cbda14adc5ddc1c7dcaab3718dd25805b8c0b720db8678715a754754a214e05f

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03/03/2023, 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice#577595955858.pdf.exe
Size

2.0MB
MD5

a687593ca5cf9d3fee446f7925272818
SHA1

d8ec9e79259cb12c088a668afe34c4305f187c61
SHA256

cbda14adc5ddc1c7dcaab3718dd25805b8c0b720db8678715a754754a214e05f
SHA512

55250b2019b4ee49b8eec2b83fa48d178f2395afd97744f806c795f56d26a39d2be03f61af38ebea73cf4e5c066709026ae4073bc95e3e37062cdc90f14a6be9
SSDEEP

49152:PB0m0c8A4WdMLE8Q7P0A4iDruQzwXOhR0kLZFs7+:Z07c8r1E8rA4iDruQzwidi7+

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1452	dc crypt.exe
1124	tcqsmsla.exe
892	sokxsghrqu.exe

Loads dropped DLL 5 IoCs

pid	Process
1704	Invoice#577595955858.pdf.exe
1704	Invoice#577595955858.pdf.exe
1704	Invoice#577595955858.pdf.exe
1176	wscript.exe
1928	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cica\\tcqsmsla.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\cica\\ejmvi.xml"	tcqsmsla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	sokxsghrqu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trhg\\SOKXSG~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\trhg\\fwxsq.icm"	sokxsghrqu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	tcqsmsla.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1452	1704	Invoice#577595955858.pdf.exe	27
PID 1704 wrote to memory of 1452	1704	Invoice#577595955858.pdf.exe	27
PID 1704 wrote to memory of 1452	1704	Invoice#577595955858.pdf.exe	27
PID 1704 wrote to memory of 1452	1704	Invoice#577595955858.pdf.exe	27
PID 1704 wrote to memory of 1928	1704	Invoice#577595955858.pdf.exe	28
PID 1704 wrote to memory of 1928	1704	Invoice#577595955858.pdf.exe	28
PID 1704 wrote to memory of 1928	1704	Invoice#577595955858.pdf.exe	28
PID 1704 wrote to memory of 1928	1704	Invoice#577595955858.pdf.exe	28
PID 1452 wrote to memory of 1176	1452	dc crypt.exe	29
PID 1452 wrote to memory of 1176	1452	dc crypt.exe	29
PID 1452 wrote to memory of 1176	1452	dc crypt.exe	29
PID 1452 wrote to memory of 1176	1452	dc crypt.exe	29
PID 1176 wrote to memory of 1124	1176	wscript.exe	30
PID 1176 wrote to memory of 1124	1176	wscript.exe	30
PID 1176 wrote to memory of 1124	1176	wscript.exe	30
PID 1176 wrote to memory of 1124	1176	wscript.exe	30
PID 1176 wrote to memory of 1124	1176	wscript.exe	30
PID 1176 wrote to memory of 1124	1176	wscript.exe	30
PID 1176 wrote to memory of 1124	1176	wscript.exe	30
PID 1928 wrote to memory of 892	1928	wscript.exe	31
PID 1928 wrote to memory of 892	1928	wscript.exe	31
PID 1928 wrote to memory of 892	1928	wscript.exe	31
PID 1928 wrote to memory of 892	1928	wscript.exe	31
PID 1928 wrote to memory of 892	1928	wscript.exe	31
PID 1928 wrote to memory of 892	1928	wscript.exe	31
PID 1928 wrote to memory of 892	1928	wscript.exe	31

C:\Users\Admin\AppData\Local\Temp\Invoice#577595955858.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice#577595955858.pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\temp\trhg\dc crypt.exe
  "C:\Users\Admin\AppData\Local\temp\trhg\dc crypt.exe" ä¼ŠèŽŽè´æ‹‰25ç¾Žåˆ†ç¡¬å¸æ˜¯1893å¹´é“¸é€ çš„ä¸€ç§ç¾Žå›½çºªå¿µå¸ï¼Œç”±è”é‚¦å›½ä¼šåº”èŠåŠ å“¥å“¥ä¼¦å¸ƒçºªå¿µåšè§ˆä¼šå¥³å£«ç»ç†äººè‘£äº‹ä¼šçš„è¯·æ±‚æŽˆæƒå‘è¡Œã€‚
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" Update-tj.v.vbe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\cica\tcqsmsla.exe
      "C:\Users\Admin\AppData\Local\Temp\cica\tcqsmsla.exe" ejmvi.xml
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1124
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" Update-so.i.vbe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\trhg\sokxsghrqu.exe
    "C:\Users\Admin\AppData\Local\Temp\trhg\sokxsghrqu.exe" fwxsq.icm
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\cica\ejmvi.xml

Filesize
116.1MB

MD5
ef3f666a79511e575d4b335fe4aa2489

SHA1
664a9cb92fa93195d5a8fa88f5a1d1dddcfd38c8

SHA256
986c822cc70b61eeadb7ba968e79e5dafd4fa2f16155b61b1a67dde9eb1e8ef9

SHA512
5ff80adf045c7f546a4b90b5c0c29c123873bec7d32a693066ffee1fdc44f5e3da7712c1ac0b95a0d1b0d457b16e33b78376cad86eb9d304d910b7ef5d3f85cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cica\eulno.dll

Filesize
32KB

MD5
e86b6473b90a583bf6ee5c38b7238045

SHA1
e809fb1485345acf096947286a149197c133f433

SHA256
3fb7d5b273faeada616dc638385f28f67886297292919fd6c76c271cd0ea4cb4

SHA512
cf7b33fdccc891ca42c9dd5b8a41fd255ac49f90221f7aafbe03397d29a07f0b05e99eb87066abd75fe710fc001efd6788844dbfaec18151d2ec27d323e553ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\cica\tcqsmsla.exe

Filesize
995KB

MD5
b1487180da402d46e06e1d02ef1340f6

SHA1
83dfd4d9e36951e9bd39bccc4c8a0aa6c8549400

SHA256
5731c376bef6eaac57fff80d13fff95af02a4c2db625bebde6394ab57ef3f4ea

SHA512
86b5f368bad0e8e0a14415c87d0ba15783c2f3ede10402c54875f64b8bb3ee924fbf357841b494fa38cc552e05b9b32a1817e5c0a4e739fb32598395b4200013

Download Submit
C:\Users\Admin\AppData\Local\Temp\cica\tcqsmsla.exe

Filesize
995KB

MD5
b1487180da402d46e06e1d02ef1340f6

SHA1
83dfd4d9e36951e9bd39bccc4c8a0aa6c8549400

SHA256
5731c376bef6eaac57fff80d13fff95af02a4c2db625bebde6394ab57ef3f4ea

SHA512
86b5f368bad0e8e0a14415c87d0ba15783c2f3ede10402c54875f64b8bb3ee924fbf357841b494fa38cc552e05b9b32a1817e5c0a4e739fb32598395b4200013

Download Submit
C:\Users\Admin\AppData\Local\Temp\cica\wfencdsb.ven

Filesize
946KB

MD5
af730bad6f08daed98f057702509532b

SHA1
ac5adc176b47a61c5cadb333c80c9fd8313ac78d

SHA256
4007af43cdd926f8ae085a8b29f5a55d45b26edc3c4600b7868c777c5b97f10e

SHA512
52b491f1afb53283cf78992cfdfd7c628b1187b0467f8bb79743b337a5d85419e8ae35125f1d9d5e669370a5e2c26f41ea9be5e958a2c884fb6d83be29aefba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\trhg\bepdbdqah.xml

Filesize
31KB

MD5
695fb78c59d16bd586cfbe22211b8b6c

SHA1
ee501a84cbd984d67bf9ac0ec2531edd87b71687

SHA256
19a4534d572d403d0f45a9f259f887378fc3c98714ff5056fd985a068724b27c

SHA512
794f915c4fce34153c64005ff96e3071df839fc4a0ae9945c71ec8cd0e5cbcab260e9ec2507e1245774b2b32c23843b8ea60f6534490522caab908b3fd57e895

Download Submit
C:\Users\Admin\AppData\Local\Temp\trhg\bwtu.ucp

Filesize
166KB

MD5
5d7781db353e6558585edddd657be403

SHA1
da7cf48541c6e4165420d5a943cbdf860d0bc779

SHA256
7476fbd0eadbcaf6f13032f376ea0aabaecc9516482e09c51fbf86be7191719d

SHA512
f45c969855a1db2c3993dc96db1bd4ceac3e96f8a8679e841c827329e2cac06a99be264fb7802fb782693b509a2fdca9b86b7fd08dd9bc97cb76a4d88ca649c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\trhg\dc crypt.exe

Filesize
1.2MB

MD5
cf265d67b5354040f3389f142f2b05d6

SHA1
f339f7232465aa6aad2d9dd5388e29c9c6ed4cc9

SHA256
b778a6cae48d031fc25f8fde9fed1bc570157c6f63d38c69fff82eaa51badb08

SHA512
54ee16677bb83f13d7171104a10f16202b9affd614a6cc767fdfd421ba9b04176b7335555150d7a7c1a846d22181549f6027781b062b2512378d02a169b9cdb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\trhg\dc crypt.exe

Filesize
1.2MB

MD5
cf265d67b5354040f3389f142f2b05d6

SHA1
f339f7232465aa6aad2d9dd5388e29c9c6ed4cc9

SHA256
b778a6cae48d031fc25f8fde9fed1bc570157c6f63d38c69fff82eaa51badb08

SHA512
54ee16677bb83f13d7171104a10f16202b9affd614a6cc767fdfd421ba9b04176b7335555150d7a7c1a846d22181549f6027781b062b2512378d02a169b9cdb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\trhg\fwxsq.icm

Filesize
85.0MB

MD5
d80c7adcc499c3ae1e1633e8b2421728

SHA1
da3f2a17a78319f29344969b14810562278f33ef

SHA256
faf5a3d9eafda1a8014d32eeb70d714ed32a9bc2a6061d37d9c075dec9ac8ef9

SHA512
05ef24018988e69ea558b37be491a522245132c78babb70f865e00c987427ddf1f3c40b59b627c7a659911ba72fbc2459602fa54b3780617a5f6aea282967a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\trhg\sokxsghrqu.exe

Filesize
995KB

MD5
fa25e573dcd18b3c056e5c55f9a61b2c

SHA1
e79c7666327bdf858ce0c50839b48236b65205a5

SHA256
9c6c73bf551611ec32e96d18e0f2e36c8b68ce3840f6e5e5b40cfd3a351ff8fd

SHA512
34ec811f62942c5a0c6d92e903375a6722490ad610a221041bb81e3fa5298a59e03d8006e9c77b8ce9d3cdeb06506dcda70dce080b39aad685cf2268e2432204

Download Submit
C:\Users\Admin\AppData\Local\Temp\trhg\sokxsghrqu.exe

Filesize
995KB

MD5
fa25e573dcd18b3c056e5c55f9a61b2c

SHA1
e79c7666327bdf858ce0c50839b48236b65205a5

SHA256
9c6c73bf551611ec32e96d18e0f2e36c8b68ce3840f6e5e5b40cfd3a351ff8fd

SHA512
34ec811f62942c5a0c6d92e903375a6722490ad610a221041bb81e3fa5298a59e03d8006e9c77b8ce9d3cdeb06506dcda70dce080b39aad685cf2268e2432204

Download Submit
C:\Users\Admin\AppData\Local\temp\cica\Update-tj.v.vbe

Filesize
49KB

MD5
be8316099e11ffbfcf93b32cd7c380b2

SHA1
1949e8324e26ec49532ba5f03adee3b3913c69ee

SHA256
6107f65051ce604f5d37817fc4bc3b27211203f46b2c866580018a2e0eaa1a43

SHA512
bcc2c94aa572867159e2c70830d2dd1540216e3d0eebd027b9af7a7148a5555dbad225138dfaa8365756a26a0d9648206eab3f2ede34bcd5ad266474bef49d41

Download Submit
C:\Users\Admin\AppData\Local\temp\trhg\Update-so.i.vbe

Filesize
77KB

MD5
5ed190801877967155ccf83aeb00795d

SHA1
7dd2de6b605a97c17d9d0e74e18602cfb67d9d4b

SHA256
6e4349189d6dae37815b94457f71998216090789574d898a46acc34196c9c20c

SHA512
740bfc09695f3f731d521ef32c5cbee731197c7341896d540c6eb60765e33128007cd95612a9e47dcf651e3794edfb68235ac5c4456ad7a9e8d883574a5af3cb

Download Submit
C:\Users\Admin\AppData\Local\temp\trhg\dc crypt.exe

Filesize
1.2MB

MD5
cf265d67b5354040f3389f142f2b05d6

SHA1
f339f7232465aa6aad2d9dd5388e29c9c6ed4cc9

SHA256
b778a6cae48d031fc25f8fde9fed1bc570157c6f63d38c69fff82eaa51badb08

SHA512
54ee16677bb83f13d7171104a10f16202b9affd614a6cc767fdfd421ba9b04176b7335555150d7a7c1a846d22181549f6027781b062b2512378d02a169b9cdb7

Download Submit
\Users\Admin\AppData\Local\Temp\cica\tcqsmsla.exe

Filesize
995KB

MD5
b1487180da402d46e06e1d02ef1340f6

SHA1
83dfd4d9e36951e9bd39bccc4c8a0aa6c8549400

SHA256
5731c376bef6eaac57fff80d13fff95af02a4c2db625bebde6394ab57ef3f4ea

SHA512
86b5f368bad0e8e0a14415c87d0ba15783c2f3ede10402c54875f64b8bb3ee924fbf357841b494fa38cc552e05b9b32a1817e5c0a4e739fb32598395b4200013

Download Submit
\Users\Admin\AppData\Local\Temp\trhg\dc crypt.exe

Filesize
1.2MB

MD5
cf265d67b5354040f3389f142f2b05d6

SHA1
f339f7232465aa6aad2d9dd5388e29c9c6ed4cc9

SHA256
b778a6cae48d031fc25f8fde9fed1bc570157c6f63d38c69fff82eaa51badb08

SHA512
54ee16677bb83f13d7171104a10f16202b9affd614a6cc767fdfd421ba9b04176b7335555150d7a7c1a846d22181549f6027781b062b2512378d02a169b9cdb7

Download Submit
\Users\Admin\AppData\Local\Temp\trhg\dc crypt.exe

Filesize
1.2MB

MD5
cf265d67b5354040f3389f142f2b05d6

SHA1
f339f7232465aa6aad2d9dd5388e29c9c6ed4cc9

SHA256
b778a6cae48d031fc25f8fde9fed1bc570157c6f63d38c69fff82eaa51badb08

SHA512
54ee16677bb83f13d7171104a10f16202b9affd614a6cc767fdfd421ba9b04176b7335555150d7a7c1a846d22181549f6027781b062b2512378d02a169b9cdb7

Download Submit
\Users\Admin\AppData\Local\Temp\trhg\dc crypt.exe

Filesize
1.2MB

MD5
cf265d67b5354040f3389f142f2b05d6

SHA1
f339f7232465aa6aad2d9dd5388e29c9c6ed4cc9

SHA256
b778a6cae48d031fc25f8fde9fed1bc570157c6f63d38c69fff82eaa51badb08

SHA512
54ee16677bb83f13d7171104a10f16202b9affd614a6cc767fdfd421ba9b04176b7335555150d7a7c1a846d22181549f6027781b062b2512378d02a169b9cdb7

Download Submit
\Users\Admin\AppData\Local\Temp\trhg\sokxsghrqu.exe

Filesize
995KB

MD5
fa25e573dcd18b3c056e5c55f9a61b2c

SHA1
e79c7666327bdf858ce0c50839b48236b65205a5

SHA256
9c6c73bf551611ec32e96d18e0f2e36c8b68ce3840f6e5e5b40cfd3a351ff8fd

SHA512
34ec811f62942c5a0c6d92e903375a6722490ad610a221041bb81e3fa5298a59e03d8006e9c77b8ce9d3cdeb06506dcda70dce080b39aad685cf2268e2432204

Download Submit