4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec

General

Target

4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe
Size

1.3MB
MD5

48d1c0a7f9999c7e134a0d47c3ce43eb
SHA1

7c0097e0b1ca205c998a9728bf54124fe63c4d26
SHA256

4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec
SHA512

462271a42ee651af42aaec65671bd70e9bc0fc37fbf579318cc49eec30bafee0577b72d0e7197bad98f03b1004eeefdc94766b94ef02be9e4a2842f9de4a60e8
SSDEEP

24576:lq/WSDhvtaC6bgMCdDCxj/PW+wsDaQw6DDz3qRyPnmGfrnvVUKueY8RmneWtJb:l6iC531m3asY6DwOBfrnvV7UeWtp

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1520	4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe

Loads dropped DLL 4 IoCs

pid	Process
2044	4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe
1520	4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe
1520	4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe
1520	4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	checkip.dyndns.org

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1520	4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1520	4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe
1520	4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1520	2044	4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe	28
PID 2044 wrote to memory of 1520	2044	4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe	28
PID 2044 wrote to memory of 1520	2044	4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe	28
PID 2044 wrote to memory of 1520	2044	4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe	28

C:\Users\Admin\AppData\Local\Temp\4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe
"C:\Users\Admin\AppData\Local\Temp\4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\ezpxeukj.gk2\4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe
  "C:\Users\Admin\AppData\Local\Temp\ezpxeukj.gk2\4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ezpxeukj.gk2\4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe

Filesize
1.3MB

MD5
1154a2fbbb98bedbd6ed0ef40d14d537

SHA1
c8c6a10e2f5ad69f3d3b576dfa31fa717b0a088b

SHA256
82282eabba54974daf44e87048419c26b84fa740b7a7dcf81faa1af4ce279586

SHA512
5b406407648447c4c02304504e307f027bd8ee45e3b2142b5cefb4ca1033bc888094f9c864231f6258d21371b6970651f5db3935e5f569a9a2d22be7dd729e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezpxeukj.gk2\4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe

Filesize
1.3MB

MD5
1154a2fbbb98bedbd6ed0ef40d14d537

SHA1
c8c6a10e2f5ad69f3d3b576dfa31fa717b0a088b

SHA256
82282eabba54974daf44e87048419c26b84fa740b7a7dcf81faa1af4ce279586

SHA512
5b406407648447c4c02304504e307f027bd8ee45e3b2142b5cefb4ca1033bc888094f9c864231f6258d21371b6970651f5db3935e5f569a9a2d22be7dd729e88

Download Submit
\Users\Admin\AppData\Local\Temp\ezpxeukj.gk2\4cc10bf8879fc5272934e9a251c42a8ee645b2a334e183a9ba168fc1f77c9bec.exe

Filesize
1.3MB

MD5
1154a2fbbb98bedbd6ed0ef40d14d537

SHA1
c8c6a10e2f5ad69f3d3b576dfa31fa717b0a088b

SHA256
82282eabba54974daf44e87048419c26b84fa740b7a7dcf81faa1af4ce279586

SHA512
5b406407648447c4c02304504e307f027bd8ee45e3b2142b5cefb4ca1033bc888094f9c864231f6258d21371b6970651f5db3935e5f569a9a2d22be7dd729e88

Download Submit
\Users\Admin\AppData\Local\Temp\ezpxeukj.gk2\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
\Users\Admin\AppData\Local\Temp\ezpxeukj.gk2\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
\Users\Admin\AppData\Local\Temp\ezpxeukj.gk2\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
memory/1520-66-0x0000000074F70000-0x0000000074F79000-memory.dmp

Filesize
36KB

Download
memory/1520-81-0x000000005E3A0000-0x000000005E42D000-memory.dmp

Filesize
564KB

Download
memory/1520-64-0x00000000752B0000-0x00000000752F7000-memory.dmp

Filesize
284KB

Download
memory/1520-65-0x0000000076DF0000-0x0000000076E47000-memory.dmp

Filesize
348KB

Download
memory/1520-101-0x0000000060340000-0x0000000060348000-memory.dmp

Filesize
32KB

Download
memory/1520-67-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1520-100-0x0000000000960000-0x0000000000A0E000-memory.dmp

Filesize
696KB

Download
memory/1520-70-0x00000000752B0000-0x00000000752F7000-memory.dmp

Filesize
284KB

Download
memory/1520-71-0x0000000000960000-0x0000000000A0E000-memory.dmp

Filesize
696KB

Download
memory/1520-72-0x00000000001D0000-0x000000000020D000-memory.dmp

Filesize
244KB

Download
memory/1520-73-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1520-69-0x0000000075500000-0x000000007614A000-memory.dmp

Filesize
12.3MB

Download
memory/1520-75-0x0000000076960000-0x0000000076ABC000-memory.dmp

Filesize
1.4MB

Download
memory/1520-76-0x00000000746B0000-0x000000007470B000-memory.dmp

Filesize
364KB

Download
memory/1520-61-0x0000000000960000-0x0000000000A0E000-memory.dmp

Filesize
696KB

Download
memory/1520-79-0x0000000076670000-0x00000000766FF000-memory.dmp

Filesize
572KB

Download
memory/1520-60-0x0000000074F80000-0x0000000074FCA000-memory.dmp

Filesize
296KB

Download
memory/1520-63-0x0000000075200000-0x00000000752AC000-memory.dmp

Filesize
688KB

Download
memory/1520-83-0x0000000060340000-0x0000000060348000-memory.dmp

Filesize
32KB

Download
memory/1520-86-0x0000000072E80000-0x0000000072E95000-memory.dmp

Filesize
84KB

Download
memory/1520-87-0x0000000072EA0000-0x0000000072EF2000-memory.dmp

Filesize
328KB

Download
memory/1520-88-0x0000000076E50000-0x0000000076E85000-memory.dmp

Filesize
212KB

Download
memory/1520-89-0x0000000073990000-0x000000007399D000-memory.dmp

Filesize
52KB

Download
memory/1520-90-0x00000000754B0000-0x00000000754C9000-memory.dmp

Filesize
100KB

Download
memory/1520-91-0x0000000071660000-0x00000000716AF000-memory.dmp

Filesize
316KB

Download
memory/1520-92-0x00000000716B0000-0x0000000071708000-memory.dmp

Filesize
352KB

Download
memory/1520-93-0x0000000072E00000-0x0000000072E1C000-memory.dmp

Filesize
112KB

Download
memory/1520-94-0x0000000075090000-0x000000007509C000-memory.dmp

Filesize
48KB

Download
memory/1520-96-0x0000000076840000-0x0000000076867000-memory.dmp

Filesize
156KB

Download
memory/1520-97-0x0000000001EE7000-0x0000000001EF8000-memory.dmp

Filesize
68KB

Download
memory/1520-98-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1520-99-0x00000000752B0000-0x00000000752F7000-memory.dmp

Filesize
284KB

Download
memory/2044-68-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-54-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing