a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8

General

Target

a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exe
Size

208KB
MD5

7d230009eab36798f73226c3adc7ac8e
SHA1

fb28cf281513100854474137becbece52f8964cb
SHA256

a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8
SHA512

e3d3fa3093c93d0c3e9e2970242765cb9875f64508815d93acd410efdf564481bba41c454409fc847a2cdf8bcfe70ab2f4277b3e4b8964927baa6a0dbafabff5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

anseamh.exe

pid process

3788 anseamh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3788	anseamh.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exeanseamh.exe

description	pid	process	target process
PID 1232 wrote to memory of 3788	1232	a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exe	anseamh.exe
PID 1232 wrote to memory of 3788	1232	a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exe	anseamh.exe
PID 1232 wrote to memory of 3788	1232	a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exe	anseamh.exe
PID 3788 wrote to memory of 1512	3788	anseamh.exe	anseamh.exe
PID 3788 wrote to memory of 1512	3788	anseamh.exe	anseamh.exe
PID 3788 wrote to memory of 1512	3788	anseamh.exe	anseamh.exe

C:\Users\Admin\AppData\Local\Temp\a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exe
"C:\Users\Admin\AppData\Local\Temp\a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\anseamh.exe
  C:\Users\Admin\AppData\Local\Temp\anseamh.exe C:\Users\Admin\AppData\Local\Temp\qblysgjfpo
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Users\Admin\AppData\Local\Temp\anseamh.exe
    C:\Users\Admin\AppData\Local\Temp\anseamh.exe C:\Users\Admin\AppData\Local\Temp\qblysgjfpo
    3⤵
    PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9rslrai5az688

Filesize
103KB

MD5
fa6e53be9ad46836ae678f76d5c9d556

SHA1
89a1f44d1acb2b9e5ff6b6e566ed347d05b52249

SHA256
a1766a96cdc1c18b2d7a8963198ae804e217f13f032faff99d0d62e47310749c

SHA512
daea6fcc09dbdd65c73151c3f5cc9485daa06e5833e68c71c7255a669863f1b1df6e8e17d7ab95f8eb9d0586827ef1cbc1b3eca8f29201aa5531c98094ab9e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\anseamh.exe

Filesize
133KB

MD5
5bb156f3c2fed3035add800f5dfa3af3

SHA1
6c07d16ea59e45600c76054cddd9286e45ce4d83

SHA256
6ce07bdf41b21d46e1be13833670acd47443180b154285c943906012b21ca683

SHA512
68723d06a8c917f14069387274e1cad98d10aa67dbb2dfa8ebd43e579387ba35bde830ee4be616abc9b38fa6a5d81a9ccecc1e06448d8bc4492529d19aa06330

Download Submit
C:\Users\Admin\AppData\Local\Temp\anseamh.exe

Filesize
133KB

MD5
5bb156f3c2fed3035add800f5dfa3af3

SHA1
6c07d16ea59e45600c76054cddd9286e45ce4d83

SHA256
6ce07bdf41b21d46e1be13833670acd47443180b154285c943906012b21ca683

SHA512
68723d06a8c917f14069387274e1cad98d10aa67dbb2dfa8ebd43e579387ba35bde830ee4be616abc9b38fa6a5d81a9ccecc1e06448d8bc4492529d19aa06330

Download Submit
C:\Users\Admin\AppData\Local\Temp\qblysgjfpo

Filesize
5KB

MD5
b39681d19fe532be0d5fc83eae8b84a6

SHA1
9c8801c5f1f5e2a4a81de6a09dc0616745515c93

SHA256
1c4d28881dd63751e50718e0e06dfd7fa2350de641b4f3685ee83625b25811d8

SHA512
fd4af9286abd1e6cfe36078d0e6725c3fc9cc83283c5a7a466ae33eac408580d8a2f87a0c4acefa52597558c4ac8d1d2ee4714ff523cfa109c6ad706416475ea

Download Submit
memory/1512-135-0x0000000000000000-mapping.dmp

Download
memory/3788-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing