37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609

Analysis

max time kernel
2s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
07-12-2022 17:53

Target

Shipping docs xlsx.exe
Size

239KB
MD5

61672650363565ad7ce71c5a261a5e7e
SHA1

da70e0ed691217615c57963c58e18de927c13294
SHA256

37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609
SHA512

17b7867c3329a1ccd514cb265622d9bcf8a817d29b49e7c9fd12e49ae905ef09683da32e41ed57054f0451b3fc7f562ad999c59558948659e63cfe17f23fc824
SSDEEP

6144:QBn10ffIoo3VeRy65qQvT1GLwbTWYM89y7rOjPwA:gSR5qubqS96SD

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

lkhgcvox.exe

pid process

1348 lkhgcvox.exe
Loads dropped DLL 2 IoCs

Processes:

Shipping docs xlsx.exe

pid process

1704 Shipping docs xlsx.exe
1704 Shipping docs xlsx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1348	lkhgcvox.exe

pid	process
1704	Shipping docs xlsx.exe
1704	Shipping docs xlsx.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Shipping docs xlsx.exe

description	pid	process	target process
PID 1704 wrote to memory of 1348	1704	Shipping docs xlsx.exe	lkhgcvox.exe
PID 1704 wrote to memory of 1348	1704	Shipping docs xlsx.exe	lkhgcvox.exe
PID 1704 wrote to memory of 1348	1704	Shipping docs xlsx.exe	lkhgcvox.exe
PID 1704 wrote to memory of 1348	1704	Shipping docs xlsx.exe	lkhgcvox.exe

C:\Users\Admin\AppData\Local\Temp\Shipping docs xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping docs xlsx.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe
  "C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe" C:\Users\Admin\AppData\Local\Temp\lgjvm.n
  2⤵
  - Executes dropped EXE
  PID:1348

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe

Filesize
58KB

MD5
436337374849644f54f370b2931c5f9c

SHA1
23024687bca7f77b61d5f9c9f08c622998d8798f

SHA256
03a6040822f451f05bc029e2701cfe433947bc4490ca4da37a8a7617e126a493

SHA512
614193c3df8f97f54bf3eace6729b0e42bdc99ed3664df9e153ef0a6c765ff663f57d91acef9525dae5df6ef5f0f96914c8bee09f8c4b663c662e6ad9dac2bfa

Download Submit
\Users\Admin\AppData\Local\Temp\lkhgcvox.exe

Filesize
58KB

MD5
436337374849644f54f370b2931c5f9c

SHA1
23024687bca7f77b61d5f9c9f08c622998d8798f

SHA256
03a6040822f451f05bc029e2701cfe433947bc4490ca4da37a8a7617e126a493

SHA512
614193c3df8f97f54bf3eace6729b0e42bdc99ed3664df9e153ef0a6c765ff663f57d91acef9525dae5df6ef5f0f96914c8bee09f8c4b663c662e6ad9dac2bfa

Download Submit
\Users\Admin\AppData\Local\Temp\lkhgcvox.exe

Filesize
58KB

MD5
436337374849644f54f370b2931c5f9c

SHA1
23024687bca7f77b61d5f9c9f08c622998d8798f

SHA256
03a6040822f451f05bc029e2701cfe433947bc4490ca4da37a8a7617e126a493

SHA512
614193c3df8f97f54bf3eace6729b0e42bdc99ed3664df9e153ef0a6c765ff663f57d91acef9525dae5df6ef5f0f96914c8bee09f8c4b663c662e6ad9dac2bfa

Download Submit
memory/1348-57-0x0000000000000000-mapping.dmp

Download
memory/1704-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download