Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
27-10-2022 11:43
General
-
Target
Shipment Document BL,INV and packing list.jpg.exe
-
Size
323KB
-
MD5
858a0b8a0c24df21ce22f3ff702a3737
-
SHA1
f285429ebe2a75c143abe1fd579c979122c6afe0
-
SHA256
88819addd430324a7461bdf59c1ab994bc613bb2b17f09e572b7ba1c0c47e6f9
-
SHA512
cfdab69ebe17d666b05a399c935a28f411a9bc1a5c014dd1fa533043992b7a947d6417982011b9fabc76c21d2d294d6384a2157580fc30b4ef46e53eb0c57ca7
-
SSDEEP
6144:/6dbOGzzzzzzzzzzzzzzzzzzzzzzzzzzzzkzTzzzzzzQtkauL/sVfEBlUbrQ2Inh:itka2UbrQlZI/JTV6V7KAF
Malware Config
Signatures
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
-
Loads dropped DLL 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nso6357.tmp\System.dllFilesize
11KB
MD50063d48afe5a0cdc02833145667b6641
SHA1e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA51271cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
memory/1492-66-0x00000000776E0000-0x0000000077860000-memory.dmpFilesize
1.5MB
-
memory/1492-56-0x0000000003720000-0x0000000003821000-memory.dmpFilesize
1.0MB
-
memory/1492-57-0x0000000003720000-0x0000000003821000-memory.dmpFilesize
1.0MB
-
memory/1492-58-0x0000000077500000-0x00000000776A9000-memory.dmpFilesize
1.7MB
-
memory/1492-61-0x00000000776E0000-0x0000000077860000-memory.dmpFilesize
1.5MB
-
memory/1492-74-0x00000000776E0000-0x0000000077860000-memory.dmpFilesize
1.5MB
-
memory/1492-63-0x00000000776E0000-0x0000000077860000-memory.dmpFilesize
1.5MB
-
memory/1492-54-0x0000000076121000-0x0000000076123000-memory.dmpFilesize
8KB
-
memory/1492-73-0x0000000003720000-0x0000000003821000-memory.dmpFilesize
1.0MB
-
memory/1984-64-0x0000000000400000-0x0000000001462000-memory.dmpFilesize
16.4MB
-
memory/1984-67-0x00000000001C0000-0x00000000002C0000-memory.dmpFilesize
1024KB
-
memory/1984-68-0x0000000077500000-0x00000000776A9000-memory.dmpFilesize
1.7MB
-
memory/1984-71-0x00000000776E0000-0x0000000077860000-memory.dmpFilesize
1.5MB
-
memory/1984-72-0x00000000776E0000-0x0000000077860000-memory.dmpFilesize
1.5MB
-
memory/1984-65-0x00000000001C0000-0x00000000002C0000-memory.dmpFilesize
1024KB
-
memory/1984-62-0x0000000000403235-mapping.dmp