b49f6533c67e19cfc446f4c8cbfabac3e8009fe8e31f9ca6ba4a38c3869b3823

Analysis

Target

FA0900009000.exe
Size

415KB
MD5

f5bbc275c2fe8892a7173cec02b48344
SHA1

fb2bb2d7b845e442418f451dca20a1ca4fc45c5b
SHA256

3bc2abc2f4f8e56df7dcc64602b053f62ade2953d76b6020a21c252cc86a41db
SHA512

ce518ef7add1718ee63d0b7229f9a34a40a8060a21800de5191e5a0ecbbb1b88e6c35fcd795f42c54f9467b546873301470060c5a117bff10dd8fff7e664ff87

Score

7^/10

Loads dropped DLL 1 IoCs

Processes:

FA0900009000.exe

pid process

668 FA0900009000.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

FA0900009000.exe

description pid process target process

PID 668 set thread context of 3048 668 FA0900009000.exe FA0900009000.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

FA0900009000.exe

pid process

668 FA0900009000.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

FA0900009000.exe

pid process

3048 FA0900009000.exe

pid	process
668	FA0900009000.exe

description	pid	process	target process
PID 668 set thread context of 3048	668	FA0900009000.exe	FA0900009000.exe

pid	process
668	FA0900009000.exe

pid	process
3048	FA0900009000.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

FA0900009000.exe

description	pid	process	target process
PID 668 wrote to memory of 3048	668	FA0900009000.exe	FA0900009000.exe
PID 668 wrote to memory of 3048	668	FA0900009000.exe	FA0900009000.exe
PID 668 wrote to memory of 3048	668	FA0900009000.exe	FA0900009000.exe
PID 668 wrote to memory of 3048	668	FA0900009000.exe	FA0900009000.exe

C:\Users\Admin\AppData\Local\Temp\FA0900009000.exe
"C:\Users\Admin\AppData\Local\Temp\FA0900009000.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:3048

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\Users\Admin\AppData\Local\Temp\nsv9487.tmp\bnd3.dll

MD5
2b289ab120d95236da9f742ae16c77c1

SHA1
96807a2b3d9c4fd21cc446fbfef5b564b3a39938

SHA256
239e71634074d7e78af7dca14bbda6f80a67c48be2c6ac7fcdf4d4eba2d2fb8c

SHA512
f20f17b4ea35e6d837db3396bc42457e7f5f412db68bbf993a9e2d1dfc4b6c8908f19c71e4d8d6afea41f27d5f2e230e3ec7ff79ed4ba20947831c1455fa67d4

Download Submit
memory/668-115-0x0000000002750000-0x0000000002773000-memory.dmp

Filesize
140KB

Download
memory/668-116-0x0000000002750000-0x0000000002773000-memory.dmp

Filesize
140KB

Download
memory/3048-117-0x00000000004172EC-mapping.dmp

Download
memory/3048-118-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download