0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927

General

Target

0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe
Size

207KB
MD5

0af7fbb3b5a2a7059555859c4c1db8f9
SHA1

67e96d488538213b16c6c0c599648437a176039a
SHA256

0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927
SHA512

3a2174b9930aab109cba7fba398dca4f4f99bd1fe6a96f6b954bc3d49a9cb2e3e17cf5cbc33d363722f41aabf7e71515b28fa752617c0e882f4e3c6ff1226f5c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

lttfsgn.exe

pid process

4252 lttfsgn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4252	lttfsgn.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exelttfsgn.exe

description	pid	process	target process
PID 4984 wrote to memory of 4252	4984	0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe	lttfsgn.exe
PID 4984 wrote to memory of 4252	4984	0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe	lttfsgn.exe
PID 4984 wrote to memory of 4252	4984	0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe	lttfsgn.exe
PID 4252 wrote to memory of 4200	4252	lttfsgn.exe	lttfsgn.exe
PID 4252 wrote to memory of 4200	4252	lttfsgn.exe	lttfsgn.exe
PID 4252 wrote to memory of 4200	4252	lttfsgn.exe	lttfsgn.exe

C:\Users\Admin\AppData\Local\Temp\0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe
"C:\Users\Admin\AppData\Local\Temp\0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe
  C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe C:\Users\Admin\AppData\Local\Temp\qxeeuj
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe
    C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe C:\Users\Admin\AppData\Local\Temp\qxeeuj
    3⤵
    PID:4200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9sjm3acpe7f5ws

Filesize
103KB

MD5
74682f26d87f1047426bfee935e559c2

SHA1
3fad4b39590a96fc0fdcb202c0d8d68ec79712d8

SHA256
89c2359ae8ca561e67d1279db5303da03f5890f11d1af5aa24e821ff69a03da7

SHA512
bd44841a01278312113d652ddd07384fd53a729d465dc1ca8919471825f94250f0997aed4979174a25461a99bdb48c9acffbc1bc469b16172add2c556e29eeba

Download Submit
C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe

Filesize
133KB

MD5
3c8cea06cad8765aa6bef67fe5d892ab

SHA1
65f56236f5b566974ea2f9bcb83ed56465efef51

SHA256
b9c4263c968b126486680b6e4f47edfa280d82f8df77bab864302312f82d47fc

SHA512
16bbda6cab5d098d0c53674da33985c3eb5723393a40c46f23bce6ef9135b31748f86cf8e5f742ba9c68181b5da91935741e9920d54e6628349ab63f876dac5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe

Filesize
133KB

MD5
3c8cea06cad8765aa6bef67fe5d892ab

SHA1
65f56236f5b566974ea2f9bcb83ed56465efef51

SHA256
b9c4263c968b126486680b6e4f47edfa280d82f8df77bab864302312f82d47fc

SHA512
16bbda6cab5d098d0c53674da33985c3eb5723393a40c46f23bce6ef9135b31748f86cf8e5f742ba9c68181b5da91935741e9920d54e6628349ab63f876dac5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxeeuj

Filesize
4KB

MD5
071ab2ca94d7132ee9c128ae20c80dbe

SHA1
d730e3571bed9e1123610abe7bea405b3e6bcdfb

SHA256
79cc7d5a87c98bc5e842153f52d8280cf091778cd87e4cfe206813324f577602

SHA512
fdfe461020f6c9296df62e478d066c204346f384d94ea890aca4bf59a22df8b39a677176c4a960b5fc85e846da9c54a83ed749b624abf5894b3ef8f0850f749d

Download Submit
memory/4200-135-0x0000000000000000-mapping.dmp

Download
memory/4252-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing