6a1770e16518fb549c5f6807348c728ad91f82109188ffc704e4668d0919d16f

Analysis

Target

SESIN2107005101.JPG.scr
Size

1.0MB
MD5

4c9cc530b572cc74b0a3f98070209162
SHA1

37b9edc504f4d2a5b2735003decd03981be2a721
SHA256

6a1770e16518fb549c5f6807348c728ad91f82109188ffc704e4668d0919d16f
SHA512

313c70d6acc59684b4c3ac82a89beca47de379323102022e297aa64980046a50bf0dc709560500e316d5b0b729f9a536b718595f79898b8abcc971b50a2f2fa0

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

jmmhvp.pif

pid process

640 jmmhvp.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
640	jmmhvp.pif

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

SESIN2107005101.JPG.scr

description	pid	process	target process
PID 3800 wrote to memory of 640	3800	SESIN2107005101.JPG.scr	jmmhvp.pif
PID 3800 wrote to memory of 640	3800	SESIN2107005101.JPG.scr	jmmhvp.pif
PID 3800 wrote to memory of 640	3800	SESIN2107005101.JPG.scr	jmmhvp.pif

C:\Users\Admin\AppData\Local\Temp\SESIN2107005101.JPG.scr
"C:\Users\Admin\AppData\Local\Temp\SESIN2107005101.JPG.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:3800

C:\Users\Admin\AppData\Roaming\57837738\jmmhvp.pif
"C:\Users\Admin\AppData\Roaming\57837738\jmmhvp.pif" khugi.hel
2⤵
- Executes dropped EXE
PID:640

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Roaming\57837738\jmmhvp.pif
MD5
e1f85da023a9f5784e38a37c16c777e6

SHA1
6623fe6bb1903311cfa96ebdcd25822bc4f221ef

SHA256
f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162

SHA512
28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

Download Submit
memory/640-115-0x0000000000000000-mapping.dmp

Download