25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a

General

Target

25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe
Size

1.4MB
MD5

4fd64491a0f896cb68a183535e7c5903
SHA1

cb612a594c568d57afa779a9b915c356a014d4c3
SHA256

25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a
SHA512

d00328bcf8f0c174262f8dda53e6567b1a2cffbafb7a6ef26812987c3fd06adbd23d6e2f6424c7f6c1cb03f50c24de641cbf39ba97b4f39664160e6d900ccd90
SSDEEP

24576:vk+G/DQsO70QJOX6UztBru1EgzMC2Qt53VLxOCFUBow1B12ZzsaeH:mQ87uEE5T3xkxoOYZzi

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
992	25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe

Loads dropped DLL 5 IoCs

pid	Process
1048	25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe
1048	25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe
992	25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe
992	25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe
992	25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
992	25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 992	1048	25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe	27
PID 1048 wrote to memory of 992	1048	25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe	27
PID 1048 wrote to memory of 992	1048	25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe	27
PID 1048 wrote to memory of 992	1048	25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe	27

C:\Users\Admin\AppData\Local\Temp\25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe
"C:\Users\Admin\AppData\Local\Temp\25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\ACCMT\25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe
  "C:\Users\Admin\AppData\Local\Temp\ACCMT\25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe" /UnInstall C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  PID:992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ACCMT\25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe

Filesize
1.4MB

MD5
4fd64491a0f896cb68a183535e7c5903

SHA1
cb612a594c568d57afa779a9b915c356a014d4c3

SHA256
25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a

SHA512
d00328bcf8f0c174262f8dda53e6567b1a2cffbafb7a6ef26812987c3fd06adbd23d6e2f6424c7f6c1cb03f50c24de641cbf39ba97b4f39664160e6d900ccd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACCMT\25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe

Filesize
1.4MB

MD5
4fd64491a0f896cb68a183535e7c5903

SHA1
cb612a594c568d57afa779a9b915c356a014d4c3

SHA256
25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a

SHA512
d00328bcf8f0c174262f8dda53e6567b1a2cffbafb7a6ef26812987c3fd06adbd23d6e2f6424c7f6c1cb03f50c24de641cbf39ba97b4f39664160e6d900ccd90

Download Submit
\Users\Admin\AppData\Local\Temp\ACCMT\25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a.exe

Filesize
1.4MB

MD5
4fd64491a0f896cb68a183535e7c5903

SHA1
cb612a594c568d57afa779a9b915c356a014d4c3

SHA256
25b3cead2048079520e49392ded83c331db8f2a3540b0cbee91a9b0201de727a

SHA512
d00328bcf8f0c174262f8dda53e6567b1a2cffbafb7a6ef26812987c3fd06adbd23d6e2f6424c7f6c1cb03f50c24de641cbf39ba97b4f39664160e6d900ccd90

Download Submit
\Users\Admin\AppData\Local\Temp\nst9E2.tmp\System.dll

Filesize
12KB

MD5
a45e5779dd7b2342789330729c11691f

SHA1
a7a6807b3ee5afcb6f14898d5d4abf2d58fabd44

SHA256
ffdec0fdffeda61f4074a9245ba5c425e6ed2a6ecbbfe07c593d14bcf6ce007b

SHA512
e17c9dbade785f2d7c62408ba083aa59b8ebe8b60c0c30bc2c0231423d560535c3bef9fd48fd288d1419d4cdbf05cd439d086dd4caef277c37bb4d9fbc60fc3f

Download Submit
\Users\Admin\AppData\Local\Temp\nst9E2.tmp\nsSkinEngine.dll

Filesize
646KB

MD5
e460a42c2c4abc7437f6a3b8a472b850

SHA1
24bc25f622e0b3e69c35e131f9e05cd0c678661b

SHA256
e94b7f35b62eb4c6360371b836251265ff6cfb7ee077afb884d860f7d76d5a05

SHA512
cc36225c3c7011674babb60f62de044646fb33f0d55388d17eaffa9d1f25644af955825b9a63b7dc08a31369c5ecec2a5b1721e29fe4ea211cd046e98f532a2b

Download Submit
\Users\Admin\AppData\Local\Temp\nst9E2.tmp\nsUtils.dll

Filesize
166KB

MD5
f94ced0f40a82f6828e498377230f041

SHA1
bc926b0a2344a82ee6262bfbfe12c54eca6db31a

SHA256
7339d2fdfc5d9fa055c8b932c708104a7bf055154062107d51e55da412a49d7e

SHA512
31ae5ed3886be569ad9daa1df958228a11d147b09a9f6bfa4193ab13f8be619dc03c46bcaa6e7d5df2f7d9594b55eb7287f43f48d4ef5d03c1648f126c23f631

Download Submit
\Users\Admin\AppData\Local\Temp\nsy791.tmp\System.dll

Filesize
12KB

MD5
a45e5779dd7b2342789330729c11691f

SHA1
a7a6807b3ee5afcb6f14898d5d4abf2d58fabd44

SHA256
ffdec0fdffeda61f4074a9245ba5c425e6ed2a6ecbbfe07c593d14bcf6ce007b

SHA512
e17c9dbade785f2d7c62408ba083aa59b8ebe8b60c0c30bc2c0231423d560535c3bef9fd48fd288d1419d4cdbf05cd439d086dd4caef277c37bb4d9fbc60fc3f

Download Submit
memory/992-63-0x0000000074481000-0x0000000074483000-memory.dmp

Filesize
8KB

Download
memory/1048-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing