1c10a7cf57b58de1cb5d0a6e1369a2cf5dd74fc1593c45b991dde7605ff01486

General

Target

feedback_form.exe
Size

1.9MB
MD5

5431a710d8a0c6bc319125ea7c40efd1
SHA1

ae52c3ea465ced7137948a7be6630231affb94a0
SHA256

1c10a7cf57b58de1cb5d0a6e1369a2cf5dd74fc1593c45b991dde7605ff01486
SHA512

80910c4f85f680877cf59a5ceaea703a459636dd9e473febff1d35c3c0dc5405099ce604b0a9b98847b78b0b7b550b007fdb19a2ed7ab08f9587fdb30724d727

Score

7^/10

ransomware

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Protogent.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Protogent.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 46 IoCs

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 3948	740	feedback_form.exe	76
PID 740 wrote to memory of 3948	740	feedback_form.exe	76
PID 740 wrote to memory of 3948	740	feedback_form.exe	76
PID 740 wrote to memory of 192	740	feedback_form.exe	77
PID 740 wrote to memory of 192	740	feedback_form.exe	77
PID 740 wrote to memory of 192	740	feedback_form.exe	77
PID 740 wrote to memory of 204	740	feedback_form.exe	78
PID 740 wrote to memory of 204	740	feedback_form.exe	78
PID 740 wrote to memory of 204	740	feedback_form.exe	78
PID 740 wrote to memory of 204	740	feedback_form.exe	78
PID 740 wrote to memory of 204	740	feedback_form.exe	78
PID 740 wrote to memory of 204	740	feedback_form.exe	78
PID 740 wrote to memory of 204	740	feedback_form.exe	78
PID 740 wrote to memory of 204	740	feedback_form.exe	78
PID 740 wrote to memory of 204	740	feedback_form.exe	78
PID 740 wrote to memory of 204	740	feedback_form.exe	78
PID 740 wrote to memory of 204	740	feedback_form.exe	78
PID 740 wrote to memory of 204	740	feedback_form.exe	78

C:\Users\Admin\AppData\Local\Temp\feedback_form.exe
"C:\Users\Admin\AppData\Local\Temp\feedback_form.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Users\Admin\AppData\Local\Temp\feedback_form.exe"
  2⤵
  PID:3948
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Users\Admin\AppData\Local\Temp\feedback_form.exe"
  2⤵
  PID:192
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Users\Admin\AppData\Local\Temp\feedback_form.exe"
  2⤵
  PID:204

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:2912

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/740-2-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/740-3-0x00000000025A0000-0x000000000261B000-memory.dmp

Filesize
492KB

Download
memory/740-9-0x0000000002AA0000-0x0000000002C2E000-memory.dmp

Filesize
1.6MB

Download