97ba4422534cfd514e9dff46d3fb40efeb33ed2ad0ab29dee8a312453049203d

General

Target

PO_Scan Document.exe
Size

433KB
MD5

e3f21a7a4a879db45f6e3feeb8d43c5e
SHA1

2d198951d904596d300933714f24acdcc796fe77
SHA256

97ba4422534cfd514e9dff46d3fb40efeb33ed2ad0ab29dee8a312453049203d
SHA512

5db796f7fe1574646c3de6cabf022eca4db30155f9120c37f73e92e485c5b09e4664bb8a254332474c35a0c4ea3d5ff9ed5f8a74fdea0f3ed4b420c9a0d77288
SSDEEP

6144:vYa6T3YS/vfoY2wXVVfY5Pv8wsD9QkiF2VIBn1AyxhOiMshL3Qlk1OkoyoV3OCcn:vY5XswlVfmPs+ktIB1T7vhhn4Fr+CYt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1444	tjhnnq.exe
2636	tjhnnq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1444 set thread context of 2636	1444	tjhnnq.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2636	tjhnnq.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1444	tjhnnq.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2636	tjhnnq.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 1444	4380	PO_Scan Document.exe	84
PID 4380 wrote to memory of 1444	4380	PO_Scan Document.exe	84
PID 4380 wrote to memory of 1444	4380	PO_Scan Document.exe	84
PID 1444 wrote to memory of 2636	1444	tjhnnq.exe	85
PID 1444 wrote to memory of 2636	1444	tjhnnq.exe	85
PID 1444 wrote to memory of 2636	1444	tjhnnq.exe	85
PID 1444 wrote to memory of 2636	1444	tjhnnq.exe	85

C:\Users\Admin\AppData\Local\Temp\PO_Scan Document.exe
"C:\Users\Admin\AppData\Local\Temp\PO_Scan Document.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Users\Admin\AppData\Local\Temp\tjhnnq.exe
  "C:\Users\Admin\AppData\Local\Temp\tjhnnq.exe" C:\Users\Admin\AppData\Local\Temp\iezebs.zxo
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\tjhnnq.exe
    "C:\Users\Admin\AppData\Local\Temp\tjhnnq.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iezebs.zxo

Filesize
5KB

MD5
83e5ccb6cd81eebfa8e66bad63bcde94

SHA1
a26c811d29ae9828cae8b834b41475064b5a709a

SHA256
b6694d8973b3e7ce6743b757523597ac6cc1a7b30c56e8ddc2ca8a8731d11caf

SHA512
c477699ff8e7fbbe3aed887dd344eb7a8e961dc65822a82b090125d0ae6382bf229596afd4380f015d907964e3f850dcb5f2f5cf3e237486ec1c5beb519b7672

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxcajaiefw.uum

Filesize
496KB

MD5
30dba8ef430fe7c6ec4657cfceca7bf9

SHA1
a7cb1ff28fc58340f1388df0b9da3db9572b5404

SHA256
2c412d7854e6d58f9eb59887b8b7106f3df63a892372298f41eec4bed094f43c

SHA512
b3ba18fc592760697777a0eb00247600435f80fb2981c640d13c9ba0aca184470a198c4c1a13c4e093f34691c9dabef0f231a31d1b838b4046f30b1ef11d9fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjhnnq.exe

Filesize
34KB

MD5
2734f85c7824ff0cc4174e3420fd13be

SHA1
655439976de7158592eb74a030b2542219231390

SHA256
6078aaec77239e228fc1bdb7b5c15e4ebd78b03c8905fe2b9aee2b9edac52247

SHA512
66d3a53b5f1a10e1dae36f95b067553496a7437bac0f5eba34574d43cd2052c8b54a01c4c840a77ab3049a9ed45dea095e0e93e045a3eab4bd16e9c0230f01ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjhnnq.exe

Filesize
34KB

MD5
2734f85c7824ff0cc4174e3420fd13be

SHA1
655439976de7158592eb74a030b2542219231390

SHA256
6078aaec77239e228fc1bdb7b5c15e4ebd78b03c8905fe2b9aee2b9edac52247

SHA512
66d3a53b5f1a10e1dae36f95b067553496a7437bac0f5eba34574d43cd2052c8b54a01c4c840a77ab3049a9ed45dea095e0e93e045a3eab4bd16e9c0230f01ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjhnnq.exe

Filesize
34KB

MD5
2734f85c7824ff0cc4174e3420fd13be

SHA1
655439976de7158592eb74a030b2542219231390

SHA256
6078aaec77239e228fc1bdb7b5c15e4ebd78b03c8905fe2b9aee2b9edac52247

SHA512
66d3a53b5f1a10e1dae36f95b067553496a7437bac0f5eba34574d43cd2052c8b54a01c4c840a77ab3049a9ed45dea095e0e93e045a3eab4bd16e9c0230f01ec

Download Submit
memory/1444-140-0x00000000005A0000-0x00000000005A2000-memory.dmp

Filesize
8KB

Download
memory/2636-153-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-156-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-149-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-150-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-151-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-152-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-142-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-154-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-155-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-146-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-157-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-158-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-159-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-160-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-161-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-162-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-163-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2636-164-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing