f1d9c87c7e97db85d31c56b62f33ae71a2869281cf054a1b4f1ce0d891e84f44

Analysis

max time kernel
140s
max time network
143s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-01-2023 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

photo_88093849384983430493483984390-094.exe
Size

550KB
MD5

b7af9364e54e733684f2b5ef4bdd550a
SHA1

0b4a2b89d5373e6e13395753786154e90e803387
SHA256

37e06231dbbfd682fed877eece815fc8f383f05396495468805d75c94a802e6e
SHA512

15aafec28acb2862168ee073bd7dc7ea766463e677399f2d6da200f7db9a342c4e8db6f9237e12174fa4c99acf3d3279f686bb11e8a12adc53072492ef828c48
SSDEEP

6144:7nx1IH1z1RRu8HAx08JgSRxEguHjseJ1Rb/:shvRu8g3dbEjHjselb/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

_gpj.Scr

pid process

1616 _gpj.Scr
Loads dropped DLL 1 IoCs

Processes:

photo_88093849384983430493483984390-094.exe

pid process

1220 photo_88093849384983430493483984390-094.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

_gpj.Scr

description pid process

Token: SeDebugPrivilege 1616 _gpj.Scr
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1680 DllHost.exe

pid	process
1616	_gpj.Scr

pid	process
1220	photo_88093849384983430493483984390-094.exe

description	pid	process
Token: SeDebugPrivilege	1616	_gpj.Scr

pid	process
1680	DllHost.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

photo_88093849384983430493483984390-094.exe

description	pid	process	target process
PID 1220 wrote to memory of 1616	1220	photo_88093849384983430493483984390-094.exe	_gpj.Scr
PID 1220 wrote to memory of 1616	1220	photo_88093849384983430493483984390-094.exe	_gpj.Scr
PID 1220 wrote to memory of 1616	1220	photo_88093849384983430493483984390-094.exe	_gpj.Scr
PID 1220 wrote to memory of 1616	1220	photo_88093849384983430493483984390-094.exe	_gpj.Scr
PID 1220 wrote to memory of 1616	1220	photo_88093849384983430493483984390-094.exe	_gpj.Scr
PID 1220 wrote to memory of 1616	1220	photo_88093849384983430493483984390-094.exe	_gpj.Scr
PID 1220 wrote to memory of 1616	1220	photo_88093849384983430493483984390-094.exe	_gpj.Scr

C:\Users\Admin\AppData\Local\Temp\photo_88093849384983430493483984390-094.exe
"C:\Users\Admin\AppData\Local\Temp\photo_88093849384983430493483984390-094.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\_gpj.Scr
"C:\Users\Admin\AppData\Local\Temp\_gpj.Scr" /S
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_gpj.Scr
Filesize
350.0MB

MD5
d53d10043ba87eeed33d98d04e3d7520

SHA1
d18c487cca17fbe2b58530bedd7d5fa0665c4def

SHA256
1300c6ff5d21a761a13fec4954a2c86cc64ae07d510c9cf53af377a61597da9a

SHA512
359673bbe112456621eae9068ec6dabf346609eab68356bfa06a93192a31404bef3e0f86dd1296929d5d5e59bb8bb93dda4c19747697ed9b4dc6f0791f5dec3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_gpj.Scr
Filesize
350.0MB

MD5
d53d10043ba87eeed33d98d04e3d7520

SHA1
d18c487cca17fbe2b58530bedd7d5fa0665c4def

SHA256
1300c6ff5d21a761a13fec4954a2c86cc64ae07d510c9cf53af377a61597da9a

SHA512
359673bbe112456621eae9068ec6dabf346609eab68356bfa06a93192a31404bef3e0f86dd1296929d5d5e59bb8bb93dda4c19747697ed9b4dc6f0791f5dec3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\photo_2023-01-03_13-28-2243422343434.jpg
Filesize
62KB

MD5
fcdecb12b2ed8e155c907e4c859b8a6c

SHA1
3b2c3d28a9fff01ac0a06687d1754e9bd4b8959b

SHA256
f2a763febed5e90674696122977187ed1b08a428d5ba972ad963c535cce9189e

SHA512
9b312ac4e51497eb17f12b26f1e4598459cbfeeb5298e0c4086b6d209ef02739709d39d2b5f0577afa2baaa450cc19089776643abaee450bb1da52aee3a5bda1

Download Submit
\Users\Admin\AppData\Local\Temp\_gpj.Scr
Filesize
350.0MB

MD5
d53d10043ba87eeed33d98d04e3d7520

SHA1
d18c487cca17fbe2b58530bedd7d5fa0665c4def

SHA256
1300c6ff5d21a761a13fec4954a2c86cc64ae07d510c9cf53af377a61597da9a

SHA512
359673bbe112456621eae9068ec6dabf346609eab68356bfa06a93192a31404bef3e0f86dd1296929d5d5e59bb8bb93dda4c19747697ed9b4dc6f0791f5dec3b

Download Submit
memory/1220-54-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/1616-57-0x0000000000000000-mapping.dmp

Download
memory/1616-60-0x0000000001010000-0x0000000001018000-memory.dmp

Filesize
32KB

Download