6efdaec1d498bab7cb960066b8aa4516678bc6cdde5874f50c8a5c3f0192994b

General

Target

6efdaec1d498bab7cb960066b8aa4516678bc6cdde5874f50c8a5c3f0192994b.exe
Size

148KB
MD5

60097d78b0b4e566099f115ba4258b09
SHA1

2ae031bf261efda6ddc41d1f328b59e66e87c3a9
SHA256

6efdaec1d498bab7cb960066b8aa4516678bc6cdde5874f50c8a5c3f0192994b
SHA512

dd0520534f2bbadd645e7fcbf92a55713f26428fbec34d094095ce6d5c24c84afa35ed4ca9fe391b68e068a54c898e3578d31fd2fbeed9cc6d788425abb0b7d4
SSDEEP

3072:867ujHo5TeowSj6c0EOlavl+rB3BfS8dOo:86qjI5TZLjcEOQvlovK8dOo

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1604	WcxG2PFxN88niE2.exe

Deletes itself 1 IoCs

pid	Process
1608	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
820	cmd.exe
820	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 820	1300	6efdaec1d498bab7cb960066b8aa4516678bc6cdde5874f50c8a5c3f0192994b.exe	27
PID 1300 wrote to memory of 820	1300	6efdaec1d498bab7cb960066b8aa4516678bc6cdde5874f50c8a5c3f0192994b.exe	27
PID 1300 wrote to memory of 820	1300	6efdaec1d498bab7cb960066b8aa4516678bc6cdde5874f50c8a5c3f0192994b.exe	27
PID 1300 wrote to memory of 820	1300	6efdaec1d498bab7cb960066b8aa4516678bc6cdde5874f50c8a5c3f0192994b.exe	27
PID 1300 wrote to memory of 1608	1300	6efdaec1d498bab7cb960066b8aa4516678bc6cdde5874f50c8a5c3f0192994b.exe	29
PID 1300 wrote to memory of 1608	1300	6efdaec1d498bab7cb960066b8aa4516678bc6cdde5874f50c8a5c3f0192994b.exe	29
PID 1300 wrote to memory of 1608	1300	6efdaec1d498bab7cb960066b8aa4516678bc6cdde5874f50c8a5c3f0192994b.exe	29
PID 1300 wrote to memory of 1608	1300	6efdaec1d498bab7cb960066b8aa4516678bc6cdde5874f50c8a5c3f0192994b.exe	29
PID 820 wrote to memory of 1604	820	cmd.exe	31
PID 820 wrote to memory of 1604	820	cmd.exe	31
PID 820 wrote to memory of 1604	820	cmd.exe	31
PID 820 wrote to memory of 1604	820	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\6efdaec1d498bab7cb960066b8aa4516678bc6cdde5874f50c8a5c3f0192994b.exe
"C:\Users\Admin\AppData\Local\Temp\6efdaec1d498bab7cb960066b8aa4516678bc6cdde5874f50c8a5c3f0192994b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\WcxG2PFxN88niE2.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\WcxG2PFxN88niE2.exe
    "C:\Users\Admin\AppData\Local\Temp\WcxG2PFxN88niE2.exe"
    3⤵
    - Executes dropped EXE
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\6efdaec1d498bab7cb960066b8aa4516678bc6cdde5874f50c8a5c3f0192994b.exe.bat" "
  2⤵
  - Deletes itself
  PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6efdaec1d498bab7cb960066b8aa4516678bc6cdde5874f50c8a5c3f0192994b.exe.bat

Filesize
525B

MD5
20e15bcae79c366708bc8d47897d535a

SHA1
f05183d60140d4875f0717bc200f596e0b31354d

SHA256
59829c85ffa3a80a827215f394c6d03eb9358a82e2d9e1e6606bcef06bcdba6e

SHA512
df7bcb5b90178df437bf7f3e1dcb2c6db1bf76d9061e2e0bfb4795bd1e8cb891b2062f9cb077d59b3430ca5c85568a031f715378e23bedfb544783fd295e66b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcxG2PFxN88niE2.exe

Filesize
111KB

MD5
f0711f119c13d4ac131dadc1a10e1e73

SHA1
5add269200c12afc9cebc063db952e93ebc96118

SHA256
b81844f5eb896ae494b06c90cb2fe57e4f546cfac1c8ff367c38e66bdf2872d6

SHA512
7e3bbef2ca3efc9fe324f89e61649c8e5249f04ae505a12e93d074a6074e9313fd106768d917ce961f49d08c0f16162094be49977e431a2913b28aee34c3e814

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcxG2PFxN88niE2.exe

Filesize
111KB

MD5
f0711f119c13d4ac131dadc1a10e1e73

SHA1
5add269200c12afc9cebc063db952e93ebc96118

SHA256
b81844f5eb896ae494b06c90cb2fe57e4f546cfac1c8ff367c38e66bdf2872d6

SHA512
7e3bbef2ca3efc9fe324f89e61649c8e5249f04ae505a12e93d074a6074e9313fd106768d917ce961f49d08c0f16162094be49977e431a2913b28aee34c3e814

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcxG2PFxN88niE2.exe.bat

Filesize
207B

MD5
1c29953850bec03428d8dae06365064d

SHA1
8eb33b34790d8f4c63d60bc43956bfe1b68d5649

SHA256
7ff0677d4d487a47e8492f7d810ac589a53356e06112376ea78616d1d973921d

SHA512
1e9778f605a3d74ee2aa45ce90d72ec3788321ddf1e7d4d0a0c726dd3faee7786e2bea9a6b997a12ccd967c237e8c0d8c17c36aea3a1b3d6093fe14776e4cb90

Download Submit
\Users\Admin\AppData\Local\Temp\WcxG2PFxN88niE2.exe

Filesize
111KB

MD5
f0711f119c13d4ac131dadc1a10e1e73

SHA1
5add269200c12afc9cebc063db952e93ebc96118

SHA256
b81844f5eb896ae494b06c90cb2fe57e4f546cfac1c8ff367c38e66bdf2872d6

SHA512
7e3bbef2ca3efc9fe324f89e61649c8e5249f04ae505a12e93d074a6074e9313fd106768d917ce961f49d08c0f16162094be49977e431a2913b28aee34c3e814

Download Submit
\Users\Admin\AppData\Local\Temp\WcxG2PFxN88niE2.exe

Filesize
111KB

MD5
f0711f119c13d4ac131dadc1a10e1e73

SHA1
5add269200c12afc9cebc063db952e93ebc96118

SHA256
b81844f5eb896ae494b06c90cb2fe57e4f546cfac1c8ff367c38e66bdf2872d6

SHA512
7e3bbef2ca3efc9fe324f89e61649c8e5249f04ae505a12e93d074a6074e9313fd106768d917ce961f49d08c0f16162094be49977e431a2913b28aee34c3e814

Download Submit
memory/820-55-0x0000000000000000-mapping.dmp

Download
memory/1300-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1604-61-0x0000000000000000-mapping.dmp

Download
memory/1608-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing