87e74d70762d254ec3910f692d7dd369b11c2d8747ec3ddca384a05a0121a813

Analysis

max time kernel
1s
max time network
28s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
06-02-2022 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice-0898764_pdf.exe
Size

223KB
MD5

69864e354848c81e0b8c52aa201a8e1b
SHA1

7cbc031e83f665b0c84f97075fcff0747023e59f
SHA256

7d478663ff32b25b1a20ac1c3991a04e2c29f0ba38b7454095f4ce41de9b1dbd
SHA512

0837534e3dce30f4706efe86511cdf1d685f2f09f6bf6690808fdba6cb38c4821507ddfe9c96a36d77aa73fa36c0879c1f151a6e56cad59d0c0be82d012dee4d

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

Invoice-0898764_pdf.exe

pid process

5100 Invoice-0898764_pdf.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Invoice-0898764_pdf.exe

description pid process target process

PID 5100 set thread context of 1468 5100 Invoice-0898764_pdf.exe Invoice-0898764_pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 5100 set thread context of 1468	5100	Invoice-0898764_pdf.exe	Invoice-0898764_pdf.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Invoice-0898764_pdf.exe

pid	process
5100	Invoice-0898764_pdf.exe
5100	Invoice-0898764_pdf.exe
5100	Invoice-0898764_pdf.exe
5100	Invoice-0898764_pdf.exe
5100	Invoice-0898764_pdf.exe
5100	Invoice-0898764_pdf.exe
5100	Invoice-0898764_pdf.exe
5100	Invoice-0898764_pdf.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Invoice-0898764_pdf.exe

pid process

5100 Invoice-0898764_pdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Invoice-0898764_pdf.exe

description	pid	process	target process
PID 5100 wrote to memory of 1468	5100	Invoice-0898764_pdf.exe	Invoice-0898764_pdf.exe
PID 5100 wrote to memory of 1468	5100	Invoice-0898764_pdf.exe	Invoice-0898764_pdf.exe
PID 5100 wrote to memory of 1468	5100	Invoice-0898764_pdf.exe	Invoice-0898764_pdf.exe
PID 5100 wrote to memory of 1468	5100	Invoice-0898764_pdf.exe	Invoice-0898764_pdf.exe

C:\Users\Admin\AppData\Local\Temp\Invoice-0898764_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice-0898764_pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Local\Temp\Invoice-0898764_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice-0898764_pdf.exe"
2⤵
PID:1468

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsw821F.tmp\ciqu855d1.dll
MD5
d35589fa175adeea3a42c7c2788bad88

SHA1
6f4694e093eb3e7bdd4e744237c6d430b4fcb376

SHA256
8f2c9be3e150f92a6f6713aa175b88579864139c2a0966bdf238ff83554f5d2c

SHA512
9443d2575087e5ee48f2d9a8a8a9debbd0513adc23b06b5bb1ce06bb1bbcfbcb0a1481dbea51e71483d8e8f04af93cefb4cca483683590eb6777a6734e5595a1

Download Submit