8f80042ca609cfd6ba7db84003a87d6fad6fc0418fb1392879441e4ae68aaec4

Analysis

Target

SecuriteInfo.com.Variant.Symmi.62789.25665.exe
Size

1.0MB
MD5

c1e4a2246ff15995c559331b25cf6536
SHA1

efa49da0e7d8c3e7a24a0dfb8953f996093b3f7b
SHA256

8f80042ca609cfd6ba7db84003a87d6fad6fc0418fb1392879441e4ae68aaec4
SHA512

9ffe9c2a3ff5005fe0971cc0116318474cf70d3b5dd8dcce8802b294c60e6d5890e421b723c508519471cf19119733c574e47c7dcc63e98055d87b67a7de73c4

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
396	SecuriteInfo.com.Variant.Symmi.62789.25665.exe
396	SecuriteInfo.com.Variant.Symmi.62789.25665.exe
396	SecuriteInfo.com.Variant.Symmi.62789.25665.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 3536	396	SecuriteInfo.com.Variant.Symmi.62789.25665.exe	78
PID 396 wrote to memory of 3536	396	SecuriteInfo.com.Variant.Symmi.62789.25665.exe	78
PID 396 wrote to memory of 3536	396	SecuriteInfo.com.Variant.Symmi.62789.25665.exe	78

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Symmi.62789.25665.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Symmi.62789.25665.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:3536

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact