498657673492910709e321035e4fabe392e1a297e2ae2653fcb5464279d47de0

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/02/2023, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scan Pagamento 262023 pdf.exe
Size

365KB
MD5

bc0b06402e7d1c9137ddc147b44bb3f1
SHA1

98e045b8c32bf6df991dfaddf4f03298acab0b08
SHA256

498657673492910709e321035e4fabe392e1a297e2ae2653fcb5464279d47de0
SHA512

f59df21f5e92286c1e1d435415c0a5b555a233978dcbc66efdf3459e9f6a7f93219bb4772b81525c2602473490ddda81810ffc47314290856dd18f3d4dcda730
SSDEEP

6144:/Ya6C1CzTInAGQFHLe1ql1SVyH1yPUwYQqOpm2307iTFNotGEr3L:/Yc1CzTQAGs6S1gC1yPUwlg230mTFNwf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1072	qzggr.exe
940	qzggr.exe

Loads dropped DLL 5 IoCs

pid	Process
752	Scan Pagamento 262023 pdf.exe
1072	qzggr.exe
820	WerFault.exe
820	WerFault.exe
820	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1072 set thread context of 940	1072	qzggr.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
820	940	WerFault.exe	28

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1072	qzggr.exe
1072	qzggr.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1072	752	Scan Pagamento 262023 pdf.exe	27
PID 752 wrote to memory of 1072	752	Scan Pagamento 262023 pdf.exe	27
PID 752 wrote to memory of 1072	752	Scan Pagamento 262023 pdf.exe	27
PID 752 wrote to memory of 1072	752	Scan Pagamento 262023 pdf.exe	27
PID 1072 wrote to memory of 940	1072	qzggr.exe	28
PID 1072 wrote to memory of 940	1072	qzggr.exe	28
PID 1072 wrote to memory of 940	1072	qzggr.exe	28
PID 1072 wrote to memory of 940	1072	qzggr.exe	28
PID 1072 wrote to memory of 940	1072	qzggr.exe	28
PID 940 wrote to memory of 820	940	qzggr.exe	29
PID 940 wrote to memory of 820	940	qzggr.exe	29
PID 940 wrote to memory of 820	940	qzggr.exe	29
PID 940 wrote to memory of 820	940	qzggr.exe	29

C:\Users\Admin\AppData\Local\Temp\Scan Pagamento 262023 pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Scan Pagamento 262023 pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\qzggr.exe
  "C:\Users\Admin\AppData\Local\Temp\qzggr.exe" C:\Users\Admin\AppData\Local\Temp\vrkajusb.f
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Users\Admin\AppData\Local\Temp\qzggr.exe
    "C:\Users\Admin\AppData\Local\Temp\qzggr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 36
      4⤵
      Loads dropped DLL
      Program crash
      PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hbxhxppk.gcg

Filesize
205KB

MD5
0673fd0429589c093abcdf172f69f096

SHA1
ce5c989c1ff34316f837628b7ab3f671d755918b

SHA256
a455a81c7cfde0c60158d1f2c810633ffa8e6771fdf4f7fda75978630070a18c

SHA512
0fb712b6a0059ddc0a5332a8fd45d8a75dd638303321a4f56850a79c92007e1a22c78fd988cb357148219cbe80c4555543b7e555a27a42b2890088ef3200ed0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzggr.exe

Filesize
361KB

MD5
a8b8a64da5b2dfaf37977d40e2c62614

SHA1
c848534d03fff2404d60404081bc76c0c2f20d48

SHA256
f4d80b7975633638b1842a4d5c4beede6d77e6a16633411eccfdb06dba47e510

SHA512
077fe16bafd6e100238328096184147306936982cbfef8d97fcc1460f41974a92389bd14c0e1a1761484cc466a9a16296f9ccc25222a666362ad83b5ccf5196a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzggr.exe

Filesize
361KB

MD5
a8b8a64da5b2dfaf37977d40e2c62614

SHA1
c848534d03fff2404d60404081bc76c0c2f20d48

SHA256
f4d80b7975633638b1842a4d5c4beede6d77e6a16633411eccfdb06dba47e510

SHA512
077fe16bafd6e100238328096184147306936982cbfef8d97fcc1460f41974a92389bd14c0e1a1761484cc466a9a16296f9ccc25222a666362ad83b5ccf5196a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzggr.exe

Filesize
361KB

MD5
a8b8a64da5b2dfaf37977d40e2c62614

SHA1
c848534d03fff2404d60404081bc76c0c2f20d48

SHA256
f4d80b7975633638b1842a4d5c4beede6d77e6a16633411eccfdb06dba47e510

SHA512
077fe16bafd6e100238328096184147306936982cbfef8d97fcc1460f41974a92389bd14c0e1a1761484cc466a9a16296f9ccc25222a666362ad83b5ccf5196a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrkajusb.f

Filesize
5KB

MD5
60206627e23f12fdeb3d4da96ecf9e8c

SHA1
cecd003a725d48faa1bdea2a790c9861353f055e

SHA256
ef2a87e8c4f7b0799d14b82f2e88392782e5ad145cd0aaf55f6b6bb2c0b86909

SHA512
3a88ab5017c59c45d0aff0c2536d45eb4c66ba28a025da53da00c1fa37a16d22fd4082c66195632d6ebdd3a01592693269ae4f836a694d6adc16a36405ceb8c1

Download Submit
\Users\Admin\AppData\Local\Temp\qzggr.exe

Filesize
361KB

MD5
a8b8a64da5b2dfaf37977d40e2c62614

SHA1
c848534d03fff2404d60404081bc76c0c2f20d48

SHA256
f4d80b7975633638b1842a4d5c4beede6d77e6a16633411eccfdb06dba47e510

SHA512
077fe16bafd6e100238328096184147306936982cbfef8d97fcc1460f41974a92389bd14c0e1a1761484cc466a9a16296f9ccc25222a666362ad83b5ccf5196a

Download Submit
\Users\Admin\AppData\Local\Temp\qzggr.exe

Filesize
361KB

MD5
a8b8a64da5b2dfaf37977d40e2c62614

SHA1
c848534d03fff2404d60404081bc76c0c2f20d48

SHA256
f4d80b7975633638b1842a4d5c4beede6d77e6a16633411eccfdb06dba47e510

SHA512
077fe16bafd6e100238328096184147306936982cbfef8d97fcc1460f41974a92389bd14c0e1a1761484cc466a9a16296f9ccc25222a666362ad83b5ccf5196a

Download Submit
\Users\Admin\AppData\Local\Temp\qzggr.exe

Filesize
361KB

MD5
a8b8a64da5b2dfaf37977d40e2c62614

SHA1
c848534d03fff2404d60404081bc76c0c2f20d48

SHA256
f4d80b7975633638b1842a4d5c4beede6d77e6a16633411eccfdb06dba47e510

SHA512
077fe16bafd6e100238328096184147306936982cbfef8d97fcc1460f41974a92389bd14c0e1a1761484cc466a9a16296f9ccc25222a666362ad83b5ccf5196a

Download Submit
\Users\Admin\AppData\Local\Temp\qzggr.exe

Filesize
361KB

MD5
a8b8a64da5b2dfaf37977d40e2c62614

SHA1
c848534d03fff2404d60404081bc76c0c2f20d48

SHA256
f4d80b7975633638b1842a4d5c4beede6d77e6a16633411eccfdb06dba47e510

SHA512
077fe16bafd6e100238328096184147306936982cbfef8d97fcc1460f41974a92389bd14c0e1a1761484cc466a9a16296f9ccc25222a666362ad83b5ccf5196a

Download Submit
\Users\Admin\AppData\Local\Temp\qzggr.exe

Filesize
361KB

MD5
a8b8a64da5b2dfaf37977d40e2c62614

SHA1
c848534d03fff2404d60404081bc76c0c2f20d48

SHA256
f4d80b7975633638b1842a4d5c4beede6d77e6a16633411eccfdb06dba47e510

SHA512
077fe16bafd6e100238328096184147306936982cbfef8d97fcc1460f41974a92389bd14c0e1a1761484cc466a9a16296f9ccc25222a666362ad83b5ccf5196a

Download Submit
memory/752-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download