6581212a5a17193ec0a33c6df595b5d3718ffd2cf139f9e6d6200496511d4c99

Resubmissions

31-10-2022 11:02

221031-m5mkbaagb9 10

27-10-2022 17:41

221027-v9ez2adagn 10

Analysis

max time kernel
150s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-10-2022 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mutual_67.pdf.exe
Size

316KB
MD5

982bf5b99b3ca20cfc0d93444ca1c40d
SHA1

77a6d8b1b01863ffd68bd0030b3b6122c4f6e1da
SHA256

7b83d9b8592def23e8ca5075c4d13e8c008bdb5f8a04763c57a5d56e14e3c1e1
SHA512

d1a0ffe634f4fff5427e5efd399146d7acb02ba582425e3b69ed5dd796e77caa29c37f50cfa544ad57e0f926f768336ee24a8132c1ea4ab5f3d27dd3c6edd508
SSDEEP

6144:4t5hBPi0BW69hd1MMdxPe9N9uA069TBBGFrnn:4tzww69TTI

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
276	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
276	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
276	AcroRd32.exe
276	AcroRd32.exe
276	AcroRd32.exe
276	AcroRd32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 1036	1280	Mutual_67.pdf.exe	27
PID 1280 wrote to memory of 1036	1280	Mutual_67.pdf.exe	27
PID 1280 wrote to memory of 1036	1280	Mutual_67.pdf.exe	27
PID 1036 wrote to memory of 636	1036	cmd.exe	29
PID 1036 wrote to memory of 636	1036	cmd.exe	29
PID 1036 wrote to memory of 636	1036	cmd.exe	29
PID 1036 wrote to memory of 276	1036	cmd.exe	30
PID 1036 wrote to memory of 276	1036	cmd.exe	30
PID 1036 wrote to memory of 276	1036	cmd.exe	30
PID 1036 wrote to memory of 276	1036	cmd.exe	30
PID 636 wrote to memory of 1816	636	WScript.exe	31
PID 636 wrote to memory of 1816	636	WScript.exe	31
PID 636 wrote to memory of 1816	636	WScript.exe	31

C:\Users\Admin\AppData\Local\Temp\Mutual_67.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Mutual_67.pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FC88.tmp\FC89.tmp\FC8A.bat C:\Users\Admin\AppData\Local\Temp\Mutual_67.pdf.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\name.js"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\System32\cmdkey.exe
      "C:\Windows\System32\cmdkey.exe" /generic:Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\Admin\AppData\Local\Temp\2510c_cr69.zip /pass:kLjBEyO /user:""
      4⤵
      PID:1816
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mutual.pdf"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FC88.tmp\FC89.tmp\FC8A.bat

Filesize
1KB

MD5
38c904eb3b649ccd3cbf61d57b76c046

SHA1
1a699545e71e81c4c04ca1894bc3be9cc8f024b1

SHA256
4e58072d8f22782ef8e4e5a97ac7178cc7cd9a69b925ffe71537e79097263924

SHA512
a3613cd67349f05a1c4441202b100beac89ac0462f05586bed65bc28041488b03891dd86f7e80eb24ae2834a1b6929368db6d5f13a0d58904c3157e9a6363c86

Download Submit
memory/276-104-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1280-54-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download