Overview

overview

7

Static

static

3

PO-4500119...df.exe

windows7-x64

3

PO-4500119...df.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    11/07/2024, 04:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    PO-4500119534 Endüstri ve Ticaret Serbest Bölgesi.pdf.exe

  • Size

    941KB

  • MD5

    1d8c9798fd63d0f8d2c58877154f6983

  • SHA1

    a5545f0775799fe3e13fc7f1c7e4ddbcc36dfe93

  • SHA256

    77aebd9d4b0bc79ffe5e9c28f32d55b8c4666f06a1b96480f38cc937dcb286e4

  • SHA512

    c78160a2b10801df5bde4be30bc45812917ead4d6899ad5904935e0765d13e44aa69a9ef761087f40c7acde139c7109312252a296d362233ef1c803744f99503

  • SSDEEP

    24576:sPFKLriziS1Ntoqr6TO8ugUCC47Js+pzXG:Fi/tPGTZle4tnzXG

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO-4500119534 Endüstri ve Ticaret Serbest Bölgesi.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\PO-4500119534 Endüstri ve Ticaret Serbest Bölgesi.pdf.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UJZAtSs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A06.tmp"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1652
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:1276
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
        2⤵
          PID:1520
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
          2⤵
            PID:2640
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
            2⤵
              PID:2796
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
              2⤵
                PID:2880

            Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\tmp1A06.tmp
                    Filesize

                    1KB

                    MD5

                    23760f4377d7b5149f4f39aa8acde874

                    SHA1

                    01785fbf71eaf2c83e2b95f3dba5edbdb92841cd

                    SHA256

                    3328070a99d964ef7d53deb104c640e86dc4ce9f02158005818484e1b24c2670

                    SHA512

                    e540e1c60b2cd2438e9419000c4f56b661061ffab8aa0be58e46b892adef53afbae803f0a29b01a9752c8a7cf0224b638c8230c994f189818a05ba68398bc5f0

                    Download Submit

                  • memory/2720-0-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2720-1-0x0000000000010000-0x0000000000102000-memory.dmp

                    Filesize

                    968KB

                    Download

                  • memory/2720-2-0x0000000000470000-0x000000000047A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/2720-3-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/2720-4-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2720-5-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/2720-6-0x00000000021D0000-0x0000000002234000-memory.dmp

                    Filesize

                    400KB

                    Download

                  • memory/2720-12-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

                    Filesize

                    9.9MB

                    Download