aaba43d573b9c6815b1306504b446ff264af67db18c7ad7a32617ca07d90b45f

General

Target

bb797cf4de9a2f411f916401000904a1.exe
Size

559KB
MD5

bb797cf4de9a2f411f916401000904a1
SHA1

e81b1737a0dc57270850ff2f6eb30a1a542ef5e1
SHA256

aaba43d573b9c6815b1306504b446ff264af67db18c7ad7a32617ca07d90b45f
SHA512

d57ed7dceff0730eb19f6b95fca7c30d79f366eecd245e0062aab8b077eb1b53cf7ed87ecc39053c9f39c46b22031819eda41fa018cc8d98db01d0d424153558
SSDEEP

12288:Sa4Puo3+QtWvSoW6mJEfwQOY9rk9jGwvr2w7+:Sa4GoMlW6mJEY1YxkZ3vyw7+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1644	svchost.exe
1520	bb797cf4de9a2f411f916401000904a1.exe
1608	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1644	svchost.exe
1644	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	bb797cf4de9a2f411f916401000904a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1520	bb797cf4de9a2f411f916401000904a1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1520	bb797cf4de9a2f411f916401000904a1.exe
Token: 35	1520	bb797cf4de9a2f411f916401000904a1.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1644	1672	bb797cf4de9a2f411f916401000904a1.exe	27
PID 1672 wrote to memory of 1644	1672	bb797cf4de9a2f411f916401000904a1.exe	27
PID 1672 wrote to memory of 1644	1672	bb797cf4de9a2f411f916401000904a1.exe	27
PID 1672 wrote to memory of 1644	1672	bb797cf4de9a2f411f916401000904a1.exe	27
PID 1644 wrote to memory of 1520	1644	svchost.exe	28
PID 1644 wrote to memory of 1520	1644	svchost.exe	28
PID 1644 wrote to memory of 1520	1644	svchost.exe	28
PID 1644 wrote to memory of 1520	1644	svchost.exe	28

C:\Users\Admin\AppData\Local\Temp\bb797cf4de9a2f411f916401000904a1.exe
"C:\Users\Admin\AppData\Local\Temp\bb797cf4de9a2f411f916401000904a1.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\bb797cf4de9a2f411f916401000904a1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\bb797cf4de9a2f411f916401000904a1.exe
    "C:\Users\Admin\AppData\Local\Temp\bb797cf4de9a2f411f916401000904a1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1520

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bb797cf4de9a2f411f916401000904a1.exe

Filesize
524KB

MD5
4a0d1fc08c5fb5403665fe1ce0cfc4f1

SHA1
6534d94b2655b50cabeb7b0a719f47b44795303d

SHA256
043cb945358510ce0921ebcd33821e3d2f3f4f15223943e5c816ccf170668fbc

SHA512
38b5f27136abb6a82a70794bbc9664e0635b31556880bf079595f49197ec5c9253ab1ef9f027a8528a7982531000e646a232aa82419a8485716e7762a78488d6

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\Users\Admin\AppData\Local\Temp\bb797cf4de9a2f411f916401000904a1.exe

Filesize
524KB

MD5
4a0d1fc08c5fb5403665fe1ce0cfc4f1

SHA1
6534d94b2655b50cabeb7b0a719f47b44795303d

SHA256
043cb945358510ce0921ebcd33821e3d2f3f4f15223943e5c816ccf170668fbc

SHA512
38b5f27136abb6a82a70794bbc9664e0635b31556880bf079595f49197ec5c9253ab1ef9f027a8528a7982531000e646a232aa82419a8485716e7762a78488d6

Download Submit
\Users\Admin\AppData\Local\Temp\bb797cf4de9a2f411f916401000904a1.exe

Filesize
524KB

MD5
4a0d1fc08c5fb5403665fe1ce0cfc4f1

SHA1
6534d94b2655b50cabeb7b0a719f47b44795303d

SHA256
043cb945358510ce0921ebcd33821e3d2f3f4f15223943e5c816ccf170668fbc

SHA512
38b5f27136abb6a82a70794bbc9664e0635b31556880bf079595f49197ec5c9253ab1ef9f027a8528a7982531000e646a232aa82419a8485716e7762a78488d6

Download Submit
memory/1520-59-0x0000000000000000-mapping.dmp

Download
memory/1520-61-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1644-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing