Analysis
max time kernel: 45s
max time network: 32s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2022 09:51
Static task: static1
Behavioral task: behavioral1
Sample: img1100020222911pdf.exe
Resource: win7-20221111-en
General
Target: img1100020222911pdf.exe
Size: 228KB
MD5: d74737867056221a34fb0f606f46b695
SHA1: 26605c664c9b4b3bd1f007fa1068abb0bbfaf265
SHA256: 8dec08c523bc61d2d8da23da4d82ff33e89f69c7478578af3623f9411e1a38d0
SHA512: 5451a474a6cc55f220b43bfe0b65fe9ed2b7c66dfef0ab33b22e9b8fce26929235073ecd820681087100035b6091acf7106f927a98ca801696aa5e89c89901f4
SSDEEP: 6144:QBn1GdcqsCyQBYm/Zyo49qd/XvU1jO6IJO:gONsCyQBPsvmyjO6yO
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: eshbtmyh.exe (PID 568)
- Loads dropped DLL (2 IoCs)
  Processes: img1100020222911pdf.exe (PID 904), img1100020222911pdf.exe (PID 904)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  PID 904 wrote to memory of 568 / 904 / img1100020222911pdf.exe / eshbtmyh.exe
  PID 904 wrote to memory of 568 / 904 / img1100020222911pdf.exe / eshbtmyh.exe
  PID 904 wrote to memory of 568 / 904 / img1100020222911pdf.exe / eshbtmyh.exe
  PID 904 wrote to memory of 568 / 904 / img1100020222911pdf.exe / eshbtmyh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\img1100020222911pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\img1100020222911pdf.exe"
  PID: 904
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe (child of PID 904)
    Command line: "C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe" C:\Users\Admin\AppData\Local\Temp\artrnvmjmeh.uz
    PID: 568
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe
  Filesize: 59KB
  MD5: c23565b815af9468d59e97b63aadce26
  SHA1: 51fe24f24c98738ce936d9f9a66d759297018729
  SHA256: 511646182f1e77634cb75442ff180bf9fd490addf15a7b943a20fce6a347c5d6
  SHA512: 9553be9b57add87a08b0cdc1f9290e30f7cc4d3d92e425da6b6c4ba80acad11bf8b2643a62c4d6d48de6dc97a3b15c007021045bcc9d15a86d13ad074e9694c6
- \Users\Admin\AppData\Local\Temp\eshbtmyh.exe
  Filesize: 59KB
  MD5: c23565b815af9468d59e97b63aadce26
  SHA1: 51fe24f24c98738ce936d9f9a66d759297018729
  SHA256: 511646182f1e77634cb75442ff180bf9fd490addf15a7b943a20fce6a347c5d6
  SHA512: 9553be9b57add87a08b0cdc1f9290e30f7cc4d3d92e425da6b6c4ba80acad11bf8b2643a62c4d6d48de6dc97a3b15c007021045bcc9d15a86d13ad074e9694c6
- memory/568-57-0x0000000000000000-mapping.dmp
- memory/904-54-0x0000000075351000-0x0000000075353000-memory.dmp
  Filesize: 8KB