1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0

General

Target

1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe
Size

320KB
MD5

4a30268b139df804cc85add123fd734e
SHA1

5b48f2af4eaebefe98b47e17f4a8775eb042f9ed
SHA256

1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0
SHA512

b8e0bb897dad7d2bfa033f4752a356b46baf824bd502b766a8901abc5a9bc61f57856b92271b73acc3034df63ca2665f87246296073cb183108cdc375aaac846

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2032	1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe

Deletes itself 1 IoCs

pid	Process
280	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1120	1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe
1120	1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1092	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1120	1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 2032	1120	1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe	28
PID 1120 wrote to memory of 2032	1120	1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe	28
PID 1120 wrote to memory of 2032	1120	1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe	28
PID 1120 wrote to memory of 2032	1120	1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe	28
PID 1120 wrote to memory of 280	1120	1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe	29
PID 1120 wrote to memory of 280	1120	1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe	29
PID 1120 wrote to memory of 280	1120	1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe	29
PID 1120 wrote to memory of 280	1120	1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe	29
PID 280 wrote to memory of 1092	280	cmd.exe	31
PID 280 wrote to memory of 1092	280	cmd.exe	31
PID 280 wrote to memory of 1092	280	cmd.exe	31
PID 280 wrote to memory of 1092	280	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe
"C:\Users\Admin\AppData\Local\Temp\1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0\1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe
  "C:\Users\Admin\AppData\Local\Temp\1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0\1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:280
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0\1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe

Filesize
320KB

MD5
4a30268b139df804cc85add123fd734e

SHA1
5b48f2af4eaebefe98b47e17f4a8775eb042f9ed

SHA256
1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0

SHA512
b8e0bb897dad7d2bfa033f4752a356b46baf824bd502b766a8901abc5a9bc61f57856b92271b73acc3034df63ca2665f87246296073cb183108cdc375aaac846

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0\1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe

Filesize
320KB

MD5
4a30268b139df804cc85add123fd734e

SHA1
5b48f2af4eaebefe98b47e17f4a8775eb042f9ed

SHA256
1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0

SHA512
b8e0bb897dad7d2bfa033f4752a356b46baf824bd502b766a8901abc5a9bc61f57856b92271b73acc3034df63ca2665f87246296073cb183108cdc375aaac846

Download Submit
\Users\Admin\AppData\Local\Temp\1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0\1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe

Filesize
320KB

MD5
4a30268b139df804cc85add123fd734e

SHA1
5b48f2af4eaebefe98b47e17f4a8775eb042f9ed

SHA256
1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0

SHA512
b8e0bb897dad7d2bfa033f4752a356b46baf824bd502b766a8901abc5a9bc61f57856b92271b73acc3034df63ca2665f87246296073cb183108cdc375aaac846

Download Submit
\Users\Admin\AppData\Local\Temp\1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0\1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0.exe

Filesize
320KB

MD5
4a30268b139df804cc85add123fd734e

SHA1
5b48f2af4eaebefe98b47e17f4a8775eb042f9ed

SHA256
1c8be3d17e18198dcda5c576f948ae23a5988e22aad3073a1a6739d5f9ed7ec0

SHA512
b8e0bb897dad7d2bfa033f4752a356b46baf824bd502b766a8901abc5a9bc61f57856b92271b73acc3034df63ca2665f87246296073cb183108cdc375aaac846

Download Submit
memory/1120-54-0x00000000759E1000-0x00000000759E3000-memory.dmp

Filesize
8KB

Download
memory/1120-56-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/1120-55-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/1120-67-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-63-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-64-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-65-0x0000000074C20000-0x00000000751CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing