0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec

General

Target

0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe
Size

683KB
MD5

8bb19f064991f91dca466784b13e2bb3
SHA1

517682367ad7b45ab2f4eba49bff723f033cfc6d
SHA256

0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec
SHA512

0752b19d991542ee5834d62b614ead5cdb90b365a5fed03a830cf57761fc00c6142d40f8f0da1bee0acb90e5f3aed14afdaa25e33b9ad132dbeec1a1c3286beb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

JQDRLENE.exe

pid process

896 JQDRLENE.exe

pid	process
896	JQDRLENE.exe

Loads dropped DLL 5 IoCs

Processes:

0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe

pid	process
1256	0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe
1256	0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe
1256	0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe
1256	0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe
1256	0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

JQDRLENE.exe

pid process

896 JQDRLENE.exe

pid	process
896	JQDRLENE.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe

description	pid	process	target process
PID 1256 wrote to memory of 896	1256	0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe	JQDRLENE.exe
PID 1256 wrote to memory of 896	1256	0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe	JQDRLENE.exe
PID 1256 wrote to memory of 896	1256	0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe	JQDRLENE.exe
PID 1256 wrote to memory of 896	1256	0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe	JQDRLENE.exe
PID 1256 wrote to memory of 896	1256	0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe	JQDRLENE.exe
PID 1256 wrote to memory of 896	1256	0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe	JQDRLENE.exe
PID 1256 wrote to memory of 896	1256	0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe	JQDRLENE.exe

C:\Users\Admin\AppData\Local\Temp\0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe
"C:\Users\Admin\AppData\Local\Temp\0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\HWCGYUDD\JQDRLENE.exe
"C:\Users\Admin\AppData\Local\Temp\HWCGYUDD\JQDRLENE.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:896

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HWCGYUDD\JQDRLENE.exe
Filesize
964KB

MD5
2ee38ff20b9d582668d0ff14bde48fcf

SHA1
ccd75e289a21ee01aac4878b248f877115ea5186

SHA256
0df50d6001913e1ff647d4bec049e9806ea1ea4826324ce972e0a8caf5a02873

SHA512
7e7c0ca12c49ef6566198f68b0eb38e8f5dfc307edbfe833781b7c981042390a87cfc00aa13cce8d0db8c49ddff4bba91009d79ff5ec3f0a398925d8c0aa6346

Download Submit
\Users\Admin\AppData\Local\Temp\HWCGYUDD\JQDRLENE.exe
Filesize
964KB

MD5
2ee38ff20b9d582668d0ff14bde48fcf

SHA1
ccd75e289a21ee01aac4878b248f877115ea5186

SHA256
0df50d6001913e1ff647d4bec049e9806ea1ea4826324ce972e0a8caf5a02873

SHA512
7e7c0ca12c49ef6566198f68b0eb38e8f5dfc307edbfe833781b7c981042390a87cfc00aa13cce8d0db8c49ddff4bba91009d79ff5ec3f0a398925d8c0aa6346

Download Submit
\Users\Admin\AppData\Local\Temp\HWCGYUDD\JQDRLENE.exe
Filesize
964KB

MD5
2ee38ff20b9d582668d0ff14bde48fcf

SHA1
ccd75e289a21ee01aac4878b248f877115ea5186

SHA256
0df50d6001913e1ff647d4bec049e9806ea1ea4826324ce972e0a8caf5a02873

SHA512
7e7c0ca12c49ef6566198f68b0eb38e8f5dfc307edbfe833781b7c981042390a87cfc00aa13cce8d0db8c49ddff4bba91009d79ff5ec3f0a398925d8c0aa6346

Download Submit
\Users\Admin\AppData\Local\Temp\HWCGYUDD\JQDRLENE.exe
Filesize
964KB

MD5
2ee38ff20b9d582668d0ff14bde48fcf

SHA1
ccd75e289a21ee01aac4878b248f877115ea5186

SHA256
0df50d6001913e1ff647d4bec049e9806ea1ea4826324ce972e0a8caf5a02873

SHA512
7e7c0ca12c49ef6566198f68b0eb38e8f5dfc307edbfe833781b7c981042390a87cfc00aa13cce8d0db8c49ddff4bba91009d79ff5ec3f0a398925d8c0aa6346

Download Submit
\Users\Admin\AppData\Local\Temp\HWCGYUDD\JQDRLENE.exe
Filesize
964KB

MD5
2ee38ff20b9d582668d0ff14bde48fcf

SHA1
ccd75e289a21ee01aac4878b248f877115ea5186

SHA256
0df50d6001913e1ff647d4bec049e9806ea1ea4826324ce972e0a8caf5a02873

SHA512
7e7c0ca12c49ef6566198f68b0eb38e8f5dfc307edbfe833781b7c981042390a87cfc00aa13cce8d0db8c49ddff4bba91009d79ff5ec3f0a398925d8c0aa6346

Download Submit
\Users\Admin\AppData\Local\Temp\HWCGYUDD\JQDRLENE.exe
Filesize
964KB

MD5
2ee38ff20b9d582668d0ff14bde48fcf

SHA1
ccd75e289a21ee01aac4878b248f877115ea5186

SHA256
0df50d6001913e1ff647d4bec049e9806ea1ea4826324ce972e0a8caf5a02873

SHA512
7e7c0ca12c49ef6566198f68b0eb38e8f5dfc307edbfe833781b7c981042390a87cfc00aa13cce8d0db8c49ddff4bba91009d79ff5ec3f0a398925d8c0aa6346

Download Submit
memory/896-60-0x0000000000000000-mapping.dmp

Download
memory/1256-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing