f7e9080ca25ee0e68a9f7b1557dd8e5ebed57777c83186742ab3489706c30b21

General

Target

tmp.exe
Size

3.8MB
MD5

af472706053409a5478d0fe3a71c601b
SHA1

b4226313a464857f5a5ee2bc7ba976c23ee44729
SHA256

f7e9080ca25ee0e68a9f7b1557dd8e5ebed57777c83186742ab3489706c30b21
SHA512

5a23bd12d8eefdf06203c9d7fce9efa95092159f084cae79d27811699c21067783d7afe5350cbf2a26e0852d8bb009b5656b5e672a40b6bbe872b6d5283eb1ed

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmp.tmp

pid process

908 tmp.tmp
Loads dropped DLL 4 IoCs

Processes:

tmp.exetmp.tmp

pid process

1488 tmp.exe
908 tmp.tmp
908 tmp.tmp
908 tmp.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tmp.tmp

pid process

908 tmp.tmp
908 tmp.tmp
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tmp.tmp

description pid process

Token: SeDebugPrivilege 908 tmp.tmp
Token: SeDebugPrivilege 908 tmp.tmp

pid	process
908	tmp.tmp

pid	process
1488	tmp.exe
908	tmp.tmp
908	tmp.tmp
908	tmp.tmp

pid	process
908	tmp.tmp
908	tmp.tmp

description	pid	process
Token: SeDebugPrivilege	908	tmp.tmp
Token: SeDebugPrivilege	908	tmp.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

tmp.exetmp.tmpnet.exe

description	pid	process	target process
PID 1488 wrote to memory of 908	1488	tmp.exe	tmp.tmp
PID 1488 wrote to memory of 908	1488	tmp.exe	tmp.tmp
PID 1488 wrote to memory of 908	1488	tmp.exe	tmp.tmp
PID 1488 wrote to memory of 908	1488	tmp.exe	tmp.tmp
PID 1488 wrote to memory of 908	1488	tmp.exe	tmp.tmp
PID 1488 wrote to memory of 908	1488	tmp.exe	tmp.tmp
PID 1488 wrote to memory of 908	1488	tmp.exe	tmp.tmp
PID 908 wrote to memory of 936	908	tmp.tmp	net.exe
PID 908 wrote to memory of 936	908	tmp.tmp	net.exe
PID 908 wrote to memory of 936	908	tmp.tmp	net.exe
PID 908 wrote to memory of 936	908	tmp.tmp	net.exe
PID 936 wrote to memory of 1984	936	net.exe	net1.exe
PID 936 wrote to memory of 1984	936	net.exe	net1.exe
PID 936 wrote to memory of 1984	936	net.exe	net1.exe
PID 936 wrote to memory of 1984	936	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\is-26KBT.tmp\tmp.tmp
"C:\Users\Admin\AppData\Local\Temp\is-26KBT.tmp\tmp.tmp" /SL5="$60124,3722629,56832,C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop routerService
3⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop routerService
4⤵
PID:1984

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-26KBT.tmp\tmp.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
\Users\Admin\AppData\Local\Temp\is-1GUBP.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-1GUBP.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-1GUBP.tmp\uninstall.dll
Filesize
375KB

MD5
5efac3416a1e01008e3b3fe3f0cc17f5

SHA1
f803065bf98b7f7449897f90ae666ad0cd8a9e4b

SHA256
81816fcbaa62d9a89bf27ab2e2eb0b3fe0201f83d2139fda491708e7456ab0ba

SHA512
ce90b01e2696156743527be8bb5f098a748d405a9b6f783c41d5f0c2b312d7945d9bb4dc95c5504e7795ec348ad7ec0697f9ff2ed3495256340714be1e6733fe

Download Submit
\Users\Admin\AppData\Local\Temp\is-26KBT.tmp\tmp.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
memory/908-58-0x0000000000000000-mapping.dmp

Download
memory/936-64-0x0000000000000000-mapping.dmp

Download
memory/1488-54-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download
memory/1488-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1488-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1984-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing