dd1acff26190113e2596b2d703e326537b32250aa41823b34582f9d2926301af

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 07:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dd1acff26190113e2596b2d703e326537b32250aa41823b34582f9d2926301af.exe
Size

48KB
MD5

059e4f5975a09168909f0f5683e528d0
SHA1

da487e27c3f51488eb7f9661ee513a8ff02fb516
SHA256

dd1acff26190113e2596b2d703e326537b32250aa41823b34582f9d2926301af
SHA512

d50c6e588ddbd67452bb72309a8425e7943be9379c7158e112ab33800ced17cd0680ade4ff8452e1a0e91d7bb753e9c4e56846b7a9afae0f9f12220da55f68a2
SSDEEP

768:E94SV/FezvwVnrBkhICPgBqhUh/BE2fEDYiAnXeVYHITiXf:E946uvwAuqCk2d3MYHITiP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
972	updpdf.exe

Loads dropped DLL 1 IoCs

pid	Process
1380	dd1acff26190113e2596b2d703e326537b32250aa41823b34582f9d2926301af.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 972	1380	dd1acff26190113e2596b2d703e326537b32250aa41823b34582f9d2926301af.exe	27
PID 1380 wrote to memory of 972	1380	dd1acff26190113e2596b2d703e326537b32250aa41823b34582f9d2926301af.exe	27
PID 1380 wrote to memory of 972	1380	dd1acff26190113e2596b2d703e326537b32250aa41823b34582f9d2926301af.exe	27
PID 1380 wrote to memory of 972	1380	dd1acff26190113e2596b2d703e326537b32250aa41823b34582f9d2926301af.exe	27

C:\Users\Admin\AppData\Local\Temp\dd1acff26190113e2596b2d703e326537b32250aa41823b34582f9d2926301af.exe
"C:\Users\Admin\AppData\Local\Temp\dd1acff26190113e2596b2d703e326537b32250aa41823b34582f9d2926301af.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\updpdf.exe
  "C:\Users\Admin\AppData\Local\Temp\updpdf.exe"
  2⤵
  - Executes dropped EXE
  PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\updpdf.exe

Filesize
48KB

MD5
e6854add28812a5e7697b1fc821c790a

SHA1
7f04dba0f985a79693b83272b48691ce7383d27c

SHA256
40c65b6dd6b766af35cbeedb2481864484b080760a35323a0baf325998c0ec90

SHA512
bf714a3f8e1dc921d0e26e946d013d6f2a4577a6a8c7bfd3ba3b9f07714cd7d3da5c618e2564af096bc2ab7f0a4a8fffd3412e2a635cdecc3829aeaabdcfd8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\updpdf.exe

Filesize
48KB

MD5
e6854add28812a5e7697b1fc821c790a

SHA1
7f04dba0f985a79693b83272b48691ce7383d27c

SHA256
40c65b6dd6b766af35cbeedb2481864484b080760a35323a0baf325998c0ec90

SHA512
bf714a3f8e1dc921d0e26e946d013d6f2a4577a6a8c7bfd3ba3b9f07714cd7d3da5c618e2564af096bc2ab7f0a4a8fffd3412e2a635cdecc3829aeaabdcfd8b9

Download Submit
\Users\Admin\AppData\Local\Temp\updpdf.exe

Filesize
48KB

MD5
e6854add28812a5e7697b1fc821c790a

SHA1
7f04dba0f985a79693b83272b48691ce7383d27c

SHA256
40c65b6dd6b766af35cbeedb2481864484b080760a35323a0baf325998c0ec90

SHA512
bf714a3f8e1dc921d0e26e946d013d6f2a4577a6a8c7bfd3ba3b9f07714cd7d3da5c618e2564af096bc2ab7f0a4a8fffd3412e2a635cdecc3829aeaabdcfd8b9

Download Submit
memory/1380-54-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download
memory/1380-55-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1380-56-0x0000000004000000-0x0000000004005000-memory.dmp

Filesize
20KB

Download