Analysis
-
max time kernel
1s -
max time network
28s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
06-02-2022 23:18
Static task
static1
Behavioral task
behavioral1
Sample
Invoice-0898764_pdf.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
Invoice-0898764_pdf.exe
Resource
win10v2004-en-20220113
General
-
Target
Invoice-0898764_pdf.exe
-
Size
223KB
-
MD5
69864e354848c81e0b8c52aa201a8e1b
-
SHA1
7cbc031e83f665b0c84f97075fcff0747023e59f
-
SHA256
7d478663ff32b25b1a20ac1c3991a04e2c29f0ba38b7454095f4ce41de9b1dbd
-
SHA512
0837534e3dce30f4706efe86511cdf1d685f2f09f6bf6690808fdba6cb38c4821507ddfe9c96a36d77aa73fa36c0879c1f151a6e56cad59d0c0be82d012dee4d
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
Invoice-0898764_pdf.exepid process 5100 Invoice-0898764_pdf.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Invoice-0898764_pdf.exedescription pid process target process PID 5100 set thread context of 1468 5100 Invoice-0898764_pdf.exe Invoice-0898764_pdf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
Invoice-0898764_pdf.exepid process 5100 Invoice-0898764_pdf.exe 5100 Invoice-0898764_pdf.exe 5100 Invoice-0898764_pdf.exe 5100 Invoice-0898764_pdf.exe 5100 Invoice-0898764_pdf.exe 5100 Invoice-0898764_pdf.exe 5100 Invoice-0898764_pdf.exe 5100 Invoice-0898764_pdf.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
Invoice-0898764_pdf.exepid process 5100 Invoice-0898764_pdf.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Invoice-0898764_pdf.exedescription pid process target process PID 5100 wrote to memory of 1468 5100 Invoice-0898764_pdf.exe Invoice-0898764_pdf.exe PID 5100 wrote to memory of 1468 5100 Invoice-0898764_pdf.exe Invoice-0898764_pdf.exe PID 5100 wrote to memory of 1468 5100 Invoice-0898764_pdf.exe Invoice-0898764_pdf.exe PID 5100 wrote to memory of 1468 5100 Invoice-0898764_pdf.exe Invoice-0898764_pdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice-0898764_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Invoice-0898764_pdf.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Invoice-0898764_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Invoice-0898764_pdf.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsw821F.tmp\ciqu855d1.dllMD5
d35589fa175adeea3a42c7c2788bad88
SHA16f4694e093eb3e7bdd4e744237c6d430b4fcb376
SHA2568f2c9be3e150f92a6f6713aa175b88579864139c2a0966bdf238ff83554f5d2c
SHA5129443d2575087e5ee48f2d9a8a8a9debbd0513adc23b06b5bb1ce06bb1bbcfbcb0a1481dbea51e71483d8e8f04af93cefb4cca483683590eb6777a6734e5595a1