0543d3e6b17798c68a8f2442b5d2bc1a2407dbdabd0c82ba7c8ddcde3488f662

General

Target

updated SOA.pdf.exe
Size

705KB
MD5

72b566a19405295457438c5373f2e91c
SHA1

bc3ea0e5fb136dfc33d7442fd191439501b55303
SHA256

0543d3e6b17798c68a8f2442b5d2bc1a2407dbdabd0c82ba7c8ddcde3488f662
SHA512

9e241b12f6d2b08450966ec9162e0a241d71469a2527d2dcc65e04b47c5772f3136dbb2a1482413bddd0a022f9155e5cef7a1c48aa8fb4d7a620c5f5d23a8c87
SSDEEP

12288:nzveLTgNGSD7QK8oX97/kBPB/SyXEROFIA/DLRPbnf7+mWc1:ze/MMZU9Tu5qydFN9Tf7+Jc

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1132 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

updated SOA.pdf.exe

pid process

908 updated SOA.pdf.exe
908 updated SOA.pdf.exe
908 updated SOA.pdf.exe
908 updated SOA.pdf.exe
908 updated SOA.pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

updated SOA.pdf.exe

description pid process

Token: SeDebugPrivilege 908 updated SOA.pdf.exe

pid	process
1132	schtasks.exe

pid	process
908	updated SOA.pdf.exe
908	updated SOA.pdf.exe
908	updated SOA.pdf.exe
908	updated SOA.pdf.exe
908	updated SOA.pdf.exe

description	pid	process
Token: SeDebugPrivilege	908	updated SOA.pdf.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

updated SOA.pdf.exe

description	pid	process	target process
PID 908 wrote to memory of 1132	908	updated SOA.pdf.exe	schtasks.exe
PID 908 wrote to memory of 1132	908	updated SOA.pdf.exe	schtasks.exe
PID 908 wrote to memory of 1132	908	updated SOA.pdf.exe	schtasks.exe
PID 908 wrote to memory of 1132	908	updated SOA.pdf.exe	schtasks.exe
PID 908 wrote to memory of 844	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 844	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 844	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 844	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 844	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 844	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 844	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 1872	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 1872	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 1872	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 1872	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 1872	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 1872	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 1872	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 1356	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 1356	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 1356	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 1356	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 1356	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 1356	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 1356	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 676	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 676	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 676	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 676	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 676	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 676	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 676	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 568	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 568	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 568	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 568	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 568	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 568	908	updated SOA.pdf.exe	updated SOA.pdf.exe
PID 908 wrote to memory of 568	908	updated SOA.pdf.exe	updated SOA.pdf.exe

C:\Users\Admin\AppData\Local\Temp\updated SOA.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\updated SOA.pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ykcziJshCF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7927.tmp"
2⤵
- Creates scheduled task(s)
PID:1132

C:\Users\Admin\AppData\Local\Temp\updated SOA.pdf.exe
"{path}"
2⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\updated SOA.pdf.exe
"{path}"
2⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\updated SOA.pdf.exe
"{path}"
2⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\updated SOA.pdf.exe
"{path}"
2⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\updated SOA.pdf.exe
"{path}"
2⤵
PID:568

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7927.tmp
Filesize
1KB

MD5
4cac117935355c4360b42e16adbc6677

SHA1
61e9431b3f08d9138392d835a8c1fbb09c6fe5c0

SHA256
fe5197cd18ad32a6cf656f7153505967711d059ff183258fb47a818961a9fc7d

SHA512
8c8bbb136edd11e9152be64034a366358acf253ee0f054b9a5875b13241fa72eb3b80529159711f7ab871bf7cb24da34b938c61a79b5fd9fb563a8c9c949da71

Download Submit
memory/908-54-0x00000000003C0000-0x0000000000476000-memory.dmp

Filesize
728KB

Download
memory/908-55-0x0000000004E40000-0x0000000004E80000-memory.dmp

Filesize
256KB

Download
memory/908-56-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/908-57-0x0000000004E40000-0x0000000004E80000-memory.dmp

Filesize
256KB

Download
memory/908-58-0x0000000004840000-0x00000000048BE000-memory.dmp

Filesize
504KB

Download
memory/908-59-0x0000000000580000-0x00000000005B0000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads