fa8f0c50ab3d1ed1aa504d2d281b4805d4e26a440446e791f49eea40000c4a34

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09e37a23dd5f0c538e21b93d88c91d58.exe
Size

17KB
MD5

09e37a23dd5f0c538e21b93d88c91d58
SHA1

6f26b5fc312b5cbeb801902345193fa173bac146
SHA256

fa8f0c50ab3d1ed1aa504d2d281b4805d4e26a440446e791f49eea40000c4a34
SHA512

691dd7a77094d12e36fc303e2de9ac779bcb833ce0ac64427fcf82764b0501c8a35b9b96e8be3846612a0d80fbdf9907cb78b871a638acf8874e3970229b54fa
SSDEEP

192:u+ofuFL1iFkHGPy2gXxmavWHKpYKR0UtH2anpMBoYht4f91B:u+UuN1kg7x9WHkYK5t24ptt7B

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1248	pdfupdate.exe

Loads dropped DLL 1 IoCs

pid	Process
2164	09e37a23dd5f0c538e21b93d88c91d58.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 1248	2164	09e37a23dd5f0c538e21b93d88c91d58.exe	28
PID 2164 wrote to memory of 1248	2164	09e37a23dd5f0c538e21b93d88c91d58.exe	28
PID 2164 wrote to memory of 1248	2164	09e37a23dd5f0c538e21b93d88c91d58.exe	28
PID 2164 wrote to memory of 1248	2164	09e37a23dd5f0c538e21b93d88c91d58.exe	28
PID 2164 wrote to memory of 1248	2164	09e37a23dd5f0c538e21b93d88c91d58.exe	28
PID 2164 wrote to memory of 1248	2164	09e37a23dd5f0c538e21b93d88c91d58.exe	28
PID 2164 wrote to memory of 1248	2164	09e37a23dd5f0c538e21b93d88c91d58.exe	28

C:\Users\Admin\AppData\Local\Temp\09e37a23dd5f0c538e21b93d88c91d58.exe
"C:\Users\Admin\AppData\Local\Temp\09e37a23dd5f0c538e21b93d88c91d58.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\pdfupdate.exe
  "C:\Users\Admin\AppData\Local\Temp\pdfupdate.exe"
  2⤵
  - Executes dropped EXE
  PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pdfupdate.exe

Filesize
7KB

MD5
7f286c27e81c7464030ac4d1d13be658

SHA1
498f3d6669f5eacb11ff00710666ef84b9c182a6

SHA256
7dedd5e52a6c2a85ddc274fe1907efcb2df78eb5e63a53c6185f089849835266

SHA512
21b8f3f95647d561899302d004e18a88302b20874eae3b1ee2dbb539fbe97a8de67efb27944d10bc28f492f633af69ec7a08676ab062414ef210188b75ef9c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfupdate.exe

Filesize
15KB

MD5
48b42edff92580041aac771c6eaeafe7

SHA1
866cb7d591a9fd8cd81b62aa6c617c1e378e38a5

SHA256
9d6ab2a0712191351a7db49e43da367fff0a038e1bc81a49500db4525c455db3

SHA512
ebf5f3031380053f5f94691a4b799d382311a7995886459514196068e0239e6ca1cbf75f00a01fc0c527e94f8f27bc97e0468a21fb446563f6fb3c9e460c8a51

Download Submit
\Users\Admin\AppData\Local\Temp\pdfupdate.exe

Filesize
17KB

MD5
c64cf326312d8cb69c8ef071381f998d

SHA1
2629d1a3bae6707d319721e7c6bc2701b2fca999

SHA256
44a709a4f3079b828fc2a76f175240827e3e2efb6f9a91902f957db16e74ecc8

SHA512
157beaa8ecf8fba0cdead0b890cd85cc727ecb1167e235da28a93236fa05d20f6de58fa85829d5cdfeea92f18b44283613ad607dfd6f9e0278c68da4902dd7b8

Download Submit
memory/1248-8-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/2164-1-0x0000000001290000-0x0000000001298000-memory.dmp

Filesize
32KB

Download