f11ff5bb01c4ad6c270b86f63b4209127d3521c98496f6bb2f021c99eaa881ba

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 09:18

Target

payment_copy3_receipt.exe
Size

535KB
MD5

ea670d2f2b5b772c59b790bcc65c59f6
SHA1

e173a6d224a97430b89bd06df5b2a4fb50b17a30
SHA256

f11ff5bb01c4ad6c270b86f63b4209127d3521c98496f6bb2f021c99eaa881ba
SHA512

b4567a35305637dc8380ca04d634cc291722063f89fe9150881314a24f985d4c218e95e9fec343269591db7a458915bd66946822403dcf86c51936121bc3b4bb
SSDEEP

6144:lBnlWGbqJ4rPFzGCMrjCA6YCZzhKpNv9l2Di9jGn5HdDJRwkOMsPPrs/Ja1UV:w84JrkYszhm32CcxddRws6j2J5V

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

gdbqzvhlf.exe

pid process

1080 gdbqzvhlf.exe
Loads dropped DLL 1 IoCs

Processes:

payment_copy3_receipt.exe

pid process

1284 payment_copy3_receipt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1080	gdbqzvhlf.exe

pid	process
1284	payment_copy3_receipt.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

payment_copy3_receipt.exe

description	pid	process	target process
PID 1284 wrote to memory of 1080	1284	payment_copy3_receipt.exe	gdbqzvhlf.exe
PID 1284 wrote to memory of 1080	1284	payment_copy3_receipt.exe	gdbqzvhlf.exe
PID 1284 wrote to memory of 1080	1284	payment_copy3_receipt.exe	gdbqzvhlf.exe
PID 1284 wrote to memory of 1080	1284	payment_copy3_receipt.exe	gdbqzvhlf.exe

C:\Users\Admin\AppData\Local\Temp\payment_copy3_receipt.exe
"C:\Users\Admin\AppData\Local\Temp\payment_copy3_receipt.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\gdbqzvhlf.exe
  "C:\Users\Admin\AppData\Local\Temp\gdbqzvhlf.exe" C:\Users\Admin\AppData\Local\Temp\acigbevjnk.ssx
  2⤵
  - Executes dropped EXE
  PID:1080

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\gdbqzvhlf.exe

Filesize
122KB

MD5
9b4f91177569b7d97a8b1b8ae8c291d4

SHA1
a8c66d9a3ebdd6ae9a6c79bd55e30bd244fa81a8

SHA256
7dd47d3c356cb014a2e5164adbb9774d943066a9f2cde78fd9bd7b65a0bb83b4

SHA512
261e4cfa04ced36dbec76d4cb1d8a489b1f99c9eb7bf824ccab55b27771e5389e21b338987eeebe5cc87ef772377bd1110b7723c68d759fcf6d5066ebc1e20cb

Download Submit
\Users\Admin\AppData\Local\Temp\gdbqzvhlf.exe

Filesize
122KB

MD5
9b4f91177569b7d97a8b1b8ae8c291d4

SHA1
a8c66d9a3ebdd6ae9a6c79bd55e30bd244fa81a8

SHA256
7dd47d3c356cb014a2e5164adbb9774d943066a9f2cde78fd9bd7b65a0bb83b4

SHA512
261e4cfa04ced36dbec76d4cb1d8a489b1f99c9eb7bf824ccab55b27771e5389e21b338987eeebe5cc87ef772377bd1110b7723c68d759fcf6d5066ebc1e20cb

Download Submit
memory/1080-56-0x0000000000000000-mapping.dmp

Download
memory/1284-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download