Overview

overview

9

Static

static

Message.Pd...__.exe

windows7-x64

9

Message.Pd...__.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    150s
  • max time network
    169s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 21:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Message.Pdf_____________________________________________________________.exe

  • Size

    459KB

  • MD5

    31559db5ce662400dccef6f781b4218d

  • SHA1

    66567121269f253f0282ecc04ad981dae54959d9

  • SHA256

    b89e0e608175629cb724fa36e35147a81a0d48b3b1c15656783b47e7b9bd8845

  • SHA512

    a5099e62537179fcda5e039cf0dace1753c5db550edb505dfdbbb1d342b5566d6cd712e48a8d9f900be947904aa4ea330d3d41cd7b9db0655837dc5ec93373a9

  • SSDEEP

    12288:pnUNbLVGziGw9t89zIFEqJAosf6yqTRNnh:uNLVMxu7fh

Score
9/10
evasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Message.Pdf_____________________________________________________________.exe
    "C:\Users\Admin\AppData\Local\Temp\Message.Pdf_____________________________________________________________.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Users\Admin\AppData\Local\Temp\Message.Pdf_____________________________________________________________.exe
      "C:\Users\Admin\AppData\Local\Temp\Message.Pdf_____________________________________________________________.exe"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\system32\explorer.exe"
        3⤵
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:1428
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:836

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\ihyzetobyzizyqeq\01000000
    Filesize

    459KB

    MD5

    7a1a10f497640bcb9f6e5b69ea8e1d65

    SHA1

    e4addda58bc2b090dd9d1eb3ea647a4f4b81a0ef

    SHA256

    e600e191efaa308923c5e0d593c2177ce6748c7e0422b980e09cc606b5efdbfb

    SHA512

    5e492f07c56a869c558b05624fd38d2b2dd32174aa3353093e9975db6ba97bbeb507175e7630bc3c85f8d63101c65e1b05def9be422f97266923bfc22b7f9518

    Download Submit

  • memory/1452-54-0x0000000076181000-0x0000000076183000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1512-62-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1512-78-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1512-60-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1512-64-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1512-66-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1512-68-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1512-69-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1512-55-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1512-61-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1512-58-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1716-76-0x0000000075471000-0x0000000075473000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1716-72-0x0000000000380000-0x00000000003BB000-memory.dmp

    Filesize

    236KB

    Download

  • memory/1716-79-0x0000000000380000-0x00000000003BB000-memory.dmp

    Filesize

    236KB

    Download

  • memory/1716-70-0x0000000000380000-0x00000000003BB000-memory.dmp

    Filesize

    236KB

    Download

  • memory/1716-81-0x0000000073011000-0x0000000073013000-memory.dmp

    Filesize

    8KB

    Download