cc0caa36bb40f1d15b6f338539239dc0fb978d38620e5f8d21b86a45e682e6e6

Analysis

max time kernel
56s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-03-2023 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOC00163936-pdf.exe
Size

1.4MB
MD5

d09bba5762384cc89632817f05a6e930
SHA1

c3cba9fb29262d1ea796c9c90e23b73db5077b32
SHA256

cc0caa36bb40f1d15b6f338539239dc0fb978d38620e5f8d21b86a45e682e6e6
SHA512

7c74adb802167f066d0cf1ff97fa36cbfacc30ca1a5c8d8f4116725011b260506dc6f1767a5ea1f149c3cf2840c6ac5ec4a438e9a1bfe84c446232e533ad99f1
SSDEEP

12288:/56S8U9J7BmsH6UstLIAYB9oiCRFx3HTQrZYeafOfXL2iTmwA4cX3MzSSV93QMOK:NoS6rtLlYlCbJ8RGOfJ04JSSDYs

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1656	DOC00163936-pdf.exe
1656	DOC00163936-pdf.exe
1656	DOC00163936-pdf.exe
1656	DOC00163936-pdf.exe
1656	DOC00163936-pdf.exe
1656	DOC00163936-pdf.exe
1656	DOC00163936-pdf.exe
1656	DOC00163936-pdf.exe
1656	DOC00163936-pdf.exe
1656	DOC00163936-pdf.exe
1480	powershell.exe
268	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	DOC00163936-pdf.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1480	1656	DOC00163936-pdf.exe	28
PID 1656 wrote to memory of 1480	1656	DOC00163936-pdf.exe	28
PID 1656 wrote to memory of 1480	1656	DOC00163936-pdf.exe	28
PID 1656 wrote to memory of 1480	1656	DOC00163936-pdf.exe	28
PID 1656 wrote to memory of 268	1656	DOC00163936-pdf.exe	30
PID 1656 wrote to memory of 268	1656	DOC00163936-pdf.exe	30
PID 1656 wrote to memory of 268	1656	DOC00163936-pdf.exe	30
PID 1656 wrote to memory of 268	1656	DOC00163936-pdf.exe	30
PID 1656 wrote to memory of 1152	1656	DOC00163936-pdf.exe	32
PID 1656 wrote to memory of 1152	1656	DOC00163936-pdf.exe	32
PID 1656 wrote to memory of 1152	1656	DOC00163936-pdf.exe	32
PID 1656 wrote to memory of 1152	1656	DOC00163936-pdf.exe	32
PID 1656 wrote to memory of 1348	1656	DOC00163936-pdf.exe	34
PID 1656 wrote to memory of 1348	1656	DOC00163936-pdf.exe	34
PID 1656 wrote to memory of 1348	1656	DOC00163936-pdf.exe	34
PID 1656 wrote to memory of 1348	1656	DOC00163936-pdf.exe	34
PID 1656 wrote to memory of 864	1656	DOC00163936-pdf.exe	35
PID 1656 wrote to memory of 864	1656	DOC00163936-pdf.exe	35
PID 1656 wrote to memory of 864	1656	DOC00163936-pdf.exe	35
PID 1656 wrote to memory of 864	1656	DOC00163936-pdf.exe	35
PID 1656 wrote to memory of 1812	1656	DOC00163936-pdf.exe	36
PID 1656 wrote to memory of 1812	1656	DOC00163936-pdf.exe	36
PID 1656 wrote to memory of 1812	1656	DOC00163936-pdf.exe	36
PID 1656 wrote to memory of 1812	1656	DOC00163936-pdf.exe	36
PID 1656 wrote to memory of 1016	1656	DOC00163936-pdf.exe	37
PID 1656 wrote to memory of 1016	1656	DOC00163936-pdf.exe	37
PID 1656 wrote to memory of 1016	1656	DOC00163936-pdf.exe	37
PID 1656 wrote to memory of 1016	1656	DOC00163936-pdf.exe	37
PID 1656 wrote to memory of 292	1656	DOC00163936-pdf.exe	38
PID 1656 wrote to memory of 292	1656	DOC00163936-pdf.exe	38
PID 1656 wrote to memory of 292	1656	DOC00163936-pdf.exe	38
PID 1656 wrote to memory of 292	1656	DOC00163936-pdf.exe	38

C:\Users\Admin\AppData\Local\Temp\DOC00163936-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DOC00163936-pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DOC00163936-pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QxzUfmxdkbta.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QxzUfmxdkbta" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF29.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1152
- C:\Users\Admin\AppData\Local\Temp\DOC00163936-pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\DOC00163936-pdf.exe"
  2⤵
  PID:1348
- C:\Users\Admin\AppData\Local\Temp\DOC00163936-pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\DOC00163936-pdf.exe"
  2⤵
  PID:864
- C:\Users\Admin\AppData\Local\Temp\DOC00163936-pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\DOC00163936-pdf.exe"
  2⤵
  PID:1812
- C:\Users\Admin\AppData\Local\Temp\DOC00163936-pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\DOC00163936-pdf.exe"
  2⤵
  PID:1016
- C:\Users\Admin\AppData\Local\Temp\DOC00163936-pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\DOC00163936-pdf.exe"
  2⤵
  PID:292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDF29.tmp

Filesize
1KB

MD5
25442308d3c406d7b5f6104a5d2145c4

SHA1
ab61b8e83f000c6b311c44d484e7af0d069f4f73

SHA256
e1c081db4183648b22026115f51515b604c9907cff27451a5d6d90e6910b060c

SHA512
2989aa1943987a9ad864e8090019ec87b02550405ec7d5b9201443a51f6f176b8f3c300935deacf1fddacf9805dfc60db453c8ca033d437f0f8f087226028e0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e0441fff0af2985b5d64d036a199bf8f

SHA1
f9696c701378e5f72021841702d049d5c263dc07

SHA256
4f93b88544bf407ba88082f908797c24e5a0a4e4a4c9ddd75f7181acd9cbb9fa

SHA512
dccd6d5e0eee49142a3b094d540efb1af265f68d206f2ccf3b131ad92e786445756b0d37b1350c23d039a6d22f35c02e2cfc0dfce091b508806b0e4a47bed9b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e0441fff0af2985b5d64d036a199bf8f

SHA1
f9696c701378e5f72021841702d049d5c263dc07

SHA256
4f93b88544bf407ba88082f908797c24e5a0a4e4a4c9ddd75f7181acd9cbb9fa

SHA512
dccd6d5e0eee49142a3b094d540efb1af265f68d206f2ccf3b131ad92e786445756b0d37b1350c23d039a6d22f35c02e2cfc0dfce091b508806b0e4a47bed9b2

Download Submit
memory/268-74-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/1656-54-0x0000000000350000-0x00000000004BA000-memory.dmp

Filesize
1.4MB

Download
memory/1656-55-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/1656-56-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/1656-57-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/1656-58-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/1656-59-0x0000000005410000-0x00000000054B0000-memory.dmp

Filesize
640KB

Download
memory/1656-72-0x0000000002170000-0x0000000002176000-memory.dmp

Filesize
24KB

Download
memory/1656-73-0x0000000004D60000-0x0000000004D8A000-memory.dmp

Filesize
168KB

Download