74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca

General

Target

74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe
Size

611KB
MD5

69a643800f737f841917023ae7ee9b34
SHA1

effda16b763f8d6fd4f2baf7779367eabf9678ec
SHA256

74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca
SHA512

543bf57d7815be8074dd04435da1e5a460934a61b633a5a32d8b60851c7d447e5ce163a2c89d0ad91bd9884c9315df611ff31b8d3ba4dad262f74cbe768c264c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

لحلحرطلرطلتداك.exe

pid process

416 لحلحرطلرطلتداك.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
416	لحلحرطلرطلتداك.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exeلحلحرطلرطلتداك.exe

pid	process
3516	74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe
3516	74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe
416	لحلحرطلرطلتداك.exe
416	لحلحرطلرطلتداك.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exeلحلحرطلرطلتداك.exe

description	pid	process	target process
PID 3516 wrote to memory of 416	3516	74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe	لحلحرطلرطلتداك.exe
PID 3516 wrote to memory of 416	3516	74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe	لحلحرطلرطلتداك.exe
PID 3516 wrote to memory of 416	3516	74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe	لحلحرطلرطلتداك.exe
PID 416 wrote to memory of 4264	416	لحلحرطلرطلتداك.exe	svchost.exe
PID 416 wrote to memory of 4264	416	لحلحرطلرطلتداك.exe	svchost.exe
PID 416 wrote to memory of 4264	416	لحلحرطلرطلتداك.exe	svchost.exe
PID 416 wrote to memory of 4264	416	لحلحرطلرطلتداك.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe
"C:\Users\Admin\AppData\Local\Temp\74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3516

C:\ProgramData\لحلحرطلرطلتداك.exe
"C:\ProgramData\لحلحرطلرطلتداك.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\لحلحرطلرطلتداك.exe
MD5
69a643800f737f841917023ae7ee9b34

SHA1
effda16b763f8d6fd4f2baf7779367eabf9678ec

SHA256
74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca

SHA512
543bf57d7815be8074dd04435da1e5a460934a61b633a5a32d8b60851c7d447e5ce163a2c89d0ad91bd9884c9315df611ff31b8d3ba4dad262f74cbe768c264c

Download Submit
C:\ProgramData\لحلحرطلرطلتداك.exe
MD5
69a643800f737f841917023ae7ee9b34

SHA1
effda16b763f8d6fd4f2baf7779367eabf9678ec

SHA256
74851f7bc1fc7c89b7a0ebde6ccd00a40d025dc74eab44a9280ee92c5a0bb6ca

SHA512
543bf57d7815be8074dd04435da1e5a460934a61b633a5a32d8b60851c7d447e5ce163a2c89d0ad91bd9884c9315df611ff31b8d3ba4dad262f74cbe768c264c

Download Submit
memory/416-122-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4264-125-0x000002A0A5810000-0x000002A0A582E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing