3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4

General

Target

3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4.exe
Size

132KB
MD5

61ddf7ff23b1e906bc39754e4eadaf44
SHA1

55a4d71f502392f29e734ebf3bac6fec2c91f07e
SHA256

3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4
SHA512

e64d0673b39d19219ecdb8d938d933249df379d6006eb8ae0298e6695cf93106049f75d46adafbf05a3061fa72659743fb59d93021ba4a88e722c928c58e42ac

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4.exe3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4.exewfpslide.exewfpslide.exe

pid	Process
4556	3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4.exe
4556	3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4.exe
3464	3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4.exe
3464	3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4.exe
3380	wfpslide.exe
3380	wfpslide.exe
908	wfpslide.exe
908	wfpslide.exe
908	wfpslide.exe
908	wfpslide.exe
908	wfpslide.exe
908	wfpslide.exe
908	wfpslide.exe
908	wfpslide.exe
908	wfpslide.exe
908	wfpslide.exe
908	wfpslide.exe
908	wfpslide.exe
908	wfpslide.exe
908	wfpslide.exe
908	wfpslide.exe
908	wfpslide.exe
908	wfpslide.exe
908	wfpslide.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4.exe

pid	Process
3464	3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4.exewfpslide.exe

description	pid	Process	procid_target
PID 4556 wrote to memory of 3464	4556	3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4.exe	80
PID 4556 wrote to memory of 3464	4556	3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4.exe	80
PID 4556 wrote to memory of 3464	4556	3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4.exe	80
PID 3380 wrote to memory of 908	3380	wfpslide.exe	86
PID 3380 wrote to memory of 908	3380	wfpslide.exe	86
PID 3380 wrote to memory of 908	3380	wfpslide.exe	86

C:\Users\Admin\AppData\Local\Temp\3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4.exe
"C:\Users\Admin\AppData\Local\Temp\3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Local\Temp\3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4.exe
  "C:\Users\Admin\AppData\Local\Temp\3b483810130ab7c6bfa6625f45cafb070e793128a723c62d77c5598d2009a7e4.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:3464

C:\Windows\SysWOW64\wfpslide.exe
"C:\Windows\SysWOW64\wfpslide.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\SysWOW64\wfpslide.exe
  "C:\Windows\SysWOW64\wfpslide.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/908-147-0x0000000000000000-mapping.dmp

Download
memory/908-157-0x0000000000950000-0x000000000096A000-memory.dmp

Filesize
104KB

Download
memory/908-156-0x0000000000AE0000-0x0000000000AF8000-memory.dmp

Filesize
96KB

Download
memory/908-155-0x0000000000950000-0x000000000096A000-memory.dmp

Filesize
104KB

Download
memory/908-148-0x0000000000AC0000-0x0000000000ADA000-memory.dmp

Filesize
104KB

Download
memory/3380-153-0x0000000001900000-0x0000000001918000-memory.dmp

Filesize
96KB

Download
memory/3380-152-0x00000000018C0000-0x00000000018DA000-memory.dmp

Filesize
104KB

Download
memory/3380-143-0x00000000018E0000-0x00000000018FA000-memory.dmp

Filesize
104KB

Download
memory/3464-154-0x0000000000920000-0x000000000093A000-memory.dmp

Filesize
104KB

Download
memory/3464-142-0x0000000000960000-0x0000000000978000-memory.dmp

Filesize
96KB

Download
memory/3464-141-0x0000000000920000-0x000000000093A000-memory.dmp

Filesize
104KB

Download
memory/3464-135-0x0000000000940000-0x000000000095A000-memory.dmp

Filesize
104KB

Download
memory/3464-134-0x0000000000000000-mapping.dmp

Download
memory/4556-140-0x0000000002580000-0x0000000002598000-memory.dmp

Filesize
96KB

Download
memory/4556-130-0x0000000002560000-0x000000000257A000-memory.dmp

Filesize
104KB

Download
memory/4556-139-0x0000000002540000-0x000000000255A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads