d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234

General

Target

d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
Size

3.0MB
MD5

c8eeac24eca23bd1df10b02d5430432d
SHA1

39194c57c0488eca2ca7600d03783f6df4957688
SHA256

d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234
SHA512

e67f30c7bdac4b57cdad769b332b586a25c8d95fd0361a90986fad1e5ee2746b4a67c6a74defadf92a2499f6b5fb7b7a26057a5148ad270e45bacd366419f94f

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
740	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
604	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
604	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
604	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
604	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
604	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
604	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 740	1660	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe	27
PID 1660 wrote to memory of 740	1660	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe	27
PID 1660 wrote to memory of 740	1660	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe	27
PID 1660 wrote to memory of 740	1660	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe	27
PID 1660 wrote to memory of 604	1660	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe	28
PID 1660 wrote to memory of 604	1660	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe	28
PID 1660 wrote to memory of 604	1660	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe	28
PID 1660 wrote to memory of 604	1660	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe	28

C:\Users\Admin\AppData\Local\Temp\d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
"C:\Users\Admin\AppData\Local\Temp\d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
  "C:\Users\Admin\AppData\Local\Temp\d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:740
- C:\Users\Admin\AppData\Local\Temp\d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
  "C:\Users\Admin\AppData\Local\Temp\d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/604-84-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/604-81-0x00000000002B0000-0x0000000000EE5000-memory.dmp

Filesize
12.2MB

Download
memory/604-76-0x00000000002B0000-0x0000000000EE5000-memory.dmp

Filesize
12.2MB

Download
memory/740-74-0x00000000002B0000-0x0000000000EE5000-memory.dmp

Filesize
12.2MB

Download
memory/740-79-0x00000000002B0000-0x0000000000EE5000-memory.dmp

Filesize
12.2MB

Download
memory/1660-61-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1660-70-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/1660-67-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/1660-66-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/1660-65-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/1660-64-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/1660-63-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/1660-72-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/1660-69-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/1660-68-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/1660-71-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/1660-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download
memory/1660-62-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/1660-59-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1660-60-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/1660-58-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1660-57-0x00000000002B0000-0x0000000000EE5000-memory.dmp

Filesize
12.2MB

Download
memory/1660-55-0x00000000002B0000-0x0000000000EE5000-memory.dmp

Filesize
12.2MB

Download

Analysis

Sharing