c48bbf430a5bbc50eeff81ed32a5ac8276f1c3c854058628f8241247a6da992d

Analysis

max time kernel
145s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TEMPLATE LIST.pdf.exe
Size

780KB
MD5

fb83d61aba54d7e9acaf3d2fa859c941
SHA1

93c68b537d9a3c945bcc5165df63638afe9bae48
SHA256

9ce963b4ba27abdf1395a51e9063d5d24be8b5388702b17e8f3ee27e88ebc746
SHA512

502c6f14d0254bdde633c31094f7112099762c705a03cb6d5a87b19d25ca0457c64c23af8b4266bff097411fad776e6ab85c1d4d62a51c6535a431a72c06b290
SSDEEP

12288:/B1oVeoni0NjSchnp/UzinHZ0MYdB54+RIX2T4iY+MWPufcm4WksTzv9i:bo5bN2bzLBi+74iGWJWnHv

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 2740	1976	TEMPLATE LIST.pdf.exe	34
PID 2740 set thread context of 1212	2740	TEMPLATE LIST.pdf.exe	21
PID 2740 set thread context of 2844	2740	TEMPLATE LIST.pdf.exe	37
PID 2844 set thread context of 1212	2844	cleanmgr.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1976	TEMPLATE LIST.pdf.exe
1976	TEMPLATE LIST.pdf.exe
2728	powershell.exe
1732	powershell.exe
2740	TEMPLATE LIST.pdf.exe
2740	TEMPLATE LIST.pdf.exe
2740	TEMPLATE LIST.pdf.exe
2740	TEMPLATE LIST.pdf.exe
2740	TEMPLATE LIST.pdf.exe
2740	TEMPLATE LIST.pdf.exe
2740	TEMPLATE LIST.pdf.exe
2740	TEMPLATE LIST.pdf.exe
2844	cleanmgr.exe
2844	cleanmgr.exe
2844	cleanmgr.exe
2844	cleanmgr.exe
2844	cleanmgr.exe
2844	cleanmgr.exe
2844	cleanmgr.exe
2844	cleanmgr.exe
2844	cleanmgr.exe
2844	cleanmgr.exe
2844	cleanmgr.exe
2844	cleanmgr.exe
2844	cleanmgr.exe
2844	cleanmgr.exe
2844	cleanmgr.exe
2844	cleanmgr.exe
2844	cleanmgr.exe
2844	cleanmgr.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2740	TEMPLATE LIST.pdf.exe
1212	Explorer.EXE
1212	Explorer.EXE
2844	cleanmgr.exe
2844	cleanmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	TEMPLATE LIST.pdf.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2728	1976	TEMPLATE LIST.pdf.exe	28
PID 1976 wrote to memory of 2728	1976	TEMPLATE LIST.pdf.exe	28
PID 1976 wrote to memory of 2728	1976	TEMPLATE LIST.pdf.exe	28
PID 1976 wrote to memory of 2728	1976	TEMPLATE LIST.pdf.exe	28
PID 1976 wrote to memory of 1732	1976	TEMPLATE LIST.pdf.exe	30
PID 1976 wrote to memory of 1732	1976	TEMPLATE LIST.pdf.exe	30
PID 1976 wrote to memory of 1732	1976	TEMPLATE LIST.pdf.exe	30
PID 1976 wrote to memory of 1732	1976	TEMPLATE LIST.pdf.exe	30
PID 1976 wrote to memory of 1736	1976	TEMPLATE LIST.pdf.exe	31
PID 1976 wrote to memory of 1736	1976	TEMPLATE LIST.pdf.exe	31
PID 1976 wrote to memory of 1736	1976	TEMPLATE LIST.pdf.exe	31
PID 1976 wrote to memory of 1736	1976	TEMPLATE LIST.pdf.exe	31
PID 1976 wrote to memory of 2740	1976	TEMPLATE LIST.pdf.exe	34
PID 1976 wrote to memory of 2740	1976	TEMPLATE LIST.pdf.exe	34
PID 1976 wrote to memory of 2740	1976	TEMPLATE LIST.pdf.exe	34
PID 1976 wrote to memory of 2740	1976	TEMPLATE LIST.pdf.exe	34
PID 1976 wrote to memory of 2740	1976	TEMPLATE LIST.pdf.exe	34
PID 1976 wrote to memory of 2740	1976	TEMPLATE LIST.pdf.exe	34
PID 1976 wrote to memory of 2740	1976	TEMPLATE LIST.pdf.exe	34
PID 1212 wrote to memory of 2844	1212	Explorer.EXE	37
PID 1212 wrote to memory of 2844	1212	Explorer.EXE	37
PID 1212 wrote to memory of 2844	1212	Explorer.EXE	37
PID 1212 wrote to memory of 2844	1212	Explorer.EXE	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\TEMPLATE LIST.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\TEMPLATE LIST.pdf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TEMPLATE LIST.pdf.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XWoewdt.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XWoewdt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4E7E.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1736
- - C:\Users\Admin\AppData\Local\Temp\TEMPLATE LIST.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\TEMPLATE LIST.pdf.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2740
- C:\Windows\SysWOW64\cleanmgr.exe
  "C:\Windows\SysWOW64\cleanmgr.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4E7E.tmp

Filesize
1KB

MD5
0e658a7852d5ba0b9ac8299deb3e8771

SHA1
a4f6ebfb67a12b42b78be084f6151dcfc3f2376c

SHA256
08fad74344450a729dd888a2ffab273c2e9135f9428c4d4d8d0dae4b5e372bbf

SHA512
6e82ac832ae30caf2b078efcff080680d025e078cc271bcc09c144f452f99326beeff3f49111121127af5da76c000abc200d67d3ef116c9df193f8fa101e9cfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bcceea4469e1fe2b2bca321f3fd1d937

SHA1
50faa3708229334cc53aa95806411dbe5d833dfd

SHA256
3c9a65644d336a4c62a739bb5a2dc3677bc78e32f20e368e30ccda7c45b2972e

SHA512
47095407ccedfc48818f35b5581c435fd5ccb5c4cf77b40ee30ad785dd24ce323513cf7485ed15888b0f7580e9f937042c89c111df379d6ad399ef3314aee841

Download Submit
memory/1212-38-0x0000000003230000-0x0000000003330000-memory.dmp

Filesize
1024KB

Download
memory/1212-41-0x0000000008EF0000-0x000000000A477000-memory.dmp

Filesize
21.5MB

Download
memory/1212-49-0x0000000008EF0000-0x000000000A477000-memory.dmp

Filesize
21.5MB

Download
memory/1732-28-0x000000006F6C0000-0x000000006FC6B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-24-0x000000006F6C0000-0x000000006FC6B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-34-0x000000006F6C0000-0x000000006FC6B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-5-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/1976-27-0x0000000074AE0000-0x00000000751CE000-memory.dmp

Filesize
6.9MB

Download
memory/1976-6-0x000000000AA40000-0x000000000AACC000-memory.dmp

Filesize
560KB

Download
memory/1976-4-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/1976-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/1976-2-0x0000000004EF0000-0x0000000004F30000-memory.dmp

Filesize
256KB

Download
memory/1976-1-0x0000000074AE0000-0x00000000751CE000-memory.dmp

Filesize
6.9MB

Download
memory/1976-0-0x0000000000C70000-0x0000000000D36000-memory.dmp

Filesize
792KB

Download
memory/2728-26-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/2728-25-0x000000006F6C0000-0x000000006FC6B000-memory.dmp

Filesize
5.7MB

Download
memory/2728-29-0x000000006F6C0000-0x000000006FC6B000-memory.dmp

Filesize
5.7MB

Download
memory/2728-30-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/2728-31-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/2728-33-0x000000006F6C0000-0x000000006FC6B000-memory.dmp

Filesize
5.7MB

Download
memory/2740-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2740-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2740-35-0x0000000000D40000-0x0000000001043000-memory.dmp

Filesize
3.0MB

Download
memory/2740-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2740-37-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2740-40-0x00000000002B0000-0x00000000002D1000-memory.dmp

Filesize
132KB

Download
memory/2740-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2740-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2740-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2740-45-0x00000000002B0000-0x00000000002D1000-memory.dmp

Filesize
132KB

Download
memory/2740-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2844-46-0x0000000002110000-0x0000000002413000-memory.dmp

Filesize
3.0MB

Download
memory/2844-47-0x0000000000080000-0x00000000000C0000-memory.dmp

Filesize
256KB

Download
memory/2844-48-0x0000000001F10000-0x0000000001FB0000-memory.dmp

Filesize
640KB

Download
memory/2844-43-0x0000000000080000-0x00000000000C0000-memory.dmp

Filesize
256KB

Download
memory/2844-50-0x0000000000080000-0x00000000000C0000-memory.dmp

Filesize
256KB

Download