f251e63c6a599dd80da55e413f7571bf514213ed18c0816a40a4939eca6fe1e1

Analysis

max time kernel
47s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New PO-RJ-IN-003 - Knauf Queimados.exe
Size

396KB
MD5

244fc9610f75225aa3dc09958195beb1
SHA1

ef0d6103d27090fc9d25e3ef3de2e1b6d9670d9c
SHA256

05cdda3567b913d99627f8e41336404d5830816df65e1001d6b2ad05bd9ed18d
SHA512

5e37d34becf476a92c2b14917819c9f9366d99313e971554b4a94d4fe09e05a761355033b5bb59faf3d0a1e34621c31891ff4e5656a379aa581792a7ecc82f16
SSDEEP

6144:hBn7A5jMUCoQUg+p1vrgTr+H9I/LKUsBdVyXMLCMT5u9AG7Nmf:vrZ+1v0TSdcLKj0MLtlu9VNG

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

jaxdij.exe

pid process

1780 jaxdij.exe
Loads dropped DLL 1 IoCs

Processes:

New PO-RJ-IN-003 - Knauf Queimados.exe

pid process

1416 New PO-RJ-IN-003 - Knauf Queimados.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1780	jaxdij.exe

pid	process
1416	New PO-RJ-IN-003 - Knauf Queimados.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

New PO-RJ-IN-003 - Knauf Queimados.exe

description	pid	process	target process
PID 1416 wrote to memory of 1780	1416	New PO-RJ-IN-003 - Knauf Queimados.exe	jaxdij.exe
PID 1416 wrote to memory of 1780	1416	New PO-RJ-IN-003 - Knauf Queimados.exe	jaxdij.exe
PID 1416 wrote to memory of 1780	1416	New PO-RJ-IN-003 - Knauf Queimados.exe	jaxdij.exe
PID 1416 wrote to memory of 1780	1416	New PO-RJ-IN-003 - Knauf Queimados.exe	jaxdij.exe

C:\Users\Admin\AppData\Local\Temp\New PO-RJ-IN-003 - Knauf Queimados.exe
"C:\Users\Admin\AppData\Local\Temp\New PO-RJ-IN-003 - Knauf Queimados.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Local\Temp\jaxdij.exe
"C:\Users\Admin\AppData\Local\Temp\jaxdij.exe" C:\Users\Admin\AppData\Local\Temp\uqnwrddys.k
2⤵
- Executes dropped EXE
PID:1780

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jaxdij.exe
Filesize
144KB

MD5
2dd6c8b13ae7d028b0047435ff0dcb8a

SHA1
d50bc8834758e1583aee729b6c148e4849967097

SHA256
01cb657e996e468706f5c733853419678b8294e7f12669c98db23c1f0d0efc7a

SHA512
b6438eafa008519cd2113fd113192f2f9f5f05ad5efbeb08542c800b7e3bd0e7d3dde83ebba8a2374e2df62fed6cc1248b41ce8cea41bee256da8a0b25fcaf2c

Download Submit
\Users\Admin\AppData\Local\Temp\jaxdij.exe
Filesize
144KB

MD5
2dd6c8b13ae7d028b0047435ff0dcb8a

SHA1
d50bc8834758e1583aee729b6c148e4849967097

SHA256
01cb657e996e468706f5c733853419678b8294e7f12669c98db23c1f0d0efc7a

SHA512
b6438eafa008519cd2113fd113192f2f9f5f05ad5efbeb08542c800b7e3bd0e7d3dde83ebba8a2374e2df62fed6cc1248b41ce8cea41bee256da8a0b25fcaf2c

Download Submit
memory/1416-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1780-56-0x0000000000000000-mapping.dmp

Download