5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c

General

Target

5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
Size

321KB
MD5

71235e186670cfb93f258d51470961d8
SHA1

4757c7f00f749da3d3144a4eec1bbe38b9374c29
SHA256

5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c
SHA512

f1cd4c8d83e694407158b05ad85cb518059ba7dbfd8936f59b36f7110ad11697f6e2c62a60ddd0b22fff824b932e4d2709e53621092415d2329dae6722e15ab8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1784	5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
1992	5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
880	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1784	1992	5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe	27
PID 1992 wrote to memory of 1784	1992	5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe	27
PID 1992 wrote to memory of 1784	1992	5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe	27
PID 1992 wrote to memory of 1784	1992	5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe	27
PID 1992 wrote to memory of 1740	1992	5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe	28
PID 1992 wrote to memory of 1740	1992	5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe	28
PID 1992 wrote to memory of 1740	1992	5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe	28
PID 1992 wrote to memory of 1740	1992	5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe	28
PID 1740 wrote to memory of 880	1740	cmd.exe	30
PID 1740 wrote to memory of 880	1740	cmd.exe	30
PID 1740 wrote to memory of 880	1740	cmd.exe	30
PID 1740 wrote to memory of 880	1740	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
"C:\Users\Admin\AppData\Local\Temp\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe
  "C:\Users\Admin\AppData\Local\Temp\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe"
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe

Filesize
321KB

MD5
71235e186670cfb93f258d51470961d8

SHA1
4757c7f00f749da3d3144a4eec1bbe38b9374c29

SHA256
5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c

SHA512
f1cd4c8d83e694407158b05ad85cb518059ba7dbfd8936f59b36f7110ad11697f6e2c62a60ddd0b22fff824b932e4d2709e53621092415d2329dae6722e15ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe

Filesize
321KB

MD5
71235e186670cfb93f258d51470961d8

SHA1
4757c7f00f749da3d3144a4eec1bbe38b9374c29

SHA256
5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c

SHA512
f1cd4c8d83e694407158b05ad85cb518059ba7dbfd8936f59b36f7110ad11697f6e2c62a60ddd0b22fff824b932e4d2709e53621092415d2329dae6722e15ab8

Download Submit
\Users\Admin\AppData\Local\Temp\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe

Filesize
321KB

MD5
71235e186670cfb93f258d51470961d8

SHA1
4757c7f00f749da3d3144a4eec1bbe38b9374c29

SHA256
5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c

SHA512
f1cd4c8d83e694407158b05ad85cb518059ba7dbfd8936f59b36f7110ad11697f6e2c62a60ddd0b22fff824b932e4d2709e53621092415d2329dae6722e15ab8

Download Submit
\Users\Admin\AppData\Local\Temp\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c\5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c.exe

Filesize
321KB

MD5
71235e186670cfb93f258d51470961d8

SHA1
4757c7f00f749da3d3144a4eec1bbe38b9374c29

SHA256
5ab633d4aae244aa0795e1ad0c2f342d3b48c232333a1d254052672272f75f2c

SHA512
f1cd4c8d83e694407158b05ad85cb518059ba7dbfd8936f59b36f7110ad11697f6e2c62a60ddd0b22fff824b932e4d2709e53621092415d2329dae6722e15ab8

Download Submit
memory/1784-64-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/1992-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1992-55-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/1992-65-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing