b8a047e3cd4389b70d5328f8828567ecfd7d308aaa8023f27d2eae441c8b2c05

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19-07-2023 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW ORDER SAMPLE LITS.pdf.exe
Size

829KB
MD5

29ab96aab2936a83493071d8bbd1152b
SHA1

c0ffbc52934f45ac5de2af1bc545a11f3d961713
SHA256

b8a047e3cd4389b70d5328f8828567ecfd7d308aaa8023f27d2eae441c8b2c05
SHA512

25a083b2b89d96b6aa10a280e82e2837d6d0659e3d33c16528b87210df5022e5264588e93246fdbedef9ad2bb8410a88c7e7ed302bf93c938f26292b4d72f06a
SSDEEP

12288:f3DkEGDINi1EwkG8/sHWihcD8hwbL8tN2cEFLjGPSciSYoIjYtl0xzyuxHHmC5:/DkUNi1EvGVWD8u8EGac3YoIxpV5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
880	PO.exe

Loads dropped DLL 9 IoCs

pid	Process
2404	NEW ORDER SAMPLE LITS.pdf.exe
2404	NEW ORDER SAMPLE LITS.pdf.exe
2404	NEW ORDER SAMPLE LITS.pdf.exe
2404	NEW ORDER SAMPLE LITS.pdf.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2408	880	WerFault.exe	29

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1632	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 880	2404	NEW ORDER SAMPLE LITS.pdf.exe	29
PID 2404 wrote to memory of 880	2404	NEW ORDER SAMPLE LITS.pdf.exe	29
PID 2404 wrote to memory of 880	2404	NEW ORDER SAMPLE LITS.pdf.exe	29
PID 2404 wrote to memory of 880	2404	NEW ORDER SAMPLE LITS.pdf.exe	29
PID 880 wrote to memory of 2408	880	PO.exe	32
PID 880 wrote to memory of 2408	880	PO.exe	32
PID 880 wrote to memory of 2408	880	PO.exe	32
PID 880 wrote to memory of 2408	880	PO.exe	32

C:\Users\Admin\AppData\Local\Temp\NEW ORDER SAMPLE LITS.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER SAMPLE LITS.pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 664
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2408

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
562KB

MD5
1bad855e1df90fd74c5b3805f36f5639

SHA1
0eb7fa3a9bccc07282bef5550a904dd2a41e88e8

SHA256
30ff178e9964e2d9400fae08753513e59cf2f82271f466169afc0daf3769ecb6

SHA512
f77be8f0ef65468e4306bf782e062b9f17bb8e62235f71a507e528f08246c968013c68bc9cf046f8dc8c7c4c1079dae65a99749821fb16df4836bdbfcfd7745c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
562KB

MD5
1bad855e1df90fd74c5b3805f36f5639

SHA1
0eb7fa3a9bccc07282bef5550a904dd2a41e88e8

SHA256
30ff178e9964e2d9400fae08753513e59cf2f82271f466169afc0daf3769ecb6

SHA512
f77be8f0ef65468e4306bf782e062b9f17bb8e62235f71a507e528f08246c968013c68bc9cf046f8dc8c7c4c1079dae65a99749821fb16df4836bdbfcfd7745c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
562KB

MD5
1bad855e1df90fd74c5b3805f36f5639

SHA1
0eb7fa3a9bccc07282bef5550a904dd2a41e88e8

SHA256
30ff178e9964e2d9400fae08753513e59cf2f82271f466169afc0daf3769ecb6

SHA512
f77be8f0ef65468e4306bf782e062b9f17bb8e62235f71a507e528f08246c968013c68bc9cf046f8dc8c7c4c1079dae65a99749821fb16df4836bdbfcfd7745c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg

Filesize
83KB

MD5
016025125f3b479aaabf8a4246073856

SHA1
123cf64214f2ba96dedc076d388ddf60d2ec5ce5

SHA256
39f3195908d56ee6d4d0f6484c913bbb268e934121856c590b397bbf7a3573ca

SHA512
4c83f010593e2ec86de367653a0c03aad7a41d1a7f6e26e302666ee81b6f4f4841e3395a026856e35ba9d092ef530af0756b4adb13e944dd7a0d5d5b64ddc62b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
562KB

MD5
1bad855e1df90fd74c5b3805f36f5639

SHA1
0eb7fa3a9bccc07282bef5550a904dd2a41e88e8

SHA256
30ff178e9964e2d9400fae08753513e59cf2f82271f466169afc0daf3769ecb6

SHA512
f77be8f0ef65468e4306bf782e062b9f17bb8e62235f71a507e528f08246c968013c68bc9cf046f8dc8c7c4c1079dae65a99749821fb16df4836bdbfcfd7745c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
562KB

MD5
1bad855e1df90fd74c5b3805f36f5639

SHA1
0eb7fa3a9bccc07282bef5550a904dd2a41e88e8

SHA256
30ff178e9964e2d9400fae08753513e59cf2f82271f466169afc0daf3769ecb6

SHA512
f77be8f0ef65468e4306bf782e062b9f17bb8e62235f71a507e528f08246c968013c68bc9cf046f8dc8c7c4c1079dae65a99749821fb16df4836bdbfcfd7745c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
562KB

MD5
1bad855e1df90fd74c5b3805f36f5639

SHA1
0eb7fa3a9bccc07282bef5550a904dd2a41e88e8

SHA256
30ff178e9964e2d9400fae08753513e59cf2f82271f466169afc0daf3769ecb6

SHA512
f77be8f0ef65468e4306bf782e062b9f17bb8e62235f71a507e528f08246c968013c68bc9cf046f8dc8c7c4c1079dae65a99749821fb16df4836bdbfcfd7745c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
562KB

MD5
1bad855e1df90fd74c5b3805f36f5639

SHA1
0eb7fa3a9bccc07282bef5550a904dd2a41e88e8

SHA256
30ff178e9964e2d9400fae08753513e59cf2f82271f466169afc0daf3769ecb6

SHA512
f77be8f0ef65468e4306bf782e062b9f17bb8e62235f71a507e528f08246c968013c68bc9cf046f8dc8c7c4c1079dae65a99749821fb16df4836bdbfcfd7745c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
562KB

MD5
1bad855e1df90fd74c5b3805f36f5639

SHA1
0eb7fa3a9bccc07282bef5550a904dd2a41e88e8

SHA256
30ff178e9964e2d9400fae08753513e59cf2f82271f466169afc0daf3769ecb6

SHA512
f77be8f0ef65468e4306bf782e062b9f17bb8e62235f71a507e528f08246c968013c68bc9cf046f8dc8c7c4c1079dae65a99749821fb16df4836bdbfcfd7745c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
562KB

MD5
1bad855e1df90fd74c5b3805f36f5639

SHA1
0eb7fa3a9bccc07282bef5550a904dd2a41e88e8

SHA256
30ff178e9964e2d9400fae08753513e59cf2f82271f466169afc0daf3769ecb6

SHA512
f77be8f0ef65468e4306bf782e062b9f17bb8e62235f71a507e528f08246c968013c68bc9cf046f8dc8c7c4c1079dae65a99749821fb16df4836bdbfcfd7745c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
562KB

MD5
1bad855e1df90fd74c5b3805f36f5639

SHA1
0eb7fa3a9bccc07282bef5550a904dd2a41e88e8

SHA256
30ff178e9964e2d9400fae08753513e59cf2f82271f466169afc0daf3769ecb6

SHA512
f77be8f0ef65468e4306bf782e062b9f17bb8e62235f71a507e528f08246c968013c68bc9cf046f8dc8c7c4c1079dae65a99749821fb16df4836bdbfcfd7745c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
562KB

MD5
1bad855e1df90fd74c5b3805f36f5639

SHA1
0eb7fa3a9bccc07282bef5550a904dd2a41e88e8

SHA256
30ff178e9964e2d9400fae08753513e59cf2f82271f466169afc0daf3769ecb6

SHA512
f77be8f0ef65468e4306bf782e062b9f17bb8e62235f71a507e528f08246c968013c68bc9cf046f8dc8c7c4c1079dae65a99749821fb16df4836bdbfcfd7745c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
562KB

MD5
1bad855e1df90fd74c5b3805f36f5639

SHA1
0eb7fa3a9bccc07282bef5550a904dd2a41e88e8

SHA256
30ff178e9964e2d9400fae08753513e59cf2f82271f466169afc0daf3769ecb6

SHA512
f77be8f0ef65468e4306bf782e062b9f17bb8e62235f71a507e528f08246c968013c68bc9cf046f8dc8c7c4c1079dae65a99749821fb16df4836bdbfcfd7745c

Download Submit
memory/880-76-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/880-78-0x0000000000470000-0x000000000047E000-memory.dmp

Filesize
56KB

Download
memory/880-80-0x00000000733E0000-0x0000000073ACE000-memory.dmp

Filesize
6.9MB

Download
memory/880-81-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/880-82-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/880-75-0x00000000733E0000-0x0000000073ACE000-memory.dmp

Filesize
6.9MB

Download
memory/880-74-0x00000000010F0000-0x0000000001182000-memory.dmp

Filesize
584KB

Download
memory/1632-79-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1632-59-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1632-58-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2404-57-0x0000000002310000-0x0000000002312000-memory.dmp

Filesize
8KB

Download