6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab

General

Target

6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe
Size

468KB
MD5

35d60d2723c649c97b414b3cb701df1c
SHA1

9944ce9354fb8961826339770ffc118000058271
SHA256

6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab
SHA512

7b010b8dd4845bcfbfef66848fa0a29b987734a7adb41f07bbc025527ee33459edac7674f954016e96c3704e0ed9130104c5cf4625b78927a19c727812ca389c

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow	pid	Process
9	908	rundll32.exe
15	908	rundll32.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1640	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid	Process
1536	regsvr32.exe
908	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exeregsvr32.exe

description	pid	Process	procid_target
PID 1728 wrote to memory of 1640	1728	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe	28
PID 1728 wrote to memory of 1640	1728	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe	28
PID 1728 wrote to memory of 1640	1728	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe	28
PID 1728 wrote to memory of 1640	1728	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe	28
PID 1728 wrote to memory of 1536	1728	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe	30
PID 1728 wrote to memory of 1536	1728	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe	30
PID 1728 wrote to memory of 1536	1728	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe	30
PID 1728 wrote to memory of 1536	1728	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe	30
PID 1728 wrote to memory of 1536	1728	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe	30
PID 1728 wrote to memory of 1536	1728	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe	30
PID 1728 wrote to memory of 1536	1728	6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe	30
PID 1536 wrote to memory of 908	1536	regsvr32.exe	31
PID 1536 wrote to memory of 908	1536	regsvr32.exe	31
PID 1536 wrote to memory of 908	1536	regsvr32.exe	31
PID 1536 wrote to memory of 908	1536	regsvr32.exe	31
PID 1536 wrote to memory of 908	1536	regsvr32.exe	31
PID 1536 wrote to memory of 908	1536	regsvr32.exe	31
PID 1536 wrote to memory of 908	1536	regsvr32.exe	31

C:\Users\Admin\AppData\Local\Temp\6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe
"C:\Users\Admin\AppData\Local\Temp\6dfce07abc39e5d6aebd74a1850ad65cc6ce10a8540b551c4f6d441ec4cf48ab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\rns.bat" "
  2⤵
  - Deletes itself
  PID:1640
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s /n /i NewACt.dat
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe "C:\Users\Admin\AppData\Roaming\Microsoft\NewACt.dat",checkdrive
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rns.bat

Filesize
296B

MD5
5fea73ccfab1fec3832408ad4c33f786

SHA1
c4aeedbf9ce66565e74d3806ad3c76282ed83fb1

SHA256
9820d84bdfde1dd8f12ec2306fdeb9089724abd7b9d4b1a0f9f26d4e41b13422

SHA512
9af2b2979beb22bd417861bc56fc4eb86635a63e93cb74437ebb7450e90b4b8c814a8ac9ccfc9cf967cafb83867a9fd7353ba5b02dedddf03ce10a5e48c1fed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\NewACt.dat

Filesize
109KB

MD5
e54b370d96ca0e2ecc083c2d42f05210

SHA1
03c35e4c6a641373db665e7d58cea421188fbc82

SHA256
1050935f6acee3afda3876478718632b968c986eb9c59fc2e27599c1515515f5

SHA512
dbdd30cd32160d716578e325a32db6822227271082ffd78daf0d9d4dad3c04445fe5a10b726bf4bb71d88382e56041ff326132c748a8139e4932e1103734e2d4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\NewACt.dat

Filesize
109KB

MD5
e54b370d96ca0e2ecc083c2d42f05210

SHA1
03c35e4c6a641373db665e7d58cea421188fbc82

SHA256
1050935f6acee3afda3876478718632b968c986eb9c59fc2e27599c1515515f5

SHA512
dbdd30cd32160d716578e325a32db6822227271082ffd78daf0d9d4dad3c04445fe5a10b726bf4bb71d88382e56041ff326132c748a8139e4932e1103734e2d4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\NewACt.dat

Filesize
109KB

MD5
e54b370d96ca0e2ecc083c2d42f05210

SHA1
03c35e4c6a641373db665e7d58cea421188fbc82

SHA256
1050935f6acee3afda3876478718632b968c986eb9c59fc2e27599c1515515f5

SHA512
dbdd30cd32160d716578e325a32db6822227271082ffd78daf0d9d4dad3c04445fe5a10b726bf4bb71d88382e56041ff326132c748a8139e4932e1103734e2d4

Download Submit
memory/908-61-0x0000000000000000-mapping.dmp

Download
memory/1536-57-0x0000000000000000-mapping.dmp

Download
memory/1640-55-0x0000000000000000-mapping.dmp

Download
memory/1728-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads