14bdd5687f39ec45ec665c360a96e503e0d6abfcb5ce7dc7285cbf2c16e9b92f

General

Target

test.exe
Size

2.7MB
MD5

8fd4a4a504f74b802bfdaf03ec95a036
SHA1

ef941774c3c50582ffaae6cfce6f18e50b7cf5d2
SHA256

14bdd5687f39ec45ec665c360a96e503e0d6abfcb5ce7dc7285cbf2c16e9b92f
SHA512

257f8084312bfbff3465cc5c484c7218f5bda1fa8b820c358ae40b6384e24373763d1f805d1e8d85a5418fc51c8d80959edf673ff3a467f2f523a6a2c53c45ba
SSDEEP

49152:IBJhO6U1TlVSlRRltLYRd9mJ61KcWRN92hz61IiEEI3gL0td49T1LSqah:yjO6U1hVSlR/te2cPo+iI4z+P

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1292	Mutual_67.pdf.exe

Loads dropped DLL 2 IoCs

pid	Process
1476	test.exe
1476	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
556	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
556	AcroRd32.exe
556	AcroRd32.exe
556	AcroRd32.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1292	1476	test.exe	27
PID 1476 wrote to memory of 1292	1476	test.exe	27
PID 1476 wrote to memory of 1292	1476	test.exe	27
PID 1476 wrote to memory of 1292	1476	test.exe	27
PID 1292 wrote to memory of 2024	1292	Mutual_67.pdf.exe	28
PID 1292 wrote to memory of 2024	1292	Mutual_67.pdf.exe	28
PID 1292 wrote to memory of 2024	1292	Mutual_67.pdf.exe	28
PID 2024 wrote to memory of 720	2024	cmd.exe	30
PID 2024 wrote to memory of 720	2024	cmd.exe	30
PID 2024 wrote to memory of 720	2024	cmd.exe	30
PID 2024 wrote to memory of 556	2024	cmd.exe	31
PID 2024 wrote to memory of 556	2024	cmd.exe	31
PID 2024 wrote to memory of 556	2024	cmd.exe	31
PID 2024 wrote to memory of 556	2024	cmd.exe	31
PID 720 wrote to memory of 296	720	WScript.exe	32
PID 720 wrote to memory of 296	720	WScript.exe	32
PID 720 wrote to memory of 296	720	WScript.exe	32

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\Mutual_67.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Mutual_67.pdf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7427.tmp\7428.tmp\7429.bat C:\Users\Admin\AppData\Local\Temp\Mutual_67.pdf.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\name.js"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:720
    - - C:\Windows\System32\cmdkey.exe
        
        "C:\Windows\System32\cmdkey.exe" /generic:Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\Admin\AppData\Local\Temp\2510c_cr69.zip /pass:kLjBEyO /user:""
        5⤵
        
        PID:296
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mutual.pdf"
      4⤵
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of SetWindowsHookEx
      PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7427.tmp\7428.tmp\7429.bat

Filesize
1KB

MD5
38c904eb3b649ccd3cbf61d57b76c046

SHA1
1a699545e71e81c4c04ca1894bc3be9cc8f024b1

SHA256
4e58072d8f22782ef8e4e5a97ac7178cc7cd9a69b925ffe71537e79097263924

SHA512
a3613cd67349f05a1c4441202b100beac89ac0462f05586bed65bc28041488b03891dd86f7e80eb24ae2834a1b6929368db6d5f13a0d58904c3157e9a6363c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mutual.pdf

Filesize
70KB

MD5
9672b8df2bfb3d9435b85e477dfead51

SHA1
be76ec9e0b5f903afea0943e9bbc7ffd6ef2766f

SHA256
73c818b60eea60e6c1a1e5688a373c6b8376ca4ea2ff269695fe6eeef134b3c8

SHA512
d3709875302560b329c6588c33a0fb7bf0083992298e9e26cd8282537f1224f720153df95af7fbc46b53531ba9fe8ff8af5370e9b7dc120a783e0fa44f4501b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mutual_67.pdf.exe

Filesize
316KB

MD5
982bf5b99b3ca20cfc0d93444ca1c40d

SHA1
77a6d8b1b01863ffd68bd0030b3b6122c4f6e1da

SHA256
7b83d9b8592def23e8ca5075c4d13e8c008bdb5f8a04763c57a5d56e14e3c1e1

SHA512
d1a0ffe634f4fff5427e5efd399146d7acb02ba582425e3b69ed5dd796e77caa29c37f50cfa544ad57e0f926f768336ee24a8132c1ea4ab5f3d27dd3c6edd508

Download Submit
C:\Users\Admin\AppData\Local\Temp\name.js

Filesize
2.9MB

MD5
a9f348be577f108d379aad0028581b62

SHA1
1b40e0080a659f9be8bc5f7d6ca55f455a8878d2

SHA256
9738196ea440301b0666fb6553b69e79ca60a563b6577d77d40aa871ed25c366

SHA512
6cb731f4f822de8a27738c1613e3633cc5c090f801dfb696f1c0eea6d389836be99c591e30886cceb895cf538b908ffa958c3ecebe7990032a9b265ed0b55274

Download Submit
\Users\Admin\AppData\Local\Temp\Mutual_67.pdf.exe

Filesize
316KB

MD5
982bf5b99b3ca20cfc0d93444ca1c40d

SHA1
77a6d8b1b01863ffd68bd0030b3b6122c4f6e1da

SHA256
7b83d9b8592def23e8ca5075c4d13e8c008bdb5f8a04763c57a5d56e14e3c1e1

SHA512
d1a0ffe634f4fff5427e5efd399146d7acb02ba582425e3b69ed5dd796e77caa29c37f50cfa544ad57e0f926f768336ee24a8132c1ea4ab5f3d27dd3c6edd508

Download Submit
\Users\Admin\AppData\Local\Temp\Mutual_67.pdf.exe

Filesize
316KB

MD5
982bf5b99b3ca20cfc0d93444ca1c40d

SHA1
77a6d8b1b01863ffd68bd0030b3b6122c4f6e1da

SHA256
7b83d9b8592def23e8ca5075c4d13e8c008bdb5f8a04763c57a5d56e14e3c1e1

SHA512
d1a0ffe634f4fff5427e5efd399146d7acb02ba582425e3b69ed5dd796e77caa29c37f50cfa544ad57e0f926f768336ee24a8132c1ea4ab5f3d27dd3c6edd508

Download Submit
memory/1292-59-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/1476-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing