71bb1f2e0a1aecf13985a354d05fb522c85746e08a01a858a4473237a96e85fd

Analysis

Target

Absa.exe
Size

1.1MB
MD5

543b483edf1e71d19b7e2ca64ce9e2d9
SHA1

9c91f6bf2f7d23f288119d95999e107308151f8a
SHA256

71bb1f2e0a1aecf13985a354d05fb522c85746e08a01a858a4473237a96e85fd
SHA512

b0f2111e1a7c6977548b983cfb1abc92b9d2690d04d7c85ef0cde35b869fcac9666163821212088dc90a5afb1c533adf69d7bbc53939caea6996a6187a9006a7

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

wlxuupkxco.pif

pid process

2180 wlxuupkxco.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2180	wlxuupkxco.pif

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Absa.exe

description	pid	process	target process
PID 2204 wrote to memory of 2180	2204	Absa.exe	wlxuupkxco.pif
PID 2204 wrote to memory of 2180	2204	Absa.exe	wlxuupkxco.pif
PID 2204 wrote to memory of 2180	2204	Absa.exe	wlxuupkxco.pif

C:\Users\Admin\AppData\Local\Temp\Absa.exe
"C:\Users\Admin\AppData\Local\Temp\Absa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\59622800\wlxuupkxco.pif
  "C:\Users\Admin\59622800\wlxuupkxco.pif" kkffmheei.hhq
  2⤵
  - Executes dropped EXE
  PID:2180

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\59622800\wlxuupkxco.pif

MD5
8697c9cc411d42f598243797c53bae95

SHA1
efa1efb4b5e463d42d6f496883297b7a47c23796

SHA256
be731b853d1752b83706346f2256d4f2d9e39207f066a0c6876044229b784a8d

SHA512
7982891c8dd3b41e2466f183377f6533981f7d3807eb40105ca996ad080420250fde54ab0710c8cc1adf7a453cc769683e0dff93b825fb7d486cd8bf739c784a

Download Submit
memory/2180-114-0x0000000000000000-mapping.dmp

Download