3fcc8b307c772d026033fb7e3d19778e634954d5bf93ebe250f285116facbf1f

Analysis

Target

3fcc8b307c772d026033fb7e3d19778e634954d5bf93ebe250f285116facbf1f.exe
Size

370KB
MD5

6cb94510fd574e97322d884a11b572fc
SHA1

37869c327d5b76660055315934dd1b35ef029424
SHA256

3fcc8b307c772d026033fb7e3d19778e634954d5bf93ebe250f285116facbf1f
SHA512

d83ec1363e5a5b5189c342bf664f4d2e66f242a64344d2426c5cd8f71a2540ccdc52b88be03faa7a05841e57fa6ac67007c8c2f69abea6b9788f7010b8841ae3

Score

10^/10

suricata

suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata
Executes dropped EXE 1 IoCs

Processes:

oinjefvqttjp.exe

pid process

1768 oinjefvqttjp.exe

pid	process
1768	oinjefvqttjp.exe

Drops file in Windows directory 2 IoCs

Processes:

3fcc8b307c772d026033fb7e3d19778e634954d5bf93ebe250f285116facbf1f.exe

description	ioc	process
File created	C:\Windows\oinjefvqttjp.exe	3fcc8b307c772d026033fb7e3d19778e634954d5bf93ebe250f285116facbf1f.exe
File opened for modification	C:\Windows\oinjefvqttjp.exe	3fcc8b307c772d026033fb7e3d19778e634954d5bf93ebe250f285116facbf1f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3fcc8b307c772d026033fb7e3d19778e634954d5bf93ebe250f285116facbf1f.exe

description pid process

Token: SeDebugPrivilege 1288 3fcc8b307c772d026033fb7e3d19778e634954d5bf93ebe250f285116facbf1f.exe

description	pid	process
Token: SeDebugPrivilege	1288	3fcc8b307c772d026033fb7e3d19778e634954d5bf93ebe250f285116facbf1f.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3fcc8b307c772d026033fb7e3d19778e634954d5bf93ebe250f285116facbf1f.exe

description	pid	process	target process
PID 1288 wrote to memory of 1768	1288	3fcc8b307c772d026033fb7e3d19778e634954d5bf93ebe250f285116facbf1f.exe	oinjefvqttjp.exe
PID 1288 wrote to memory of 1768	1288	3fcc8b307c772d026033fb7e3d19778e634954d5bf93ebe250f285116facbf1f.exe	oinjefvqttjp.exe
PID 1288 wrote to memory of 1768	1288	3fcc8b307c772d026033fb7e3d19778e634954d5bf93ebe250f285116facbf1f.exe	oinjefvqttjp.exe
PID 1288 wrote to memory of 1768	1288	3fcc8b307c772d026033fb7e3d19778e634954d5bf93ebe250f285116facbf1f.exe	oinjefvqttjp.exe

C:\Users\Admin\AppData\Local\Temp\3fcc8b307c772d026033fb7e3d19778e634954d5bf93ebe250f285116facbf1f.exe
"C:\Users\Admin\AppData\Local\Temp\3fcc8b307c772d026033fb7e3d19778e634954d5bf93ebe250f285116facbf1f.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\oinjefvqttjp.exe
  C:\Windows\oinjefvqttjp.exe
  2⤵
  - Executes dropped EXE
  PID:1768

C:\Windows\oinjefvqttjp.exe

Filesize
53KB

MD5
37baa887afc8cceb3898b72a3ccebb11

SHA1
21ea2769987040e2fa35af7e07f55d9707fc7a86

SHA256
863f2cac5d83fe6f11ca67a2129573c48cbb1384608fb2bbca1f67ac987329af

SHA512
af164168aa804b378a27d2547ed5001f06b92c79d546cae35377555fb55e544aba8bd6d6975d3cd4e3c66602b88490dbd6f63f4317e9da003d07fd4d2b3967cb

Download Submit
memory/1288-54-0x0000000075F61000-0x0000000075F63000-memory.dmp

Filesize
8KB

Download
memory/1288-55-0x0000000000390000-0x00000000003BE000-memory.dmp

Filesize
184KB

Download
memory/1288-56-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1288-57-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1768-58-0x0000000000000000-mapping.dmp

Download
memory/1768-61-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download