Analysis Overview
SHA256
780a7bc521dc90774e88f165ea90e23ef16f4f20f218aca8b1ba70731169b10c
Threat Level: Known bad
The file Citadele Banka__Maksajuma Kopija.pdf.bat was found to be: Known bad.
Malicious Activity Summary
Remcos
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-15 07:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 07:11
Reported
2024-08-15 07:14
Platform
win7-20240708-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Remcos
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2644 set thread context of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZswdHDtpVJo.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZswdHDtpVJo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5DC9.tmp"
C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 204.10.160.230:7983 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OR5Y0X851D8PFL8JVKE4.temp
| MD5 | b1314f02292f71b48258a88f1e44e890 |
| SHA1 | 7de1a55de5a336fecb8a38e05513e69d174a7e10 |
| SHA256 | 871a575b5e1faa8918ee2f68229e5c6356505d6cb904bb7cd63e67d915c6aacd |
| SHA512 | 999cbd8104c70afd0e234e081f192fb26688877989721d5bf6c337aec9f8bebc34d0b80d8e7e34125fd01b51135b2bdff88df768149bbf45f7d340c587f9d31e |
C:\Users\Admin\AppData\Local\Temp\tmp5DC9.tmp
| MD5 | 3963f91fe0c12662a7cb04a007b7cbb8 |
| SHA1 | c1863b248f660a68c84ff5dd3347505b02dd4d73 |
| SHA256 | 549f0b44eb679a252652082aac78732c997e0a1a86f795614c2e98b5fcab1792 |
| SHA512 | 228932fa5d22eb2112390229e78e3bd851b987d7db6032c7945c2009749851c4c818d5328fe8a4c69b9f3fc6639827ef0ef0d77cee9cf25dda176c8267e599e1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 07:11
Reported
2024-08-15 07:14
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Remcos
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3092 set thread context of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZswdHDtpVJo.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZswdHDtpVJo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD448.tmp"
C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe"
C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Citadele Banka__Maksajuma Kopija.pdf.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 204.10.160.230:7983 | | tcp |
| US | 8.8.8.8:53 | 230.160.10.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpD448.tmp
| MD5 | bf6c44d5c1ca956b85b26bc6f00a36a2 |
| SHA1 | 539d8ee52837ac0e5d867fa742d773f1a44e5d85 |
| SHA256 | 9526bf06cb4a7578d0ceeda329d980d269f281ac88a402620b58e0a9d0c4ecc8 |
| SHA512 | a1dd2a90664124bd641cc8504a98c6580c23fc74c26557fb8c0d6f9a8e7efa69ced2fd7390971e2f4483796af50aa9f6782826986263b490053e31aa7a3960ea |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vu4qbmgb.jaa.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c4e71cf16b765ae39c281c22b5fde2ee |
| SHA1 | bb740f2fd53607902a44a5943a391ec3f9bac04d |
| SHA256 | 15081dc7d357011d19a985d73985812c6a75ce7f9466391e6b8f9d40495feb34 |
| SHA512 | 8fc73f9b4d5568a591b852fe058c9c21caa36de2cdb8054abce4a41e2868d7111694a81c773076c2ec1ea7ebde556332d1237bae27f2f54b3fcd0dd3627ee39c |