74e150367f59cc92a48c8725120865c7b94312981a09d981760431da4485ed50

General

Target

hotel-requirements.pdf/hotel-requirements.pdf.scr
Size

564.4MB
MD5

7faa29f9a965143cf67f27c1455111c1
SHA1

f5c34c4399c2fca31c6ac05e14a566374c6732a9
SHA256

a06612c8c0ff60c840da39e7d8571e949716bdec4c4a6582fdaae25216907fbe
SHA512

2caffe5412262a291fa76a5887ccff316b3983a675a16d97c4dcde087ae3d3ccdb9685f66dbc999d1ade1888d6df45d015e1dd9bc0d396a2abf8761949bf3dd6
SSDEEP

786432:MA5OgdnGFPsX2YiMiqN7z5EYUj4Vtpe9oA4Jxo88nvcVkf/2npG4U:M4d2oiU7z5EZMre9GJxo8q0Vkf8a

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Installer-Wizard_v1.4o.7n.exe

pid process

2012 Installer-Wizard_v1.4o.7n.exe
Loads dropped DLL 1 IoCs

Processes:

hotel-requirements.pdf.scr

pid process

2032 hotel-requirements.pdf.scr
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1140 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1140 powershell.exe

pid	process
2012	Installer-Wizard_v1.4o.7n.exe

pid	process
2032	hotel-requirements.pdf.scr

pid	process
1140	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1140	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

hotel-requirements.pdf.scrInstaller-Wizard_v1.4o.7n.exe

description	pid	process	target process
PID 2032 wrote to memory of 2012	2032	hotel-requirements.pdf.scr	Installer-Wizard_v1.4o.7n.exe
PID 2032 wrote to memory of 2012	2032	hotel-requirements.pdf.scr	Installer-Wizard_v1.4o.7n.exe
PID 2032 wrote to memory of 2012	2032	hotel-requirements.pdf.scr	Installer-Wizard_v1.4o.7n.exe
PID 2032 wrote to memory of 2012	2032	hotel-requirements.pdf.scr	Installer-Wizard_v1.4o.7n.exe
PID 2032 wrote to memory of 2012	2032	hotel-requirements.pdf.scr	Installer-Wizard_v1.4o.7n.exe
PID 2032 wrote to memory of 2012	2032	hotel-requirements.pdf.scr	Installer-Wizard_v1.4o.7n.exe
PID 2032 wrote to memory of 2012	2032	hotel-requirements.pdf.scr	Installer-Wizard_v1.4o.7n.exe
PID 2012 wrote to memory of 1140	2012	Installer-Wizard_v1.4o.7n.exe	powershell.exe
PID 2012 wrote to memory of 1140	2012	Installer-Wizard_v1.4o.7n.exe	powershell.exe
PID 2012 wrote to memory of 1140	2012	Installer-Wizard_v1.4o.7n.exe	powershell.exe
PID 2012 wrote to memory of 1140	2012	Installer-Wizard_v1.4o.7n.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\hotel-requirements.pdf\hotel-requirements.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\hotel-requirements.pdf\hotel-requirements.pdf.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\Installer-Wizard_v1.4o.7n\Installer-Wizard_v1.4o.7n.exe
"C:\Users\Admin\AppData\Local\Temp\Installer-Wizard_v1.4o.7n\Installer-Wizard_v1.4o.7n.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Installer-Wizard_v1.4o.7n\Installer-Wizard_v1.4o.7n.exe
Filesize
74.3MB

MD5
4ca5ed9d8c94d36e9291d79f98194dc2

SHA1
de70cc4d3bcc448c092c5bd99ee661373f76383d

SHA256
5877e8427328cf96115d79d42767fa65c4b54212a0ade9becb8effbc8d3b7074

SHA512
d8552f61a3de0170ca5002b02b64dd6a9ab613c8e49b292f310596e52042534fc6b6cb03a71cd63fb9ff8234dd4ff46313b59f29db26e3043af078e6674caded

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer-Wizard_v1.4o.7n\Installer-Wizard_v1.4o.7n.exe
Filesize
74.3MB

MD5
4ca5ed9d8c94d36e9291d79f98194dc2

SHA1
de70cc4d3bcc448c092c5bd99ee661373f76383d

SHA256
5877e8427328cf96115d79d42767fa65c4b54212a0ade9becb8effbc8d3b7074

SHA512
d8552f61a3de0170ca5002b02b64dd6a9ab613c8e49b292f310596e52042534fc6b6cb03a71cd63fb9ff8234dd4ff46313b59f29db26e3043af078e6674caded

Download Submit
\Users\Admin\AppData\Local\Temp\Installer-Wizard_v1.4o.7n\Installer-Wizard_v1.4o.7n.exe
Filesize
74.3MB

MD5
4ca5ed9d8c94d36e9291d79f98194dc2

SHA1
de70cc4d3bcc448c092c5bd99ee661373f76383d

SHA256
5877e8427328cf96115d79d42767fa65c4b54212a0ade9becb8effbc8d3b7074

SHA512
d8552f61a3de0170ca5002b02b64dd6a9ab613c8e49b292f310596e52042534fc6b6cb03a71cd63fb9ff8234dd4ff46313b59f29db26e3043af078e6674caded

Download Submit
memory/1140-66-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/1140-67-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/1140-68-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/1140-69-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/1140-70-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/1140-71-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2012-61-0x0000000000930000-0x0000000005376000-memory.dmp

Filesize
74.3MB

Download
memory/2012-62-0x00000000099D0000-0x0000000009A10000-memory.dmp

Filesize
256KB

Download
memory/2012-65-0x00000000099D0000-0x0000000009A10000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing