99ea2034d76477e11983afe0aee3d54f871a926918ca4e766e5b0df5f5254364

General

Target

99ea2034d76477e11983afe0aee3d54f871a926918ca4e766e5b0df5f5254364.exe
Size

3.9MB
MD5

df2de903ee38ab89ce424656ec5e85e4
SHA1

4a4417e38ce7a8a098c3f09e318783fd5821e8ee
SHA256

99ea2034d76477e11983afe0aee3d54f871a926918ca4e766e5b0df5f5254364
SHA512

9ffd0259e14b9685b362adb28c0f147a47dc920e3691e7163ce9c38be00f717d99b29c9918ca339f300761d06edf9b88ddc6f33ec83bc009e32a1543224a2a38

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

Alex.exe

pid process

280 Alex.exe

pid	process
280	Alex.exe

Loads dropped DLL 5 IoCs

Processes:

99ea2034d76477e11983afe0aee3d54f871a926918ca4e766e5b0df5f5254364.exeAlex.exe

pid	process
1280	99ea2034d76477e11983afe0aee3d54f871a926918ca4e766e5b0df5f5254364.exe
1280	99ea2034d76477e11983afe0aee3d54f871a926918ca4e766e5b0df5f5254364.exe
1280	99ea2034d76477e11983afe0aee3d54f871a926918ca4e766e5b0df5f5254364.exe
1280	99ea2034d76477e11983afe0aee3d54f871a926918ca4e766e5b0df5f5254364.exe
280	Alex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1632 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1632 taskkill.exe

pid	process
1632	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1632	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

99ea2034d76477e11983afe0aee3d54f871a926918ca4e766e5b0df5f5254364.exeAlex.execmd.exe

description	pid	process	target process
PID 1280 wrote to memory of 280	1280	99ea2034d76477e11983afe0aee3d54f871a926918ca4e766e5b0df5f5254364.exe	Alex.exe
PID 1280 wrote to memory of 280	1280	99ea2034d76477e11983afe0aee3d54f871a926918ca4e766e5b0df5f5254364.exe	Alex.exe
PID 1280 wrote to memory of 280	1280	99ea2034d76477e11983afe0aee3d54f871a926918ca4e766e5b0df5f5254364.exe	Alex.exe
PID 1280 wrote to memory of 280	1280	99ea2034d76477e11983afe0aee3d54f871a926918ca4e766e5b0df5f5254364.exe	Alex.exe
PID 280 wrote to memory of 1448	280	Alex.exe	cmd.exe
PID 280 wrote to memory of 1448	280	Alex.exe	cmd.exe
PID 280 wrote to memory of 1448	280	Alex.exe	cmd.exe
PID 280 wrote to memory of 1448	280	Alex.exe	cmd.exe
PID 1448 wrote to memory of 1632	1448	cmd.exe	taskkill.exe
PID 1448 wrote to memory of 1632	1448	cmd.exe	taskkill.exe
PID 1448 wrote to memory of 1632	1448	cmd.exe	taskkill.exe
PID 1448 wrote to memory of 1632	1448	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\99ea2034d76477e11983afe0aee3d54f871a926918ca4e766e5b0df5f5254364.exe
"C:\Users\Admin\AppData\Local\Temp\99ea2034d76477e11983afe0aee3d54f871a926918ca4e766e5b0df5f5254364.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Alex.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Alex.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "TASKKILL /F /IM explorer.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /IM explorer.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1632

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Alex.exe
Filesize
2.7MB

MD5
fe7f4b6bfe992e2e484ee57844c3d9f4

SHA1
778105f9db1966fd7e3a296fac5bbb93bc2bea24

SHA256
f2c8c8b9b3e29602c4d776fa471c7f6a26f72a19ab07da3646fa339cb32b1fec

SHA512
63d0211d27bf264f4e98ec098a900ea97351b023d23985961143f9363800557e7aafa98c801094a425b23282005bc6e9e36d4cb4773474d7b103ade6494f1d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Alex.exe
Filesize
2.7MB

MD5
fe7f4b6bfe992e2e484ee57844c3d9f4

SHA1
778105f9db1966fd7e3a296fac5bbb93bc2bea24

SHA256
f2c8c8b9b3e29602c4d776fa471c7f6a26f72a19ab07da3646fa339cb32b1fec

SHA512
63d0211d27bf264f4e98ec098a900ea97351b023d23985961143f9363800557e7aafa98c801094a425b23282005bc6e9e36d4cb4773474d7b103ade6494f1d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\php5ts.dll
Filesize
6.5MB

MD5
c9aff68f6673fae7580527e8c76805b6

SHA1
bb62cc1db82cfe07a8c08a36446569dfc9c76d10

SHA256
9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4

SHA512
c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Alex.exe
Filesize
2.7MB

MD5
fe7f4b6bfe992e2e484ee57844c3d9f4

SHA1
778105f9db1966fd7e3a296fac5bbb93bc2bea24

SHA256
f2c8c8b9b3e29602c4d776fa471c7f6a26f72a19ab07da3646fa339cb32b1fec

SHA512
63d0211d27bf264f4e98ec098a900ea97351b023d23985961143f9363800557e7aafa98c801094a425b23282005bc6e9e36d4cb4773474d7b103ade6494f1d79

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Alex.exe
Filesize
2.7MB

MD5
fe7f4b6bfe992e2e484ee57844c3d9f4

SHA1
778105f9db1966fd7e3a296fac5bbb93bc2bea24

SHA256
f2c8c8b9b3e29602c4d776fa471c7f6a26f72a19ab07da3646fa339cb32b1fec

SHA512
63d0211d27bf264f4e98ec098a900ea97351b023d23985961143f9363800557e7aafa98c801094a425b23282005bc6e9e36d4cb4773474d7b103ade6494f1d79

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Alex.exe
Filesize
2.7MB

MD5
fe7f4b6bfe992e2e484ee57844c3d9f4

SHA1
778105f9db1966fd7e3a296fac5bbb93bc2bea24

SHA256
f2c8c8b9b3e29602c4d776fa471c7f6a26f72a19ab07da3646fa339cb32b1fec

SHA512
63d0211d27bf264f4e98ec098a900ea97351b023d23985961143f9363800557e7aafa98c801094a425b23282005bc6e9e36d4cb4773474d7b103ade6494f1d79

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Alex.exe
Filesize
2.7MB

MD5
fe7f4b6bfe992e2e484ee57844c3d9f4

SHA1
778105f9db1966fd7e3a296fac5bbb93bc2bea24

SHA256
f2c8c8b9b3e29602c4d776fa471c7f6a26f72a19ab07da3646fa339cb32b1fec

SHA512
63d0211d27bf264f4e98ec098a900ea97351b023d23985961143f9363800557e7aafa98c801094a425b23282005bc6e9e36d4cb4773474d7b103ade6494f1d79

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\php5ts.dll
Filesize
6.5MB

MD5
c9aff68f6673fae7580527e8c76805b6

SHA1
bb62cc1db82cfe07a8c08a36446569dfc9c76d10

SHA256
9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4

SHA512
c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

Download Submit
memory/280-59-0x0000000000000000-mapping.dmp

Download
memory/1280-54-0x00000000756E1000-0x00000000756E3000-memory.dmp

Filesize
8KB

Download
memory/1448-65-0x0000000000000000-mapping.dmp

Download
memory/1632-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing