccjavap0004-4332.pdf.exe
  3452  200333852-042536-sanlccjavap0004-4332.pdf.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                                                                     process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                        taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                           taskmgr.exe
Suspicious behavior: EnumeratesProcesses (19 IoCs)
Processes:
  pid   process
  4724  taskmgr.exe  (same row repeated 19 times)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  description                        pid   process
  Token: SeDebugPrivilege            4724  taskmgr.exe
  Token: SeSystemProfilePrivilege    4724  taskmgr.exe
  Token: SeCreateGlobalPrivilege     4724  taskmgr.exe
  Token: 33                          4724  taskmgr.exe
  Token: SeIncBasePriorityPrivilege  4724  taskmgr.exe
Suspicious use of FindShellTrayWindow (45 IoCs)
Processes:
  pid   process
  4724  taskmgr.exe  (same row repeated 45 times)
Suspicious use of SendNotifyMessage (45 IoCs)
Processes:
  pid   process
  4724  taskmgr.exe  (same row repeated 45 times)
Processes

C:\Users\Admin\AppData\Local\Temp\200333852-042536-sanlccjavap0004-4332.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\200333852-042536-sanlccjavap0004-4332.pdf.exe"
  Depth: 1
  - Loads dropped DLL
  PID: 3452

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Depth: 1
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4724
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\nso9EF6.tmp\System.dll
  Filesize: 11KB
  MD5: 0ff2d70cfdc8095ea99ca2dabbec3cd7
  SHA1: 10c51496d37cecd0e8a503a5a9bb2329d9b38116
  SHA256: 982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
  SHA512: cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e
memory/3452-134-0x00000000049C0000-0x000000000639C000-memory.dmp
  Filesize: 25.9MB

memory/3452-135-0x00000000049C0000-0x000000000639C000-memory.dmp
  Filesize: 25.9MB