3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133

General

Target

3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe
Size

18.6MB
MD5

3855b55599f63e6ea548f4f67db30337
SHA1

020f554ff1e5609ce093b74e840a6cb1890d22da
SHA256

3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133
SHA512

cf72283103c55a68ebc9da25446c1a5d0c2111610901b11bbfae13f707b08a9a24eee9772c6b5e045d001d5248d535352debc7d37ed096590737f0e42a9189a8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1256	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp
1156	RdrVmpUninstall32.exe
1668	topoedit.exe
1412	accevent.exe

Loads dropped DLL 6 IoCs

pid	Process
1776	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe
1256	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp
1256	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp
1412	accevent.exe
1412	accevent.exe
1412	accevent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Accessibility\Blind Access\On = "1"	accevent.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1412	accevent.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1256	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp
1256	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1256	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1256	1776	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe	27
PID 1776 wrote to memory of 1256	1776	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe	27
PID 1776 wrote to memory of 1256	1776	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe	27
PID 1776 wrote to memory of 1256	1776	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe	27
PID 1776 wrote to memory of 1256	1776	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe	27
PID 1776 wrote to memory of 1256	1776	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe	27
PID 1776 wrote to memory of 1256	1776	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe	27
PID 1256 wrote to memory of 1156	1256	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	28
PID 1256 wrote to memory of 1156	1256	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	28
PID 1256 wrote to memory of 1156	1256	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	28
PID 1256 wrote to memory of 1156	1256	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	28
PID 1256 wrote to memory of 1156	1256	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	28
PID 1256 wrote to memory of 1156	1256	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	28
PID 1256 wrote to memory of 1156	1256	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	28
PID 1256 wrote to memory of 1412	1256	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	31
PID 1256 wrote to memory of 1412	1256	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	31
PID 1256 wrote to memory of 1412	1256	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	31
PID 1256 wrote to memory of 1412	1256	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	31

C:\Users\Admin\AppData\Local\Temp\3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe
"C:\Users\Admin\AppData\Local\Temp\3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\is-T2BIR.tmp\3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-T2BIR.tmp\3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp" /SL5="$40108,18615131,780800,C:\Users\Admin\AppData\Local\Temp\3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Users\Admin\AppData\Roaming\GSA Search Engine Ranker\RdrVmpUninstall32.exe
    "C:\Users\Admin\AppData\Roaming\GSA Search Engine Ranker\RdrVmpUninstall32.exe"
    3⤵
    - Executes dropped EXE
    PID:1156
- - C:\Users\Admin\AppData\Roaming\GSA Search Engine Ranker\topoedit.exe
    "C:\Users\Admin\AppData\Roaming\GSA Search Engine Ranker\topoedit.exe"
    3⤵
    - Executes dropped EXE
    PID:1668
- - C:\Users\Admin\AppData\Roaming\GSA Search Engine Ranker\accevent.exe
    "C:\Users\Admin\AppData\Roaming\GSA Search Engine Ranker\accevent.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Control Panel
    - Suspicious behavior: AddClipboardFormatListener
    PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-62-0x0000000074D71000-0x0000000074D73000-memory.dmp

Filesize
8KB

Download
memory/1256-63-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1776-55-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1776-54-0x0000000076C61000-0x0000000076C63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing