1ca7025e62bc8fa5186a3af74f3795cc8e2b53cc888002c80ecedd5dc70a7e4b

Analysis

max time kernel
153s
max time network
190s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ca7025e62bc8fa5186a3af74f3795cc8e2b53cc888002c80ecedd5dc70a7e4b.exe
Size

20KB
MD5

a21200f5070f77f0ad42266a96968750
SHA1

d3aac7c3572851be156f093dfc3d195ddb70bd62
SHA256

1ca7025e62bc8fa5186a3af74f3795cc8e2b53cc888002c80ecedd5dc70a7e4b
SHA512

31a0d9a6a9cda18c0f8d48036089b61fc9fc54804453d7274c79faa0c984d30b9ad3f3bb387fde51e882ed09d0f7b5911a5417932268a26a5e8ed1127b2fe2f7
SSDEEP

192:oZ+f8PcQcQLHtJx1sgYrHHstHNTgR09DBH4tf95BYyenSuXnTMCd1cpN2:uzP7cQB1sgKWt0R+DB295BdenlICdP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1248	pdf_update.exe

Loads dropped DLL 4 IoCs

pid	Process
1376	1ca7025e62bc8fa5186a3af74f3795cc8e2b53cc888002c80ecedd5dc70a7e4b.exe
1248	pdf_update.exe
1248	pdf_update.exe
1248	pdf_update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1248	1376	1ca7025e62bc8fa5186a3af74f3795cc8e2b53cc888002c80ecedd5dc70a7e4b.exe	28
PID 1376 wrote to memory of 1248	1376	1ca7025e62bc8fa5186a3af74f3795cc8e2b53cc888002c80ecedd5dc70a7e4b.exe	28
PID 1376 wrote to memory of 1248	1376	1ca7025e62bc8fa5186a3af74f3795cc8e2b53cc888002c80ecedd5dc70a7e4b.exe	28
PID 1376 wrote to memory of 1248	1376	1ca7025e62bc8fa5186a3af74f3795cc8e2b53cc888002c80ecedd5dc70a7e4b.exe	28
PID 1376 wrote to memory of 1248	1376	1ca7025e62bc8fa5186a3af74f3795cc8e2b53cc888002c80ecedd5dc70a7e4b.exe	28
PID 1376 wrote to memory of 1248	1376	1ca7025e62bc8fa5186a3af74f3795cc8e2b53cc888002c80ecedd5dc70a7e4b.exe	28
PID 1376 wrote to memory of 1248	1376	1ca7025e62bc8fa5186a3af74f3795cc8e2b53cc888002c80ecedd5dc70a7e4b.exe	28

C:\Users\Admin\AppData\Local\Temp\1ca7025e62bc8fa5186a3af74f3795cc8e2b53cc888002c80ecedd5dc70a7e4b.exe
"C:\Users\Admin\AppData\Local\Temp\1ca7025e62bc8fa5186a3af74f3795cc8e2b53cc888002c80ecedd5dc70a7e4b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\pdf_update.exe
  "C:\Users\Admin\AppData\Local\Temp\pdf_update.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pdf_update.exe

Filesize
20KB

MD5
e10e123a41c82e025456afda12a88796

SHA1
d3bac5440a1288f5d8d6b9dee12749451c761ee9

SHA256
070b4ca9a3fa22345e977cdb41f3573e4f4228fec8a31575bc78678db18d4190

SHA512
f37ca69bff0af46e6d73f69bfbdb3f71b3ca856971acf3f76d9c49acf667aaf7bc5f96e90ff73eefcf17a5b6f7ff5c7644b4ba4d3609d57bb7a9acb1d5794261

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdf_update.exe

Filesize
20KB

MD5
e10e123a41c82e025456afda12a88796

SHA1
d3bac5440a1288f5d8d6b9dee12749451c761ee9

SHA256
070b4ca9a3fa22345e977cdb41f3573e4f4228fec8a31575bc78678db18d4190

SHA512
f37ca69bff0af46e6d73f69bfbdb3f71b3ca856971acf3f76d9c49acf667aaf7bc5f96e90ff73eefcf17a5b6f7ff5c7644b4ba4d3609d57bb7a9acb1d5794261

Download Submit
\Users\Admin\AppData\Local\Temp\pdf_update.exe

Filesize
20KB

MD5
e10e123a41c82e025456afda12a88796

SHA1
d3bac5440a1288f5d8d6b9dee12749451c761ee9

SHA256
070b4ca9a3fa22345e977cdb41f3573e4f4228fec8a31575bc78678db18d4190

SHA512
f37ca69bff0af46e6d73f69bfbdb3f71b3ca856971acf3f76d9c49acf667aaf7bc5f96e90ff73eefcf17a5b6f7ff5c7644b4ba4d3609d57bb7a9acb1d5794261

Download Submit
\Users\Admin\AppData\Local\Temp\pdf_update.exe

Filesize
20KB

MD5
e10e123a41c82e025456afda12a88796

SHA1
d3bac5440a1288f5d8d6b9dee12749451c761ee9

SHA256
070b4ca9a3fa22345e977cdb41f3573e4f4228fec8a31575bc78678db18d4190

SHA512
f37ca69bff0af46e6d73f69bfbdb3f71b3ca856971acf3f76d9c49acf667aaf7bc5f96e90ff73eefcf17a5b6f7ff5c7644b4ba4d3609d57bb7a9acb1d5794261

Download Submit
\Users\Admin\AppData\Local\Temp\pdf_update.exe

Filesize
20KB

MD5
e10e123a41c82e025456afda12a88796

SHA1
d3bac5440a1288f5d8d6b9dee12749451c761ee9

SHA256
070b4ca9a3fa22345e977cdb41f3573e4f4228fec8a31575bc78678db18d4190

SHA512
f37ca69bff0af46e6d73f69bfbdb3f71b3ca856971acf3f76d9c49acf667aaf7bc5f96e90ff73eefcf17a5b6f7ff5c7644b4ba4d3609d57bb7a9acb1d5794261

Download Submit
\Users\Admin\AppData\Local\Temp\pdf_update.exe

Filesize
20KB

MD5
e10e123a41c82e025456afda12a88796

SHA1
d3bac5440a1288f5d8d6b9dee12749451c761ee9

SHA256
070b4ca9a3fa22345e977cdb41f3573e4f4228fec8a31575bc78678db18d4190

SHA512
f37ca69bff0af46e6d73f69bfbdb3f71b3ca856971acf3f76d9c49acf667aaf7bc5f96e90ff73eefcf17a5b6f7ff5c7644b4ba4d3609d57bb7a9acb1d5794261

Download Submit
memory/1376-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download