d863b77a16ba4748e6e483d7f069d5adc997932920d33bdd2c38a7fbe232fec0

Analysis

max time kernel
232s
max time network
241s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d863b77a16ba4748e6e483d7f069d5adc997932920d33bdd2c38a7fbe232fec0.exe
Size

19KB
MD5

a15d75ce3d9234b5e1f4b7ac88764450
SHA1

41f947d09bfb0b2dfab65a30c89567541d14dad0
SHA256

d863b77a16ba4748e6e483d7f069d5adc997932920d33bdd2c38a7fbe232fec0
SHA512

0b531d12c534768dea867ee57f8bcad81d73f544b7f577e80d4a499e81037e15369d95b4c93a49d79c347d52d38967e80b643e1a266336b79da04e867f6f37af
SSDEEP

192:oZ+f8PcQcQLHtJx1sgYrHHstHNTgR09DBH4tf95BYyenSuXnTDnFgN:uzP7cQB1sgKWt0R+DB295BdenlFg

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2040	pdf_update.exe

Loads dropped DLL 4 IoCs

pid	Process
1896	d863b77a16ba4748e6e483d7f069d5adc997932920d33bdd2c38a7fbe232fec0.exe
2040	pdf_update.exe
2040	pdf_update.exe
2040	pdf_update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2040	1896	d863b77a16ba4748e6e483d7f069d5adc997932920d33bdd2c38a7fbe232fec0.exe	27
PID 1896 wrote to memory of 2040	1896	d863b77a16ba4748e6e483d7f069d5adc997932920d33bdd2c38a7fbe232fec0.exe	27
PID 1896 wrote to memory of 2040	1896	d863b77a16ba4748e6e483d7f069d5adc997932920d33bdd2c38a7fbe232fec0.exe	27
PID 1896 wrote to memory of 2040	1896	d863b77a16ba4748e6e483d7f069d5adc997932920d33bdd2c38a7fbe232fec0.exe	27
PID 1896 wrote to memory of 2040	1896	d863b77a16ba4748e6e483d7f069d5adc997932920d33bdd2c38a7fbe232fec0.exe	27
PID 1896 wrote to memory of 2040	1896	d863b77a16ba4748e6e483d7f069d5adc997932920d33bdd2c38a7fbe232fec0.exe	27
PID 1896 wrote to memory of 2040	1896	d863b77a16ba4748e6e483d7f069d5adc997932920d33bdd2c38a7fbe232fec0.exe	27

C:\Users\Admin\AppData\Local\Temp\d863b77a16ba4748e6e483d7f069d5adc997932920d33bdd2c38a7fbe232fec0.exe
"C:\Users\Admin\AppData\Local\Temp\d863b77a16ba4748e6e483d7f069d5adc997932920d33bdd2c38a7fbe232fec0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\Temp\pdf_update.exe
  "C:\Users\Admin\AppData\Local\Temp\pdf_update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pdf_update.exe

Filesize
19KB

MD5
3e029dd25abf4fc98c762c36eae85aea

SHA1
4c0cc3b60c6c57f0851a2c5c78258e493d74dc16

SHA256
74960ea8c8b833b1dbd0081db5281caafbca786aeadd8fd1665dc113b3e0ca68

SHA512
9ec4ec02477afb3dc5d72e82ad47a49f86aac901675fa36eb950388e140a9d254b3a9ee684fca50fc3dc8a826eebcb6f4c1b635e056b19ac0b66a94c09c3ca02

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdf_update.exe

Filesize
19KB

MD5
3e029dd25abf4fc98c762c36eae85aea

SHA1
4c0cc3b60c6c57f0851a2c5c78258e493d74dc16

SHA256
74960ea8c8b833b1dbd0081db5281caafbca786aeadd8fd1665dc113b3e0ca68

SHA512
9ec4ec02477afb3dc5d72e82ad47a49f86aac901675fa36eb950388e140a9d254b3a9ee684fca50fc3dc8a826eebcb6f4c1b635e056b19ac0b66a94c09c3ca02

Download Submit
\Users\Admin\AppData\Local\Temp\pdf_update.exe

Filesize
19KB

MD5
3e029dd25abf4fc98c762c36eae85aea

SHA1
4c0cc3b60c6c57f0851a2c5c78258e493d74dc16

SHA256
74960ea8c8b833b1dbd0081db5281caafbca786aeadd8fd1665dc113b3e0ca68

SHA512
9ec4ec02477afb3dc5d72e82ad47a49f86aac901675fa36eb950388e140a9d254b3a9ee684fca50fc3dc8a826eebcb6f4c1b635e056b19ac0b66a94c09c3ca02

Download Submit
\Users\Admin\AppData\Local\Temp\pdf_update.exe

Filesize
19KB

MD5
3e029dd25abf4fc98c762c36eae85aea

SHA1
4c0cc3b60c6c57f0851a2c5c78258e493d74dc16

SHA256
74960ea8c8b833b1dbd0081db5281caafbca786aeadd8fd1665dc113b3e0ca68

SHA512
9ec4ec02477afb3dc5d72e82ad47a49f86aac901675fa36eb950388e140a9d254b3a9ee684fca50fc3dc8a826eebcb6f4c1b635e056b19ac0b66a94c09c3ca02

Download Submit
\Users\Admin\AppData\Local\Temp\pdf_update.exe

Filesize
19KB

MD5
3e029dd25abf4fc98c762c36eae85aea

SHA1
4c0cc3b60c6c57f0851a2c5c78258e493d74dc16

SHA256
74960ea8c8b833b1dbd0081db5281caafbca786aeadd8fd1665dc113b3e0ca68

SHA512
9ec4ec02477afb3dc5d72e82ad47a49f86aac901675fa36eb950388e140a9d254b3a9ee684fca50fc3dc8a826eebcb6f4c1b635e056b19ac0b66a94c09c3ca02

Download Submit
\Users\Admin\AppData\Local\Temp\pdf_update.exe

Filesize
19KB

MD5
3e029dd25abf4fc98c762c36eae85aea

SHA1
4c0cc3b60c6c57f0851a2c5c78258e493d74dc16

SHA256
74960ea8c8b833b1dbd0081db5281caafbca786aeadd8fd1665dc113b3e0ca68

SHA512
9ec4ec02477afb3dc5d72e82ad47a49f86aac901675fa36eb950388e140a9d254b3a9ee684fca50fc3dc8a826eebcb6f4c1b635e056b19ac0b66a94c09c3ca02

Download Submit
memory/1896-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download