99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff

General

Target

99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe
Size

11.7MB
MD5

0013ee610f83b401007adbefef051305
SHA1

f322e18219aa1abd91640b4d2b47fc1992068d16
SHA256

99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff
SHA512

27abdf3bd117cd85e18d633ddcb35586791cc7f41caf9797fdbdc726befd140c8dbd2a3a3a032581f1f20e226b6f29327a6f9892255ab6b69c27d1e13719fe5b

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

difserver.exe

pid process

1508 difserver.exe

pid	process
1508	difserver.exe

Loads dropped DLL 3 IoCs

Processes:

99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exedifserver.exe

pid	process
592	99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe
592	99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe
1508	difserver.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

difserver.exe

pid process

1508 difserver.exe
1508 difserver.exe
1508 difserver.exe
1508 difserver.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

difserver.exe

description pid process

Token: SeDebugPrivilege 1508 difserver.exe
Token: SeShutdownPrivilege 1508 difserver.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

difserver.exe

pid process

1508 difserver.exe
1508 difserver.exe

pid	process
1508	difserver.exe
1508	difserver.exe
1508	difserver.exe
1508	difserver.exe

description	pid	process
Token: SeDebugPrivilege	1508	difserver.exe
Token: SeShutdownPrivilege	1508	difserver.exe

pid	process
1508	difserver.exe
1508	difserver.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe

description	pid	process	target process
PID 592 wrote to memory of 1508	592	99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe	difserver.exe
PID 592 wrote to memory of 1508	592	99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe	difserver.exe
PID 592 wrote to memory of 1508	592	99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe	difserver.exe
PID 592 wrote to memory of 1508	592	99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe	difserver.exe

C:\Users\Admin\AppData\Local\Temp\99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe
"C:\Users\Admin\AppData\Local\Temp\99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592

C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe
"C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe

MD5
ec538ff191a52b5ca9f67ae5d5d56908

SHA1
fb583f5953db1c0397859bb91afd5b0a5f6f366c

SHA256
358211210e0bb34dd77073bb0de64bb80723f3434594caf1a95d0ed164ee87a1

SHA512
ce80b6c4783459da9bead38dd204e5046b046098bf22f4d853a048ed89c20757c7992d4512d83163dcb8f94e0fb45a021b639f5e2323236fece49a7de8c4b787

Download Submit
C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\libfont-0.6.dll

MD5
e653f13bf4b225f1c7dce0e6404fc52a

SHA1
6e2ba578d8c14967a5ff2abbcce67a0e732c43d9

SHA256
ce3758d494132e7bef7ea87bb8379bb9f4b0c82768d65881139e1ec1838f236c

SHA512
96ced8dae8fb070cbc0a476d1a0a50233cc47f56e3621603d06e89db8667f3a611037395be729e075b40406860b80cd0fc0eb22603706845a762e9b15ad75efd

Download Submit
C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\menu.xml

MD5
bacfa288e5c0f18a8f2c94d208d7c760

SHA1
912bd515c26f794cc65fa066ac01216cc7d35893

SHA256
080340cb4ced8a16cad2131dc2ac89e1516d0ebe5507d91b3e8fb341bfcfe7d8

SHA512
329e88c703ede60b537a94cc4b64e890048552de05a4a26530a770ead698644d38c34ece53ee4027ecc994613465cba76d15a5c560d586b3579465bb2e17637a

Download Submit
\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe

MD5
ec538ff191a52b5ca9f67ae5d5d56908

SHA1
fb583f5953db1c0397859bb91afd5b0a5f6f366c

SHA256
358211210e0bb34dd77073bb0de64bb80723f3434594caf1a95d0ed164ee87a1

SHA512
ce80b6c4783459da9bead38dd204e5046b046098bf22f4d853a048ed89c20757c7992d4512d83163dcb8f94e0fb45a021b639f5e2323236fece49a7de8c4b787

Download Submit
\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe

MD5
ec538ff191a52b5ca9f67ae5d5d56908

SHA1
fb583f5953db1c0397859bb91afd5b0a5f6f366c

SHA256
358211210e0bb34dd77073bb0de64bb80723f3434594caf1a95d0ed164ee87a1

SHA512
ce80b6c4783459da9bead38dd204e5046b046098bf22f4d853a048ed89c20757c7992d4512d83163dcb8f94e0fb45a021b639f5e2323236fece49a7de8c4b787

Download Submit
\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\libfont-0.6.dll

MD5
e653f13bf4b225f1c7dce0e6404fc52a

SHA1
6e2ba578d8c14967a5ff2abbcce67a0e732c43d9

SHA256
ce3758d494132e7bef7ea87bb8379bb9f4b0c82768d65881139e1ec1838f236c

SHA512
96ced8dae8fb070cbc0a476d1a0a50233cc47f56e3621603d06e89db8667f3a611037395be729e075b40406860b80cd0fc0eb22603706845a762e9b15ad75efd

Download Submit
memory/592-55-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/592-56-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1508-59-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing