8dec08c523bc61d2d8da23da4d82ff33e89f69c7478578af3623f9411e1a38d0

Analysis

max time kernel
34s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 14:14

Target

img1100020222911pdf.exe
Size

228KB
MD5

d74737867056221a34fb0f606f46b695
SHA1

26605c664c9b4b3bd1f007fa1068abb0bbfaf265
SHA256

8dec08c523bc61d2d8da23da4d82ff33e89f69c7478578af3623f9411e1a38d0
SHA512

5451a474a6cc55f220b43bfe0b65fe9ed2b7c66dfef0ab33b22e9b8fce26929235073ecd820681087100035b6091acf7106f927a98ca801696aa5e89c89901f4
SSDEEP

6144:QBn1GdcqsCyQBYm/Zyo49qd/XvU1jO6IJO:gONsCyQBPsvmyjO6yO

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

eshbtmyh.exe

pid process

1956 eshbtmyh.exe
Loads dropped DLL 2 IoCs

Processes:

img1100020222911pdf.exe

pid process

1612 img1100020222911pdf.exe
1612 img1100020222911pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1956	eshbtmyh.exe

pid	process
1612	img1100020222911pdf.exe
1612	img1100020222911pdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

img1100020222911pdf.exe

description	pid	process	target process
PID 1612 wrote to memory of 1956	1612	img1100020222911pdf.exe	eshbtmyh.exe
PID 1612 wrote to memory of 1956	1612	img1100020222911pdf.exe	eshbtmyh.exe
PID 1612 wrote to memory of 1956	1612	img1100020222911pdf.exe	eshbtmyh.exe
PID 1612 wrote to memory of 1956	1612	img1100020222911pdf.exe	eshbtmyh.exe

C:\Users\Admin\AppData\Local\Temp\img1100020222911pdf.exe
"C:\Users\Admin\AppData\Local\Temp\img1100020222911pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe
  "C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe" C:\Users\Admin\AppData\Local\Temp\artrnvmjmeh.uz
  2⤵
  - Executes dropped EXE
  PID:1956

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe

Filesize
59KB

MD5
c23565b815af9468d59e97b63aadce26

SHA1
51fe24f24c98738ce936d9f9a66d759297018729

SHA256
511646182f1e77634cb75442ff180bf9fd490addf15a7b943a20fce6a347c5d6

SHA512
9553be9b57add87a08b0cdc1f9290e30f7cc4d3d92e425da6b6c4ba80acad11bf8b2643a62c4d6d48de6dc97a3b15c007021045bcc9d15a86d13ad074e9694c6

Download Submit
\Users\Admin\AppData\Local\Temp\eshbtmyh.exe

Filesize
59KB

MD5
c23565b815af9468d59e97b63aadce26

SHA1
51fe24f24c98738ce936d9f9a66d759297018729

SHA256
511646182f1e77634cb75442ff180bf9fd490addf15a7b943a20fce6a347c5d6

SHA512
9553be9b57add87a08b0cdc1f9290e30f7cc4d3d92e425da6b6c4ba80acad11bf8b2643a62c4d6d48de6dc97a3b15c007021045bcc9d15a86d13ad074e9694c6

Download Submit
\Users\Admin\AppData\Local\Temp\eshbtmyh.exe

Filesize
59KB

MD5
c23565b815af9468d59e97b63aadce26

SHA1
51fe24f24c98738ce936d9f9a66d759297018729

SHA256
511646182f1e77634cb75442ff180bf9fd490addf15a7b943a20fce6a347c5d6

SHA512
9553be9b57add87a08b0cdc1f9290e30f7cc4d3d92e425da6b6c4ba80acad11bf8b2643a62c4d6d48de6dc97a3b15c007021045bcc9d15a86d13ad074e9694c6

Download Submit
memory/1612-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1956-57-0x0000000000000000-mapping.dmp

Download