3120fb515a817d8915abf32e676fb1d99a46bcbcae772959364f9957176747b6

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENT OF OUTSTANDING BILLS.pdf.exe
Size

644KB
MD5

432c2dd84816f93dcb064c273e51fe60
SHA1

6c3c24235db1b66bf265ea3b103a592a5291d44e
SHA256

721ca582a7a8e00d9421c1acaa52906cfe9219cb13be9646b713462e48198c54
SHA512

ee04fbc1756eecc5907fbcda3003ccabaaf1244e20ee6296115e42979df6fcae67a35ccfc2fb995d3ce5f4f37da81892e41bf0ddf277056d038c01b728a69695
SSDEEP

12288:KURF2iNqUCemnN5t3xUIa0bwol55hsqkMTVIAqXvfIKWOr8JCsBJ1D7j2mEVLIE:KCF14WmrjUtoVhsqkMVIpvAKb4teREE

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe
2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe
2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe
2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe
2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe
2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe
2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe
2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe
2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe
2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe
2672	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe
Token: SeDebugPrivilege	2672	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2672	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	30
PID 2212 wrote to memory of 2672	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	30
PID 2212 wrote to memory of 2672	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	30
PID 2212 wrote to memory of 2672	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	30
PID 2212 wrote to memory of 2736	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	32
PID 2212 wrote to memory of 2736	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	32
PID 2212 wrote to memory of 2736	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	32
PID 2212 wrote to memory of 2736	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	32
PID 2212 wrote to memory of 2548	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	34
PID 2212 wrote to memory of 2548	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	34
PID 2212 wrote to memory of 2548	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	34
PID 2212 wrote to memory of 2548	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	34
PID 2212 wrote to memory of 2540	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	35
PID 2212 wrote to memory of 2540	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	35
PID 2212 wrote to memory of 2540	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	35
PID 2212 wrote to memory of 2540	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	35
PID 2212 wrote to memory of 2900	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	36
PID 2212 wrote to memory of 2900	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	36
PID 2212 wrote to memory of 2900	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	36
PID 2212 wrote to memory of 2900	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	36
PID 2212 wrote to memory of 2708	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	37
PID 2212 wrote to memory of 2708	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	37
PID 2212 wrote to memory of 2708	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	37
PID 2212 wrote to memory of 2708	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	37
PID 2212 wrote to memory of 764	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	38
PID 2212 wrote to memory of 764	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	38
PID 2212 wrote to memory of 764	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	38
PID 2212 wrote to memory of 764	2212	PAYMENT OF OUTSTANDING BILLS.pdf.exe	38

C:\Users\Admin\AppData\Local\Temp\PAYMENT OF OUTSTANDING BILLS.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT OF OUTSTANDING BILLS.pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Qigahd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Qigahd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDAE4.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\PAYMENT OF OUTSTANDING BILLS.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT OF OUTSTANDING BILLS.pdf.exe"
  2⤵
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\PAYMENT OF OUTSTANDING BILLS.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT OF OUTSTANDING BILLS.pdf.exe"
  2⤵
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\PAYMENT OF OUTSTANDING BILLS.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT OF OUTSTANDING BILLS.pdf.exe"
  2⤵
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\PAYMENT OF OUTSTANDING BILLS.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT OF OUTSTANDING BILLS.pdf.exe"
  2⤵
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\PAYMENT OF OUTSTANDING BILLS.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT OF OUTSTANDING BILLS.pdf.exe"
  2⤵
  PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDAE4.tmp

Filesize
1KB

MD5
68fe928082dbb9fe960273f4a0f0d694

SHA1
29d9d508af975c36608df3a07a3db9bb965e5f77

SHA256
afd27dc7888521b1c61ca14c46b30fbb447b2de066e6e7e73f4416248d57283d

SHA512
aff47ac891881af07b3ad6d7c6ba4642e633ee9682f58571119a4860bb720e1eb237ddf43c731097c39d566f260744e51bb7400beae905078e2d60951a163627

Download Submit
memory/2212-6-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/2212-1-0x0000000000390000-0x0000000000438000-memory.dmp

Filesize
672KB

Download
memory/2212-3-0x0000000000550000-0x000000000055E000-memory.dmp

Filesize
56KB

Download
memory/2212-4-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-5-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2212-0-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-7-0x00000000053E0000-0x000000000545C000-memory.dmp

Filesize
496KB

Download
memory/2212-2-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2212-15-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2672-16-0x000000006E810000-0x000000006EDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2672-17-0x000000006E810000-0x000000006EDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2672-18-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2672-19-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2672-20-0x000000006E810000-0x000000006EDBB000-memory.dmp

Filesize
5.7MB

Download