7d86a0c6ebbcd2f83f695579bd48b5ecea7c8ff8a7b365eb88b721c3bc0d854b

General

Target

7d86a0c6ebbcd2f83f695579bd48b5ecea7c8ff8a7b365eb88b721c3bc0d854b.exe
Size

148KB
MD5

713e68047e3e0a63d3c28c3c886d1530
SHA1

628944a797fd74141faad175f8eeb9e78c6a83ec
SHA256

7d86a0c6ebbcd2f83f695579bd48b5ecea7c8ff8a7b365eb88b721c3bc0d854b
SHA512

b995aaaee0578a3361b10d2692267985bf926b73a54d8012c8fb7e7cc056d8e0fd8ebc913acf61ed0258ffa594f1d6c4735460e6ff4f8aed7e8ea1d7d6b3dde8
SSDEEP

3072:KX5H3oUhFBpQhvrHQc5LDUUn1Ir/sFdhq4G:KpH3oUhahvrHQc5LNIrezq4G

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
756	FBvXR2IEMB5HV8U.exe

Deletes itself 1 IoCs

pid	Process
456	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
940	cmd.exe
940	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 940	1288	7d86a0c6ebbcd2f83f695579bd48b5ecea7c8ff8a7b365eb88b721c3bc0d854b.exe	27
PID 1288 wrote to memory of 940	1288	7d86a0c6ebbcd2f83f695579bd48b5ecea7c8ff8a7b365eb88b721c3bc0d854b.exe	27
PID 1288 wrote to memory of 940	1288	7d86a0c6ebbcd2f83f695579bd48b5ecea7c8ff8a7b365eb88b721c3bc0d854b.exe	27
PID 1288 wrote to memory of 940	1288	7d86a0c6ebbcd2f83f695579bd48b5ecea7c8ff8a7b365eb88b721c3bc0d854b.exe	27
PID 1288 wrote to memory of 456	1288	7d86a0c6ebbcd2f83f695579bd48b5ecea7c8ff8a7b365eb88b721c3bc0d854b.exe	30
PID 1288 wrote to memory of 456	1288	7d86a0c6ebbcd2f83f695579bd48b5ecea7c8ff8a7b365eb88b721c3bc0d854b.exe	30
PID 1288 wrote to memory of 456	1288	7d86a0c6ebbcd2f83f695579bd48b5ecea7c8ff8a7b365eb88b721c3bc0d854b.exe	30
PID 1288 wrote to memory of 456	1288	7d86a0c6ebbcd2f83f695579bd48b5ecea7c8ff8a7b365eb88b721c3bc0d854b.exe	30
PID 940 wrote to memory of 756	940	cmd.exe	31
PID 940 wrote to memory of 756	940	cmd.exe	31
PID 940 wrote to memory of 756	940	cmd.exe	31
PID 940 wrote to memory of 756	940	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\7d86a0c6ebbcd2f83f695579bd48b5ecea7c8ff8a7b365eb88b721c3bc0d854b.exe
"C:\Users\Admin\AppData\Local\Temp\7d86a0c6ebbcd2f83f695579bd48b5ecea7c8ff8a7b365eb88b721c3bc0d854b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FBvXR2IEMB5HV8U.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\FBvXR2IEMB5HV8U.exe
    "C:\Users\Admin\AppData\Local\Temp\FBvXR2IEMB5HV8U.exe"
    3⤵
    - Executes dropped EXE
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7d86a0c6ebbcd2f83f695579bd48b5ecea7c8ff8a7b365eb88b721c3bc0d854b.exe.bat" "
  2⤵
  - Deletes itself
  PID:456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7d86a0c6ebbcd2f83f695579bd48b5ecea7c8ff8a7b365eb88b721c3bc0d854b.exe.bat

Filesize
525B

MD5
822cc4130df1143aac9fe92cc1825410

SHA1
eece9811ea5c2277276a0a4066740928cb2706ef

SHA256
b238ea1754a74c1da7709355651fd4d7327dbf0536b249517b599b0dd8737c07

SHA512
fb65956d089cc0e60813c0d038a90fdb35e40b5920fb70aa0fea5e946045b7604b44f3b04a6b90ed410c186f139559bc6b6b35fc3fc46eb02619ae2dc53ee92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBvXR2IEMB5HV8U.exe

Filesize
111KB

MD5
fa1c8c4a83913e8639ac4227231f7ad1

SHA1
a415cfc290360a5c76a00759a6c055f0d7c27194

SHA256
f078e063e32f521d16a7cb253099de14ed7f52c0882058734bfb47caf9b1a07b

SHA512
dbd0278f51738033f2934d9039acbb980ecacb50bcea6710c1419206349e76a919455af00f91059c4b2694de46fb1c483d39e7bd191cf36a3ceffdf124157ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBvXR2IEMB5HV8U.exe

Filesize
111KB

MD5
fa1c8c4a83913e8639ac4227231f7ad1

SHA1
a415cfc290360a5c76a00759a6c055f0d7c27194

SHA256
f078e063e32f521d16a7cb253099de14ed7f52c0882058734bfb47caf9b1a07b

SHA512
dbd0278f51738033f2934d9039acbb980ecacb50bcea6710c1419206349e76a919455af00f91059c4b2694de46fb1c483d39e7bd191cf36a3ceffdf124157ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBvXR2IEMB5HV8U.exe.bat

Filesize
207B

MD5
d45c29f5455121e3932b4bac3e9fd4ae

SHA1
ae296aa03315ed5ff863adcb5617bd59681c8d47

SHA256
6d2b042d1cc1e9f198081c73cd8a738f9338f5ff58b6f001adfcd3448aa04612

SHA512
0d9868b3cd9133909ddd00e71cbcdef6f9e5138abcd7c7081cb0b72a627b74ce64096ea48b662ed22e9c98f48112b0e23f34aa90de3a1662ba2b9a34d4c42326

Download Submit
\Users\Admin\AppData\Local\Temp\FBvXR2IEMB5HV8U.exe

Filesize
111KB

MD5
fa1c8c4a83913e8639ac4227231f7ad1

SHA1
a415cfc290360a5c76a00759a6c055f0d7c27194

SHA256
f078e063e32f521d16a7cb253099de14ed7f52c0882058734bfb47caf9b1a07b

SHA512
dbd0278f51738033f2934d9039acbb980ecacb50bcea6710c1419206349e76a919455af00f91059c4b2694de46fb1c483d39e7bd191cf36a3ceffdf124157ee8

Download Submit
\Users\Admin\AppData\Local\Temp\FBvXR2IEMB5HV8U.exe

Filesize
111KB

MD5
fa1c8c4a83913e8639ac4227231f7ad1

SHA1
a415cfc290360a5c76a00759a6c055f0d7c27194

SHA256
f078e063e32f521d16a7cb253099de14ed7f52c0882058734bfb47caf9b1a07b

SHA512
dbd0278f51738033f2934d9039acbb980ecacb50bcea6710c1419206349e76a919455af00f91059c4b2694de46fb1c483d39e7bd191cf36a3ceffdf124157ee8

Download Submit
memory/456-57-0x0000000000000000-mapping.dmp

Download
memory/756-61-0x0000000000000000-mapping.dmp

Download
memory/940-55-0x0000000000000000-mapping.dmp

Download
memory/1288-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing