97ba4422534cfd514e9dff46d3fb40efeb33ed2ad0ab29dee8a312453049203d

Analysis

max time kernel
143s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03/04/2023, 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO_Scan Document.exe
Size

433KB
MD5

e3f21a7a4a879db45f6e3feeb8d43c5e
SHA1

2d198951d904596d300933714f24acdcc796fe77
SHA256

97ba4422534cfd514e9dff46d3fb40efeb33ed2ad0ab29dee8a312453049203d
SHA512

5db796f7fe1574646c3de6cabf022eca4db30155f9120c37f73e92e485c5b09e4664bb8a254332474c35a0c4ea3d5ff9ed5f8a74fdea0f3ed4b420c9a0d77288
SSDEEP

6144:vYa6T3YS/vfoY2wXVVfY5Pv8wsD9QkiF2VIBn1AyxhOiMshL3Qlk1OkoyoV3OCcn:vY5XswlVfmPs+ktIB1T7vhhn4Fr+CYt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1964	tjhnnq.exe
980	tjhnnq.exe

Loads dropped DLL 3 IoCs

pid	Process
2000	PO_Scan Document.exe
2000	PO_Scan Document.exe
1964	tjhnnq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 980	1964	tjhnnq.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
980	tjhnnq.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1964	tjhnnq.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
980	tjhnnq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1964	2000	PO_Scan Document.exe	28
PID 2000 wrote to memory of 1964	2000	PO_Scan Document.exe	28
PID 2000 wrote to memory of 1964	2000	PO_Scan Document.exe	28
PID 2000 wrote to memory of 1964	2000	PO_Scan Document.exe	28
PID 1964 wrote to memory of 980	1964	tjhnnq.exe	29
PID 1964 wrote to memory of 980	1964	tjhnnq.exe	29
PID 1964 wrote to memory of 980	1964	tjhnnq.exe	29
PID 1964 wrote to memory of 980	1964	tjhnnq.exe	29
PID 1964 wrote to memory of 980	1964	tjhnnq.exe	29

C:\Users\Admin\AppData\Local\Temp\PO_Scan Document.exe
"C:\Users\Admin\AppData\Local\Temp\PO_Scan Document.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\tjhnnq.exe
  "C:\Users\Admin\AppData\Local\Temp\tjhnnq.exe" C:\Users\Admin\AppData\Local\Temp\iezebs.zxo
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\tjhnnq.exe
    "C:\Users\Admin\AppData\Local\Temp\tjhnnq.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iezebs.zxo

Filesize
5KB

MD5
83e5ccb6cd81eebfa8e66bad63bcde94

SHA1
a26c811d29ae9828cae8b834b41475064b5a709a

SHA256
b6694d8973b3e7ce6743b757523597ac6cc1a7b30c56e8ddc2ca8a8731d11caf

SHA512
c477699ff8e7fbbe3aed887dd344eb7a8e961dc65822a82b090125d0ae6382bf229596afd4380f015d907964e3f850dcb5f2f5cf3e237486ec1c5beb519b7672

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxcajaiefw.uum

Filesize
496KB

MD5
30dba8ef430fe7c6ec4657cfceca7bf9

SHA1
a7cb1ff28fc58340f1388df0b9da3db9572b5404

SHA256
2c412d7854e6d58f9eb59887b8b7106f3df63a892372298f41eec4bed094f43c

SHA512
b3ba18fc592760697777a0eb00247600435f80fb2981c640d13c9ba0aca184470a198c4c1a13c4e093f34691c9dabef0f231a31d1b838b4046f30b1ef11d9fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjhnnq.exe

Filesize
34KB

MD5
2734f85c7824ff0cc4174e3420fd13be

SHA1
655439976de7158592eb74a030b2542219231390

SHA256
6078aaec77239e228fc1bdb7b5c15e4ebd78b03c8905fe2b9aee2b9edac52247

SHA512
66d3a53b5f1a10e1dae36f95b067553496a7437bac0f5eba34574d43cd2052c8b54a01c4c840a77ab3049a9ed45dea095e0e93e045a3eab4bd16e9c0230f01ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjhnnq.exe

Filesize
34KB

MD5
2734f85c7824ff0cc4174e3420fd13be

SHA1
655439976de7158592eb74a030b2542219231390

SHA256
6078aaec77239e228fc1bdb7b5c15e4ebd78b03c8905fe2b9aee2b9edac52247

SHA512
66d3a53b5f1a10e1dae36f95b067553496a7437bac0f5eba34574d43cd2052c8b54a01c4c840a77ab3049a9ed45dea095e0e93e045a3eab4bd16e9c0230f01ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjhnnq.exe

Filesize
34KB

MD5
2734f85c7824ff0cc4174e3420fd13be

SHA1
655439976de7158592eb74a030b2542219231390

SHA256
6078aaec77239e228fc1bdb7b5c15e4ebd78b03c8905fe2b9aee2b9edac52247

SHA512
66d3a53b5f1a10e1dae36f95b067553496a7437bac0f5eba34574d43cd2052c8b54a01c4c840a77ab3049a9ed45dea095e0e93e045a3eab4bd16e9c0230f01ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjhnnq.exe

Filesize
34KB

MD5
2734f85c7824ff0cc4174e3420fd13be

SHA1
655439976de7158592eb74a030b2542219231390

SHA256
6078aaec77239e228fc1bdb7b5c15e4ebd78b03c8905fe2b9aee2b9edac52247

SHA512
66d3a53b5f1a10e1dae36f95b067553496a7437bac0f5eba34574d43cd2052c8b54a01c4c840a77ab3049a9ed45dea095e0e93e045a3eab4bd16e9c0230f01ec

Download Submit
\Users\Admin\AppData\Local\Temp\tjhnnq.exe

Filesize
34KB

MD5
2734f85c7824ff0cc4174e3420fd13be

SHA1
655439976de7158592eb74a030b2542219231390

SHA256
6078aaec77239e228fc1bdb7b5c15e4ebd78b03c8905fe2b9aee2b9edac52247

SHA512
66d3a53b5f1a10e1dae36f95b067553496a7437bac0f5eba34574d43cd2052c8b54a01c4c840a77ab3049a9ed45dea095e0e93e045a3eab4bd16e9c0230f01ec

Download Submit
\Users\Admin\AppData\Local\Temp\tjhnnq.exe

Filesize
34KB

MD5
2734f85c7824ff0cc4174e3420fd13be

SHA1
655439976de7158592eb74a030b2542219231390

SHA256
6078aaec77239e228fc1bdb7b5c15e4ebd78b03c8905fe2b9aee2b9edac52247

SHA512
66d3a53b5f1a10e1dae36f95b067553496a7437bac0f5eba34574d43cd2052c8b54a01c4c840a77ab3049a9ed45dea095e0e93e045a3eab4bd16e9c0230f01ec

Download Submit
\Users\Admin\AppData\Local\Temp\tjhnnq.exe

Filesize
34KB

MD5
2734f85c7824ff0cc4174e3420fd13be

SHA1
655439976de7158592eb74a030b2542219231390

SHA256
6078aaec77239e228fc1bdb7b5c15e4ebd78b03c8905fe2b9aee2b9edac52247

SHA512
66d3a53b5f1a10e1dae36f95b067553496a7437bac0f5eba34574d43cd2052c8b54a01c4c840a77ab3049a9ed45dea095e0e93e045a3eab4bd16e9c0230f01ec

Download Submit
memory/980-78-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/980-86-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/980-73-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/980-76-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/980-77-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/980-91-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/980-79-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/980-80-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/980-81-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/980-82-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/980-83-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/980-84-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/980-85-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/980-69-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/980-87-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/980-88-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/980-89-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/980-90-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1964-66-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download