Overview

overview

9

Static

static

Processing...__.exe

windows7-x64

9

Processing...__.exe

windows10-2004-x64

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 10:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Processing.Pdf____________________________________________________________.exe

  • Size

    494KB

  • MD5

    cb607388d6b05dcf0d77fd06f563511d

  • SHA1

    85717a638f5a3cc62b2f5e25897fcee997f35070

  • SHA256

    8a375f861957b7effcda03ba43720d5bc14eeea97a33475a78b904714283d04e

  • SHA512

    3bc8cd97bad6c38711eb67ff88b7cc158d991677a0a07d3efb73837d43eaa7bdbd7fb96d2f5a225f5a4fc39cc1aa2a2c6cd4091d201da79cb7be98fd459c246a

  • SSDEEP

    6144:+7imLFJzjEIl1qcQL7twzWuWFyvgI/EhlRlI8tEUauf+zT3:6RljEIXZ6uaUgF3RllT+zT3

Score
9/10
collectionevasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Processing.Pdf____________________________________________________________.exe
    "C:\Users\Admin\AppData\Local\Temp\Processing.Pdf____________________________________________________________.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Users\Admin\AppData\Local\Temp\Processing.Pdf____________________________________________________________.exe
      "C:\Users\Admin\AppData\Local\Temp\Processing.Pdf____________________________________________________________.exe"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\system32\explorer.exe"
        3⤵
        • Accesses Microsoft Outlook accounts
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        • outlook_win_path
        PID:1976
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:1984
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1760

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\oziqemegewypyvuh\01000000
    Filesize

    494KB

    MD5

    39390d06e7c0d6dfe7cbcc09a55a1bb9

    SHA1

    06f4970c9efb79ac2abe88c58490badc7d97eab6

    SHA256

    735a519597741e99592413611fa50b559ca46e1e386a50239061dc667b272896

    SHA512

    14e41f2c67c62fd620d3e01578a2f078e26d361290df87004d6bee2cb5363b3f955c7256ee53cec550188b61d9805fe4b5fe9d590c2ebbbf47ade68dbdc177e6

    Download Submit

  • memory/1944-61-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1944-58-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1944-60-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1944-62-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1944-64-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1944-65-0x000000000040B4D3-mapping.dmp

    Download

  • memory/1944-68-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1944-69-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1944-78-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1944-66-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1944-55-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1960-54-0x0000000075451000-0x0000000075453000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1976-76-0x0000000074CB1000-0x0000000074CB3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1976-74-0x000000000009BE80-mapping.dmp

    Download

  • memory/1976-72-0x0000000000080000-0x00000000000BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1976-79-0x0000000000080000-0x00000000000BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1976-82-0x0000000000080000-0x00000000000BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1976-81-0x0000000072821000-0x0000000072823000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1976-70-0x0000000000080000-0x00000000000BE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1984-80-0x0000000000000000-mapping.dmp

    Download