79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10

General

Target

79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
Size

4.6MB
MD5

fe1de0acb3aa75f88f61a784288a32d1
SHA1

d973f591f56c3d53aac4e2da4a3eede185c910d9
SHA256

79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10
SHA512

084770ea021d7d52b50228d1ca6277a9fb5880ae22378c297d24b4bccaca7919a207954350f3257485c010ec0c0cdc6e6548a2508bba1e090647465aa160cf7e

Score

8^/10

link pdf

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmpjskit.exe

pid	process
1060	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
2200	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
420	jskit.exe

Loads dropped DLL 1 IoCs

Processes:

jskit.exe

pid process

420 jskit.exe

pid	process
420	jskit.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\manual.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp

pid	process
2200	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
2200	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp

pid process

2200 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp

description	pid	process	target process
PID 2644 wrote to memory of 1060	2644	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
PID 2644 wrote to memory of 1060	2644	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
PID 2644 wrote to memory of 1060	2644	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
PID 1060 wrote to memory of 1036	1060	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
PID 1060 wrote to memory of 1036	1060	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
PID 1060 wrote to memory of 1036	1060	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
PID 1036 wrote to memory of 2200	1036	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
PID 1036 wrote to memory of 2200	1036	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
PID 1036 wrote to memory of 2200	1036	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
PID 2200 wrote to memory of 420	2200	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp	jskit.exe
PID 2200 wrote to memory of 420	2200	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp	jskit.exe
PID 2200 wrote to memory of 420	2200	79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp	jskit.exe

C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
"C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\is-976RH.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
"C:\Users\Admin\AppData\Local\Temp\is-976RH.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp" /SL5="$50054,4018938,831488,C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
"C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe" /VERYSILENT
3⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\is-1JVN4.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1JVN4.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp" /SL5="$40120,4018938,831488,C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\jskit.exe
"C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\jskit.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-1JVN4.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
MD5
eb8e24c85edf254cf3f2c1344842b55f

SHA1
2da756889e7e93b4019bb91ff74cd06866a4ec86

SHA256
e6bb9bb3fa48e9c1e7a74c010adf9e30ca6eb4906b0c31c8834102e7adfccc2d

SHA512
e3fd05d7e827400a7b66f0545d184633bf776e7a71b95876c4c8d679fa0e74cf031ae23382ade91ff723414614f4346236c3cb767389f44b50283c51653bcb61

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-976RH.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
MD5
eb8e24c85edf254cf3f2c1344842b55f

SHA1
2da756889e7e93b4019bb91ff74cd06866a4ec86

SHA256
e6bb9bb3fa48e9c1e7a74c010adf9e30ca6eb4906b0c31c8834102e7adfccc2d

SHA512
e3fd05d7e827400a7b66f0545d184633bf776e7a71b95876c4c8d679fa0e74cf031ae23382ade91ff723414614f4346236c3cb767389f44b50283c51653bcb61

Download Submit
C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\jskit.exe
MD5
81acde2ff13a5f79e0d172f3af07d7c0

SHA1
a07ce9830d50d2c3d94e7df41de032b04fe641d2

SHA256
c4d0998328ce86ce10e965abd0936aa0d920abbb78fbe6a4d1e4d8072f68ad2d

SHA512
9d81fa14b26f7d678b3cb1fc71b5724392f11ac399f98ad5f3d98f0caa909a6587c6b349ccc6b6eb325e8024e8fbbf642f92e0be50e626aa1495cb861c0c2bf0

Download Submit
C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\jskit.exe
MD5
81acde2ff13a5f79e0d172f3af07d7c0

SHA1
a07ce9830d50d2c3d94e7df41de032b04fe641d2

SHA256
c4d0998328ce86ce10e965abd0936aa0d920abbb78fbe6a4d1e4d8072f68ad2d

SHA512
9d81fa14b26f7d678b3cb1fc71b5724392f11ac399f98ad5f3d98f0caa909a6587c6b349ccc6b6eb325e8024e8fbbf642f92e0be50e626aa1495cb861c0c2bf0

Download Submit
C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\libvorbisenc-2.dll
MD5
958de7dd326bd45460ecb5082064df4c

SHA1
42e0da2a5c761641cfa2ff8d57ea21a3325f7606

SHA256
f89d307fa7c880e72b2f3b5827d755943f1c7ad3a98683a22de721f1fce2e38c

SHA512
dfe4d1a7c73a0ccfe505501bf7b41976616c3db61b8f44d0dda5537e1321fdc02ad9963c0e0e901020c91b6803782faf195ccdc687d9e4bd2be95c1afb78f894

Download Submit
C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\manual.pdf
MD5
bb126fef59e31540e493af1999478323

SHA1
2ee5422524e09b45c0bd0d7764c83febfa0e6ee7

SHA256
9c082fbbd7aaddf6eff01b1cc890bd9ed1348cb59278529a25119dbdcc5c1d15

SHA512
501c8c0088cec24ae33d21ffe9fa876cf1cb0cfe0f0b4b59860a32639c210fbfaa5babf79bed10020da85a7dd10c0351cfe61fcf305d65d665b6bdd5c918d32f

Download Submit
\Users\Admin\AppData\Roaming\PhantomJS WebKit\libvorbisenc-2.dll
MD5
958de7dd326bd45460ecb5082064df4c

SHA1
42e0da2a5c761641cfa2ff8d57ea21a3325f7606

SHA256
f89d307fa7c880e72b2f3b5827d755943f1c7ad3a98683a22de721f1fce2e38c

SHA512
dfe4d1a7c73a0ccfe505501bf7b41976616c3db61b8f44d0dda5537e1321fdc02ad9963c0e0e901020c91b6803782faf195ccdc687d9e4bd2be95c1afb78f894

Download Submit
memory/420-128-0x0000000000000000-mapping.dmp

Download
memory/1036-126-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1036-121-0x0000000000000000-mapping.dmp

Download
memory/1060-120-0x0000000000720000-0x00000000007CE000-memory.dmp

Filesize
696KB

Download
memory/1060-118-0x0000000000000000-mapping.dmp

Download
memory/2200-127-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2200-124-0x0000000000000000-mapping.dmp

Download
memory/2644-117-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads