385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc

Analysis

max time kernel
153s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe
Size

939KB
MD5

969744a19a4b06f4c2af3a0b19ab8940
SHA1

30d9b21cf53f4496cf5efee89647bed9b6ce54b7
SHA256

385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc
SHA512

3aa0803a6951ddce58e72e6a92f8940b9d2e0207161f130f3fbb4d9845120806862807d08e89d4cf214031f1768dff49723d41aa3d26d106abd5a6a713e462a0
SSDEEP

24576:+RmJkcoQricOIQxiZY1iaiTgPMZcVnLobCn:rJZoQrbTFZY1iaiTCobCn

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1184 set thread context of 948	1184	385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
988	AcroRd32.exe
988	AcroRd32.exe
988	AcroRd32.exe
988	AcroRd32.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1800	1184	385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe	26
PID 1184 wrote to memory of 1800	1184	385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe	26
PID 1184 wrote to memory of 1800	1184	385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe	26
PID 1184 wrote to memory of 1800	1184	385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe	26
PID 1800 wrote to memory of 988	1800	cmd.exe	28
PID 1800 wrote to memory of 988	1800	cmd.exe	28
PID 1800 wrote to memory of 988	1800	cmd.exe	28
PID 1800 wrote to memory of 988	1800	cmd.exe	28
PID 1184 wrote to memory of 948	1184	385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe	29
PID 1184 wrote to memory of 948	1184	385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe	29
PID 1184 wrote to memory of 948	1184	385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe	29
PID 1184 wrote to memory of 948	1184	385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe	29
PID 1184 wrote to memory of 948	1184	385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe	29
PID 1184 wrote to memory of 948	1184	385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe	29
PID 1184 wrote to memory of 948	1184	385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe	29
PID 1184 wrote to memory of 948	1184	385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe	29
PID 1184 wrote to memory of 948	1184	385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe	29

C:\Users\Admin\AppData\Local\Temp\385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe
"C:\Users\Admin\AppData\Local\Temp\385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C Start C:\Users\Admin\AppData\Local\Temp\952824\FILEPD~1.PDF
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\952824\FILE.PDF.pdf"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:988
- C:\Users\Admin\AppData\Local\Temp\385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe
  "C:\Users\Admin\AppData\Local\Temp\385686f0dc1f7b0bb60422b2af4e921e95c4f5bbea20ec2e38b0f25ce50b4dcc.exe"
  2⤵
  PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\952824\FILE.PDF.pdf

Filesize
934B

MD5
2d5fb5d0e065bb36e3215f7112974047

SHA1
b2d93d366e67dc2975adf2d4f6dfdb0c3b67808a

SHA256
46906cf195855b0d1c04fca87fad5252c6f77dba84744bb195d5338f4540b558

SHA512
8d05745883f420bca6664b73112de682ebba89e6ea013e38cc7a2944354fecc1a3ee3893ad04f01444b5f33f9edeccfdedfad07196a44d2df6c7cd2cf49118bb

Download Submit
memory/948-60-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/948-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/948-62-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/948-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/948-65-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/948-69-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1184-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download