f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Target

[email protected]
Size

1.2MB
MD5

910dd666c83efd3496f21f9f211cdc1f
SHA1

77cd736ee1697beda0ac65da24455ec566ba7440
SHA256

06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45
SHA512

467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

Score

8^/10

ransomware

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3516	avpc2009.exe

Loads dropped DLL 3 IoCs

pid	Process
3516	avpc2009.exe
3516	avpc2009.exe
3516	avpc2009.exe

JavaScript code in executable 2 IoCs

resource	yara_rule
behavioral3/files/0x000100000001abfc-4.dat	js
behavioral3/files/0x000100000001abfc-3.dat	js

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll	[email protected]
File opened for modification	C:\Program Files (x86)\antiviruspc2009\bzip2.dll	[email protected]
File opened for modification	C:\Program Files (x86)\antiviruspc2009\avpc2009.exe	[email protected]
File opened for modification	C:\Program Files (x86)\antiviruspc2009	[email protected]
File created	C:\Program Files (x86)\antiviruspc2009\__tmp_rar_sfx_access_check_259299687	[email protected]
File created	C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll	[email protected]
File opened for modification	C:\Program Files (x86)\antiviruspc2009\libltdl3.dll	[email protected]
File created	C:\Program Files (x86)\antiviruspc2009\bzip2.dll	[email protected]
File created	C:\Program Files (x86)\antiviruspc2009\avpc2009.exe	[email protected]
File created	C:\Program Files (x86)\antiviruspc2009\libltdl3.dll	[email protected]

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3516	avpc2009.exe
3516	avpc2009.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3516	avpc2009.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3516	avpc2009.exe
3516	avpc2009.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 3516	1096	[email protected]	76
PID 1096 wrote to memory of 3516	1096	[email protected]	76
PID 1096 wrote to memory of 3516	1096	[email protected]	76

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
  "C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads