95a3af664619ad3299c451425b234fe76559f3c18e7ce5de3dd4638a5b1dbc63

Analysis

max time kernel
214s
max time network
133s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/03/2023, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe
Size

297.0MB
MD5

474f7016aef0aea19fc3b6d58cdb4aa4
SHA1

8815b1239cc8ebbdf51f20ef3be67bac6efc253d
SHA256

ac9f497b30b2303beb2f9bdea927175b8832f2fce9607fa4f6b4e7fcc26d4470
SHA512

a98bf7e573caf330f78f5b7ae6f63d74ed426893040c17de5a39cb7c2b37f0a78430f16de2925db4989d68e4ebf1657b6edeeb35926d2469412ebbff1464e719
SSDEEP

98304:se5cjwqxRWOnO9waPi9xqTetpjIhnbq3etZY1OL:secdVnMK9LdINeue

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1732	AmdHostDevicerjDrivingySuply.exe

Loads dropped DLL 1 IoCs

pid	Process
1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run	AmdHostDevicerjDrivingySuply.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\AMDRadeonHostApplication196S7 = "C:\\ProgramData\\AmdHostDeviceqDriv\\AmdHostDevicerjDrivingySuply.exe"	AmdHostDevicerjDrivingySuply.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\AMDRadeonHostApplicationN0F9N = "cmd.exe /c start C:\\ProgramData\\AmdHostDeviceqDriv\\AmdHostDevicerjDrivingySuply.exe"	AmdHostDevicerjDrivingySuply.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe
1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe
1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe
1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe
1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe
1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe
1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe
1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe
1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe
1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe
1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe
1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe
1732	AmdHostDevicerjDrivingySuply.exe
1732	AmdHostDevicerjDrivingySuply.exe
1732	AmdHostDevicerjDrivingySuply.exe
1732	AmdHostDevicerjDrivingySuply.exe
1732	AmdHostDevicerjDrivingySuply.exe
1732	AmdHostDevicerjDrivingySuply.exe
1732	AmdHostDevicerjDrivingySuply.exe
1732	AmdHostDevicerjDrivingySuply.exe
1732	AmdHostDevicerjDrivingySuply.exe
1732	AmdHostDevicerjDrivingySuply.exe
1732	AmdHostDevicerjDrivingySuply.exe
1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe
Token: 33	1732	AmdHostDevicerjDrivingySuply.exe
Token: SeIncBasePriorityPrivilege	1732	AmdHostDevicerjDrivingySuply.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe
1732	AmdHostDevicerjDrivingySuply.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1732	1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe	28
PID 1376 wrote to memory of 1732	1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe	28
PID 1376 wrote to memory of 1732	1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe	28
PID 1376 wrote to memory of 1732	1376	PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe	28

C:\Users\Admin\AppData\Local\Temp\PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe
"C:\Users\Admin\AppData\Local\Temp\PDF_Archivo_DocumtQVREOIOIZEADFAOuxlgi.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376
- C:\ProgramData\AmdHostDeviceqDriv\AmdHostDevicerjDrivingySuply.exe
  "C:\ProgramData\AmdHostDeviceqDriv\AmdHostDevicerjDrivingySuply.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AmdHostDeviceqDriv\AmdHostDevicerjDrivingySuply.exe

Filesize
352.8MB

MD5
5792c09adb20b9aa8327ed4a3cddc9db

SHA1
9c287bb923dbbfae04b65a5c0c0a46e7b815274b

SHA256
d2e88845dc8f2a49266d9c70c0a7b8192c000b4f8d186bf4c906c38e537c37bd

SHA512
00a702ebe78f496fd67ca327a9f6818249608faad022ac3dee12462f41cd831db8846a4502a75b4b996bc5a6c23c029c128b1751af92953eb38b2805cf4dd117

Download Submit
C:\ProgramData\AmdHostDeviceqDriv\AmdHostDevicerjDrivingySuply.exe

Filesize
340.7MB

MD5
cfb4b6eff680a59c71ed58b972ae8470

SHA1
20b270ddf41b6c0700017805e2e17ab239efda98

SHA256
e5fd98fa9c350752734cd9d9783f5f8668431a7bb7ef4b0b3427336bed2cb503

SHA512
f6b17a546c1e6c28455122179f1a46681c4f9c5b3b54f388a9ad4023c399070078529a7550ae536e259255c971795f645f57909747a270273fd5db7b3ba8c65d

Download Submit
C:\ProgramData\AmdHostDeviceqDriv\AmdHostDevicerjDrivingySuply.exe

Filesize
333.1MB

MD5
dfe1a11e2a3f9fa8905e16f3c5c96030

SHA1
ff382ebeeda2ef0580655ad9de0ea75fa75be980

SHA256
4927e3e88cc40dc1c26d2bf21f05549335395007fa8917859ec68660f09fcb06

SHA512
5679614d7157e759aa19c106c68fabd127340591a37a2a47bef5917a8f0ff43213fd182381657b4d5cd67bd2d6de023ead85c859b3a1aad956f86362807a29c6

Download Submit
C:\ProgramData\AmdHostDeviceqDriv\NzqUbfgQrivprewQevivatlFhcyl.cfg

Filesize
420B

MD5
20bcdba3db94fa361e8d88aaa43f2a6d

SHA1
1ac0cf5efd7e18c9f3bebe7e5e891cff4cda5d40

SHA256
d36afb61fb1c7842f8a01762a879ada1d196a6763534d8c37533bfa4a085c903

SHA512
2ec63ab245ec2fd2e5da7a2c9422adb35e9d47ab4d228a027682920b5f040e5671497fb7446338670aba56500bc8effa6a0e41910b18e90837a80a34ce538544

Download Submit
C:\ProgramData\AmdHostDeviceqDriv\NzqUbfgQrivprewQevivatlFhcyl.cfg

Filesize
300B

MD5
686e30c283be8d15175d46706d2891fc

SHA1
ccd132ea0121e364dfc90d9946b3f067fa105940

SHA256
438044d34eb4a1417cc6fb30a5e188035d445b1a15e328c547af6569a64b40a5

SHA512
a1278233e815664dc6243342cc23f04c51fb5e44554d195e5fd13a08e50fd5168545e7ac04cec5ae8349dfdd9759747fb6cc777ce8084d2c7b9a1b1423a0621d

Download Submit
\ProgramData\AmdHostDeviceqDriv\AmdHostDevicerjDrivingySuply.exe

Filesize
338.7MB

MD5
824e64f2fe9133cf5d28b06d796c444a

SHA1
0cb7822b6d3ce6e269ca41479b598c3921d3f291

SHA256
96b4d649481742b94b6a270941bce6ad8f3e77ec8eed68e98fc4d6f2cb5b1be9

SHA512
047f1a8ce625bad9781a03928390d3cdef79a3f9afa636e16e51201854ce4c4c3d1f044ea424f5a518ab30c3c589096304004f31656046f07e19a807673efce9

Download Submit
memory/1376-62-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1376-55-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1376-72-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1376-63-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1376-54-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1376-61-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1376-60-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1376-122-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1376-59-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1376-113-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1376-66-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1732-107-0x00000000261A0000-0x00000000261A1000-memory.dmp

Filesize
4KB

Download
memory/1732-118-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1732-79-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download