Overview

overview

7

Static

static

Doc-102PO-...pg.exe

windows7-x64

6

Doc-102PO-...pg.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    339s
  • max time network
    342s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2023 10:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Doc-102PO-207841001jpg.exe

  • Size

    2MB

  • MD5

    0596aefc251ba32dcb538593b0616568

  • SHA1

    9ceb68e35b93711e8247512c21ad2ccd6b8da938

  • SHA256

    f085f0ece42084f2ce26c28a27ebc9457ae32b2ecd632b3073500b7e17805659

  • SHA512

    da0d4d63ce9ecfc3d892b20f55be6769a5d28a77d9c3b7f4cb22abc51e3be604c102c1e6b7c4d7464dc8dc3f4730b204654c82292ad8899004e90cd7b4a66a5d

  • SSDEEP

    49152:gbB0FQB5MLPlG5/8uMLq0u5hRD5pbjX7i4l8B/oy6kRMF4mK/LPS/yYCxL:g90sW0dRfj7O/oyBqi/TS/yYCxL

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Doc-102PO-207841001jpg.exe
    "C:\Users\Admin\AppData\Local\Temp\Doc-102PO-207841001jpg.exe"
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig/release
      • Suspicious use of WriteProcessMemory
      PID:240
      • C:\Windows\system32\ipconfig.exe
        ipconfig /release
        • Gathers network information
        PID:1092
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1096
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig/renew
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\system32\ipconfig.exe
        ipconfig /renew
        • Gathers network information
        PID:636
    • C:\Users\Admin\AppData\Local\Temp\Doc-102PO-207841001jpg.exe
      C:\Users\Admin\AppData\Local\Temp\Doc-102PO-207841001jpg.exe
        PID:1544

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    00:00 00:00

    Downloads

    • memory/240-58-0x0000000000000000-mapping.dmp
      Download
    • memory/636-68-0x0000000000000000-mapping.dmp
      Download
    • memory/956-67-0x0000000000000000-mapping.dmp
      Download
    • memory/1092-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1096-64-0x00000000024A4000-0x00000000024A7000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1096-65-0x00000000024AB000-0x00000000024CA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1096-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1096-61-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1096-62-0x000007FEEC630000-0x000007FEED053000-memory.dmp
      Filesize

      10MB

      Download
    • memory/1096-63-0x000007FEEBAD0000-0x000007FEEC62D000-memory.dmp
      Filesize

      11MB

      Download
    • memory/1096-66-0x00000000024AB000-0x00000000024CA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1516-56-0x0000000002210000-0x00000000022A2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1516-54-0x000000013FE00000-0x000000014001A000-memory.dmp
      Filesize

      2MB

      Download
    • memory/1516-57-0x000000001BEF6000-0x000000001BF15000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1516-55-0x000000001B9C0000-0x000000001BBAA000-memory.dmp
      Filesize

      1MB

      Download
    • memory/1516-69-0x000000001B220000-0x000000001B2F2000-memory.dmp
      Filesize

      840KB

      Download
    • memory/1516-78-0x000000001BEF6000-0x000000001BF15000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1544-70-0x0000000140000000-0x0000000140098000-memory.dmp
      Filesize

      608KB

      Download
    • memory/1544-71-0x0000000140000000-0x0000000140098000-memory.dmp
      Filesize

      608KB

      Download
    • memory/1544-73-0x0000000140000000-0x0000000140098000-memory.dmp
      Filesize

      608KB

      Download
    • memory/1544-74-0x0000000140000000-0x0000000140098000-memory.dmp
      Filesize

      608KB

      Download
    • memory/1544-75-0x0000000140000000-mapping.dmp
      Download