78b75b6b9d255c96267433936c42e3a66cfe733280483ba5658598cb021786da

Analysis

Target

0900900.exe
Size

189KB
MD5

82720319030a519bddb77537babc8393
SHA1

e42d6c950690189fb24235336f31d7cbcfc65408
SHA256

1048c4ebb7be3641037e402bfcc4e8aa667fc49dc82b9690b96b5ea69dd11e50
SHA512

bbb334f7bd378e18b6091b7c17899792c10ff969eab0eddde190b3c02e72fa89b17ab81d020abee6ffbfcca9eedcd1773e776e2c08f9744aad65139921326793

Score

7^/10

Loads dropped DLL 1 IoCs

Processes:

0900900.exe

pid process

808 0900900.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

0900900.exe

description pid process target process

PID 808 set thread context of 68 808 0900900.exe 0900900.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0900900.exe

pid process

808 0900900.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0900900.exe

pid process

68 0900900.exe

pid	process
808	0900900.exe

description	pid	process	target process
PID 808 set thread context of 68	808	0900900.exe	0900900.exe

pid	process
808	0900900.exe

pid	process
68	0900900.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0900900.exe

description	pid	process	target process
PID 808 wrote to memory of 68	808	0900900.exe	0900900.exe
PID 808 wrote to memory of 68	808	0900900.exe	0900900.exe
PID 808 wrote to memory of 68	808	0900900.exe	0900900.exe
PID 808 wrote to memory of 68	808	0900900.exe	0900900.exe

C:\Users\Admin\AppData\Local\Temp\0900900.exe
"C:\Users\Admin\AppData\Local\Temp\0900900.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:68

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

\Users\Admin\AppData\Local\Temp\nsi73E0.tmp\an1r6lh9q.dll
MD5
875e8216f1a1730eddd41d96d7552c9e

SHA1
f696d42e8f5a06c8ab6faa4fdabd9941ce90f14c

SHA256
1cd1be5bc0ff2da276b8da77dccdf07308771ba66cda97b05d062d8da0e72cf1

SHA512
afa9a2a4b3c0951f02ce14ac93821e642e0e243f64a59d82ffbabe758a1974a9b901925f2d9db65a0fe132eef2e5974cf21eac7da17a0f1261c00857bc8800ec

Download Submit
memory/68-117-0x00000000004172EC-mapping.dmp

Download
memory/68-118-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/808-115-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/808-116-0x0000000002AF1000-0x0000000002AF6000-memory.dmp

Filesize
20KB

Download