0bda29c1168f11ab1a4f920dfdbe41708ef9766aa498ec78a32bd03e58c8419a

Analysis

max time kernel
89s
max time network
92s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-03-2023 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

My2021-22-W2-1040-1099-R.PDF.vbs
Size

2.0MB
MD5

679125286a8552fc36b9cbb2fafae268
SHA1

4b2e7be52f7219389b367df7feb608351adfb270
SHA256

0bda29c1168f11ab1a4f920dfdbe41708ef9766aa498ec78a32bd03e58c8419a
SHA512

18e6638993bb796776752fc558b04d662731f6d8594d186ce6af77451ab9b83cec815df323d122894c58b6a9721e173b6f11593ca0ea5f797153adf58bcdf6be
SSDEEP

24576:+8o61WnM8/07gQVyPXo7lCI+aSf7Wf0us3AtxqPZyDy3vgJxhgW:eswPXoBAx+4ALfN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

DAVe.exepython.exe

pid process

1360 DAVe.exe
1932 python.exe
Loads dropped DLL 1 IoCs

Processes:

python.exe

pid process

1932 python.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1360	DAVe.exe
1932	python.exe

pid	process
1932	python.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1888 wrote to memory of 1360	1888	WScript.exe	DAVe.exe
PID 1888 wrote to memory of 1360	1888	WScript.exe	DAVe.exe
PID 1888 wrote to memory of 1360	1888	WScript.exe	DAVe.exe
PID 1888 wrote to memory of 1360	1888	WScript.exe	DAVe.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\My2021-22-W2-1040-1099-R.PDF.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\DAVe.exe
"C:\Users\Admin\AppData\Local\Temp\DAVe.exe"
2⤵
- Executes dropped EXE
PID:1360

C:\Users\Admin\AppData\Roaming\63225c08\python.exe
"C:\Users\Admin\AppData\Roaming\63225c08\python.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAVe.exe
Filesize
1.4MB

MD5
5c31d8633ec3bc687b839d5a6ed60302

SHA1
36f51595002d616ea3ef9b58fc73692a84e93cc3

SHA256
1c01002517d40ea72de95919ad0d77fc877004037ea5fefe4fb111205694290e

SHA512
5bcc4d4e70fd8a3db11a7f78d95c26755bb80f488d65faa56342f09f5e891572febc8ab58858aaf868c0f78b0de18cdb0371aef2244255e9ab90ee28fb841a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAEDD.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\63225c08\python.exe
Filesize
93KB

MD5
1f6ce27a40898ef68562d9c5eab4d2ab

SHA1
639bc5f89e669eda21d7f537cb4caaa4218d037d

SHA256
ea80f95fb9accd5059c0734b1f4bcc56aa07fd939376d4a13b733252ac26338e

SHA512
d9eff898270da89b5f5368bed6b260f55a8adf7fa4f490d653df30e1047100ab75ac50a32ce92bd53f3a2cbdf0d7ce3f2ccc67c278d51b2ae11836eb55a4d9ca

Download Submit
C:\Users\Admin\AppData\Roaming\63225c08\python39.dll
Filesize
4.2MB

MD5
ccc097e6b96ee1312fd55df2f313b5cc

SHA1
5db6f085bf0929a19ff190058e709b0f331f34d8

SHA256
77f2b7cc4b94e68988cc9628e75b39e5108e5dc418dd6447acbfb867877aea57

SHA512
6113864246bb2f5a07fb73a58313f111356bac896bdafa530486045d92d2909bd21d5e14a7d02e7288a7309036ca7125300b381048e7302f7c9cf975c1cf2f7f

Download Submit
\Users\Admin\AppData\Roaming\63225c08\python39.dll
Filesize
4.2MB

MD5
ccc097e6b96ee1312fd55df2f313b5cc

SHA1
5db6f085bf0929a19ff190058e709b0f331f34d8

SHA256
77f2b7cc4b94e68988cc9628e75b39e5108e5dc418dd6447acbfb867877aea57

SHA512
6113864246bb2f5a07fb73a58313f111356bac896bdafa530486045d92d2909bd21d5e14a7d02e7288a7309036ca7125300b381048e7302f7c9cf975c1cf2f7f

Download Submit