0d7f2b187239381646230ae6f03ce02a7bba8a95482df00f459904af60da902a

Analysis

max time kernel
3s
max time network
40s
platform
windows7_x64
resource
win7v20210410
submitted
29-06-2021 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase_Order.exe
Size

337KB
MD5

39fcd8503fd2e6e2773a5b5176b5cfb0
SHA1

cbf286bec3ac50743352cdead151ca2be6bea121
SHA256

0d7f2b187239381646230ae6f03ce02a7bba8a95482df00f459904af60da902a
SHA512

fdb923a1639f27f74da659c635ab251e536fd75c7d05d2696e2e8d312c4a55f37bcd127b314d1606962335593713ae1cdfed129ba2d1bb7f3223b8d7d6926f95

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

Purchase_Order.exe

pid process

1036 Purchase_Order.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1036	Purchase_Order.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Purchase_Order.exe

description	pid	process	target process
PID 1036 wrote to memory of 1800	1036	Purchase_Order.exe	Purchase_Order.exe
PID 1036 wrote to memory of 1800	1036	Purchase_Order.exe	Purchase_Order.exe
PID 1036 wrote to memory of 1800	1036	Purchase_Order.exe	Purchase_Order.exe
PID 1036 wrote to memory of 1800	1036	Purchase_Order.exe	Purchase_Order.exe
PID 1036 wrote to memory of 1800	1036	Purchase_Order.exe	Purchase_Order.exe
PID 1036 wrote to memory of 1800	1036	Purchase_Order.exe	Purchase_Order.exe
PID 1036 wrote to memory of 1800	1036	Purchase_Order.exe	Purchase_Order.exe
PID 1036 wrote to memory of 1800	1036	Purchase_Order.exe	Purchase_Order.exe

C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe"
2⤵
PID:1800

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\diejc.dll
MD5
5e72c6604a2ea57e6b311e3103c1e53f

SHA1
34f2287255ed04551a5da72659e663f123613f26

SHA256
12f743c8c38d6f091300ca7b0dc380a88a3ceb5da025ed44b9a49991a47868b7

SHA512
c293cb5bdc2665ac7d7d55d8faf23dd7e4da220132b41eb0793cb348eb91b65fce19167c802a5a6a19cb35671c4a180e5fed9efdd7d31ede46425872afd1cedd

Download Submit
memory/1036-59-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download