030e7b505d912efbdebba3bd4c0783f029d8bd4caf54ecf988427e47cdea0b16

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Transfer Request_pdf.exe
Size

261KB
MD5

5083abe9d59d3fa08c31af8a52a6fc52
SHA1

0a321017cb103515232af89c9648c5b0423d603f
SHA256

030e7b505d912efbdebba3bd4c0783f029d8bd4caf54ecf988427e47cdea0b16
SHA512

3e16697e5ec1a06476a17147abfc1995ddd6620bb6a60351e2a8cd8077137af67d6b11ff4d08f618676b98d6797a75ff175750624546bc84e4eb9f3ae7a02b45
SSDEEP

6144:QBn1jjE5+EdKaAHyu/IVOzxjl9ZY1X7lOlSrXhZ1zanK29tr1HEQwo+:gjw5+EXBugVO9L+1X70wr71eHH+o+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ddsrh.exe

pid process

1288 ddsrh.exe
Loads dropped DLL 1 IoCs

Processes:

Transfer Request_pdf.exe

pid process

1284 Transfer Request_pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1288	ddsrh.exe

pid	process
1284	Transfer Request_pdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Transfer Request_pdf.exe

description	pid	process	target process
PID 1284 wrote to memory of 1288	1284	Transfer Request_pdf.exe	ddsrh.exe
PID 1284 wrote to memory of 1288	1284	Transfer Request_pdf.exe	ddsrh.exe
PID 1284 wrote to memory of 1288	1284	Transfer Request_pdf.exe	ddsrh.exe
PID 1284 wrote to memory of 1288	1284	Transfer Request_pdf.exe	ddsrh.exe

C:\Users\Admin\AppData\Local\Temp\Transfer Request_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Transfer Request_pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\ddsrh.exe
"C:\Users\Admin\AppData\Local\Temp\ddsrh.exe" C:\Users\Admin\AppData\Local\Temp\bwtlvmcfq.pbk
2⤵
- Executes dropped EXE
PID:1288

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ddsrh.exe
Filesize
122KB

MD5
dcb1a737b2307f78f3afef6397e0b429

SHA1
2ccf9bf6dce9c62591a7720560f9722e6a03e946

SHA256
d39b47bb2f74019385b853b2aa7af0b56110f7ed55c9326c5ae92eaac65c4a7b

SHA512
5cb0fbaebc32cf30141a475507a8da9156dcdf99c4f65b82d4036c77099ae6ebe42fdc12c942fe38a702f5d1669c55147af4904ce3bbbbb4c374a57502ceb62b

Download Submit
\Users\Admin\AppData\Local\Temp\ddsrh.exe
Filesize
122KB

MD5
dcb1a737b2307f78f3afef6397e0b429

SHA1
2ccf9bf6dce9c62591a7720560f9722e6a03e946

SHA256
d39b47bb2f74019385b853b2aa7af0b56110f7ed55c9326c5ae92eaac65c4a7b

SHA512
5cb0fbaebc32cf30141a475507a8da9156dcdf99c4f65b82d4036c77099ae6ebe42fdc12c942fe38a702f5d1669c55147af4904ce3bbbbb4c374a57502ceb62b

Download Submit
memory/1284-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1288-56-0x0000000000000000-mapping.dmp

Download