e17bfb8370c8badf90756f650e1be4794e77a57abb3619c30789364756304759

General

Target

c6e799eeeba0345de98b4e9a6ac76b82.exe
Size

292KB
MD5

c6e799eeeba0345de98b4e9a6ac76b82
SHA1

268bafbd996997350d32521a0012602960c5d004
SHA256

e17bfb8370c8badf90756f650e1be4794e77a57abb3619c30789364756304759
SHA512

b229294931fe70480a7cb0937b33311fa838e5b5f1ac880a1e8fd06b67ddee6c4b691d9a0d93004be86deba5300faf55511cd910fad56f89c4e79b5eead6f681

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

dvukljmnr.exe

pid process

768 dvukljmnr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
768	dvukljmnr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c6e799eeeba0345de98b4e9a6ac76b82.exedvukljmnr.exe

description	pid	process	target process
PID 5020 wrote to memory of 768	5020	c6e799eeeba0345de98b4e9a6ac76b82.exe	dvukljmnr.exe
PID 5020 wrote to memory of 768	5020	c6e799eeeba0345de98b4e9a6ac76b82.exe	dvukljmnr.exe
PID 5020 wrote to memory of 768	5020	c6e799eeeba0345de98b4e9a6ac76b82.exe	dvukljmnr.exe
PID 768 wrote to memory of 2504	768	dvukljmnr.exe	dvukljmnr.exe
PID 768 wrote to memory of 2504	768	dvukljmnr.exe	dvukljmnr.exe
PID 768 wrote to memory of 2504	768	dvukljmnr.exe	dvukljmnr.exe

C:\Users\Admin\AppData\Local\Temp\c6e799eeeba0345de98b4e9a6ac76b82.exe
"C:\Users\Admin\AppData\Local\Temp\c6e799eeeba0345de98b4e9a6ac76b82.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe
  C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe C:\Users\Admin\AppData\Local\Temp\xxsjdcnfw
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe
    C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe C:\Users\Admin\AppData\Local\Temp\xxsjdcnfw
    3⤵
    PID:2504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4qh31ayyhk84s8sjtofn

Filesize
184KB

MD5
17179b4032c3411541c24ca24c8c9aae

SHA1
13f54b0c026b6c7e53aa94df8f73fa24ecaa0393

SHA256
b82ca9a52d0ac42aeb246ed7fa0fd7f95c6248f6684b1ab8e6d973ee934ce0b9

SHA512
6127e76eec4d121be3ee8a45da44220a33ac57924255738f80edab3b92a7fd7d8f002779fa0f3296f3b795671767853e49dd2642eb43419e373284bfbd8b0201

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe

Filesize
187KB

MD5
9cecb9e88c1ff3d7a4ffc8bfeb27c2e1

SHA1
63223ba95bfa3bf5c33b2fa08376afc90b35465e

SHA256
78c9548a33abd68ed553bb2a48166afd21041b9d868a0373e4a11b93409db049

SHA512
be4365f78f9da5d3ab920100debf9a23f94101c5482db6fbb8708913006483df0a6dc882baac4d11eb942b464e548ac4f31a044f13fe6670b68da1b95a2fdaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvukljmnr.exe

Filesize
187KB

MD5
9cecb9e88c1ff3d7a4ffc8bfeb27c2e1

SHA1
63223ba95bfa3bf5c33b2fa08376afc90b35465e

SHA256
78c9548a33abd68ed553bb2a48166afd21041b9d868a0373e4a11b93409db049

SHA512
be4365f78f9da5d3ab920100debf9a23f94101c5482db6fbb8708913006483df0a6dc882baac4d11eb942b464e548ac4f31a044f13fe6670b68da1b95a2fdaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxsjdcnfw

Filesize
4KB

MD5
498c16613e82cebca0fc1541214be952

SHA1
23e7da2aa1b3ef5f3aec1ae51f797da4f421efc5

SHA256
7f40da6288c8e939afea7a6512e518933d1802f6b822817b21e3b457af445ce8

SHA512
ba6b040c01b60827f893f918de5478e83b53da511ef62d0b10b2a12ec17f64c2ff64bd50dc1be814809153ae90c913370010bacf22636fbd4820b409e6183a7b

Download Submit
memory/768-130-0x0000000000000000-mapping.dmp

Download
memory/2504-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing