b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9

General

Target

b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe
Size

600KB
MD5

797871aad1cf127495c446876025ad28
SHA1

801f1c3000f8369cc2dad59c85c579ebfabbda04
SHA256

b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9
SHA512

d1cea280434c2c64eb229a986a66e7e8deb2d6bf1df06d72d89a3467c9bedbbd8aed9c261e8cc35b8ad64697323ac21a17edab20cc03e71f5d37ee0c60ffba63
SSDEEP

12288:i78ByWqjMd2TgDc66CVE8rObc/2izosb5u6uWeZUdE+pznUaH:EsyWqjxgDc6YoObcdoWE/jUdE+pDUaH

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1048	s1186.exe

Loads dropped DLL 4 IoCs

pid	Process
704	b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe
704	b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe
704	b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe
704	b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1048	s1186.exe
1048	s1186.exe
1048	s1186.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	s1186.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1048	s1186.exe
1048	s1186.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 704 wrote to memory of 1048	704	b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe	27
PID 704 wrote to memory of 1048	704	b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe	27
PID 704 wrote to memory of 1048	704	b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe	27
PID 704 wrote to memory of 1048	704	b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe	27

C:\Users\Admin\AppData\Local\Temp\b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe
"C:\Users\Admin\AppData\Local\Temp\b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:704
- C:\Users\Admin\AppData\Local\Temp\n1186\s1186.exe
  "C:\Users\Admin\AppData\Local\Temp\n1186\s1186.exe" 7e757072b22cf6735c6f4ee7WfZrJSh6LpTgDMsBQuhRz/RruOdKlthuf4wY0I0RkgxbcPWXvg45YhRgQxBFmMvYgtYB01OkJVNmzlopUdbGrI3+imFlSdUxqtBf1SO8mj1j/UFniVMaLgbS1TyS1tEDjvWTQP/n29p3WnxThZoRxaG+UqP2+FySihLYCA== /v "C:\Users\Admin\AppData\Local\Temp\b0076c13492984647498cf5ac8558ab834a8c63c87d237e1f6211f591de2a9c9.exe" /a
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n1186\s1186.exe

Filesize
220KB

MD5
e2fa37bbdada70ed09883b4f17d0c81a

SHA1
00b1035472dde2678ba7a6f0836a36bbe02e1db6

SHA256
c2e4f6c6fc33a486c8b3620446e421de374d272743efb2b9cc89f2a8ac57a850

SHA512
1ead5dfebbed040c2cfafa3da681d986a4ee9d99caa6f0571f981234a3d399586fd344ab6aa0c27c5c4bcd430293341d629cb89e62a92cd1fe8bdad2408f0631

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1186\s1186.exe

Filesize
220KB

MD5
e2fa37bbdada70ed09883b4f17d0c81a

SHA1
00b1035472dde2678ba7a6f0836a36bbe02e1db6

SHA256
c2e4f6c6fc33a486c8b3620446e421de374d272743efb2b9cc89f2a8ac57a850

SHA512
1ead5dfebbed040c2cfafa3da681d986a4ee9d99caa6f0571f981234a3d399586fd344ab6aa0c27c5c4bcd430293341d629cb89e62a92cd1fe8bdad2408f0631

Download Submit
\Users\Admin\AppData\Local\Temp\n1186\s1186.exe

Filesize
220KB

MD5
e2fa37bbdada70ed09883b4f17d0c81a

SHA1
00b1035472dde2678ba7a6f0836a36bbe02e1db6

SHA256
c2e4f6c6fc33a486c8b3620446e421de374d272743efb2b9cc89f2a8ac57a850

SHA512
1ead5dfebbed040c2cfafa3da681d986a4ee9d99caa6f0571f981234a3d399586fd344ab6aa0c27c5c4bcd430293341d629cb89e62a92cd1fe8bdad2408f0631

Download Submit
\Users\Admin\AppData\Local\Temp\n1186\s1186.exe

Filesize
220KB

MD5
e2fa37bbdada70ed09883b4f17d0c81a

SHA1
00b1035472dde2678ba7a6f0836a36bbe02e1db6

SHA256
c2e4f6c6fc33a486c8b3620446e421de374d272743efb2b9cc89f2a8ac57a850

SHA512
1ead5dfebbed040c2cfafa3da681d986a4ee9d99caa6f0571f981234a3d399586fd344ab6aa0c27c5c4bcd430293341d629cb89e62a92cd1fe8bdad2408f0631

Download Submit
\Users\Admin\AppData\Local\Temp\n1186\s1186.exe

Filesize
220KB

MD5
e2fa37bbdada70ed09883b4f17d0c81a

SHA1
00b1035472dde2678ba7a6f0836a36bbe02e1db6

SHA256
c2e4f6c6fc33a486c8b3620446e421de374d272743efb2b9cc89f2a8ac57a850

SHA512
1ead5dfebbed040c2cfafa3da681d986a4ee9d99caa6f0571f981234a3d399586fd344ab6aa0c27c5c4bcd430293341d629cb89e62a92cd1fe8bdad2408f0631

Download Submit
\Users\Admin\AppData\Local\Temp\n1186\s1186.exe

Filesize
220KB

MD5
e2fa37bbdada70ed09883b4f17d0c81a

SHA1
00b1035472dde2678ba7a6f0836a36bbe02e1db6

SHA256
c2e4f6c6fc33a486c8b3620446e421de374d272743efb2b9cc89f2a8ac57a850

SHA512
1ead5dfebbed040c2cfafa3da681d986a4ee9d99caa6f0571f981234a3d399586fd344ab6aa0c27c5c4bcd430293341d629cb89e62a92cd1fe8bdad2408f0631

Download Submit
memory/704-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/1048-62-0x000007FEF31A0000-0x000007FEF3BC3000-memory.dmp

Filesize
10.1MB

Download
memory/1048-63-0x000007FEF2100000-0x000007FEF3196000-memory.dmp

Filesize
16.6MB

Download
memory/1048-64-0x00000000009F6000-0x0000000000A15000-memory.dmp

Filesize
124KB

Download
memory/1048-65-0x000007FEEDB40000-0x000007FEEE9CF000-memory.dmp

Filesize
14.6MB

Download
memory/1048-66-0x000007FEF1E10000-0x000007FEF20FA000-memory.dmp

Filesize
2.9MB

Download
memory/1048-67-0x00000000009F6000-0x0000000000A15000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing