75487358663f47e70846be7ae195c335bb35cbe469c93503f537e75855082f01

Analysis

max time kernel
43s
max time network
44s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 07:36

Target

DHL Shipment_pdf.exe
Size

253KB
MD5

6c47810c50e5d51c52010f6497b192cc
SHA1

46c1da4c046006d84a306b824e2f9f65a034e389
SHA256

75487358663f47e70846be7ae195c335bb35cbe469c93503f537e75855082f01
SHA512

ab56561a813a1730a63c3d474178d7a0d57394979eb8d5babd98742a3556f4805b88e13c505dbf5169740cc0a3dbffb994b58284d9343f64d835042299e8bbcf
SSDEEP

6144:xBnQPEBXJ9LLlsp1mjwi2OsedFcBzX1GuW5uC1O:8P4Zc1Ow5eTcBbAn5u3

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

vwwufokaj.exe

pid process

1312 vwwufokaj.exe
Loads dropped DLL 1 IoCs

Processes:

DHL Shipment_pdf.exe

pid process

940 DHL Shipment_pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1312	vwwufokaj.exe

pid	process
940	DHL Shipment_pdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

DHL Shipment_pdf.exe

description	pid	process	target process
PID 940 wrote to memory of 1312	940	DHL Shipment_pdf.exe	vwwufokaj.exe
PID 940 wrote to memory of 1312	940	DHL Shipment_pdf.exe	vwwufokaj.exe
PID 940 wrote to memory of 1312	940	DHL Shipment_pdf.exe	vwwufokaj.exe
PID 940 wrote to memory of 1312	940	DHL Shipment_pdf.exe	vwwufokaj.exe

C:\Users\Admin\AppData\Local\Temp\DHL Shipment_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment_pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940
- C:\Users\Admin\AppData\Local\Temp\vwwufokaj.exe
  "C:\Users\Admin\AppData\Local\Temp\vwwufokaj.exe" C:\Users\Admin\AppData\Local\Temp\pwpwushk.h
  2⤵
  - Executes dropped EXE
  PID:1312

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\vwwufokaj.exe

Filesize
46KB

MD5
27541d5316db05b650ab973fd2aec842

SHA1
ec706f8d9bced58fff747022891c64b6a2148d2f

SHA256
720ea640a85baea2835b01c5a6819dd7a129f97e5d4049b63f07b4e007eb8298

SHA512
ad0e19c92fd8f8e4025ae82a2b3caf89501f2a8e3073c910bf100a8a3c06fb1f62ea955e92dab23350ab7f92420c704740c2baba8782a923b7025f93b06dab73

Download Submit
\Users\Admin\AppData\Local\Temp\vwwufokaj.exe

Filesize
46KB

MD5
27541d5316db05b650ab973fd2aec842

SHA1
ec706f8d9bced58fff747022891c64b6a2148d2f

SHA256
720ea640a85baea2835b01c5a6819dd7a129f97e5d4049b63f07b4e007eb8298

SHA512
ad0e19c92fd8f8e4025ae82a2b3caf89501f2a8e3073c910bf100a8a3c06fb1f62ea955e92dab23350ab7f92420c704740c2baba8782a923b7025f93b06dab73

Download Submit
memory/940-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1312-56-0x0000000000000000-mapping.dmp

Download