c679a35655eaab97c4e62f87ac97f053de9cc478dcc795d84b0383b35bccf241

General

Target

c679a35655eaab97c4e62f87ac97f053de9cc478dcc795d84b0383b35bccf241.exe
Size

508KB
MD5

6253183782e5238c43e139654aaaf974
SHA1

a32b560802eca919150c2a42b9e887d28c69c9aa
SHA256

c679a35655eaab97c4e62f87ac97f053de9cc478dcc795d84b0383b35bccf241
SHA512

7352c67596eda9fbc091c36889792dd503d2e1d588761f427e69f8239527e6bf5be8ea14c7aa56c9fb3a3425d27ad08066660ef92976ec7e5296c30c4f7b413a
SSDEEP

6144:35jZRGjHzpeXbOO2yfwpEf7TXtmDADTyRM2/DdaqifmzNSCBj1tBl9:35jZSp2KSfwtA66EdZifQSst3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1756	ÔÈÍ ÇáÛÑÝå.exe
1340	M!C.exe

Loads dropped DLL 4 IoCs

pid	Process
1356	c679a35655eaab97c4e62f87ac97f053de9cc478dcc795d84b0383b35bccf241.exe
1356	c679a35655eaab97c4e62f87ac97f053de9cc478dcc795d84b0383b35bccf241.exe
1356	c679a35655eaab97c4e62f87ac97f053de9cc478dcc795d84b0383b35bccf241.exe
1356	c679a35655eaab97c4e62f87ac97f053de9cc478dcc795d84b0383b35bccf241.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1340	M!C.exe
1340	M!C.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1756	ÔÈÍ ÇáÛÑÝå.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 1756	1356	c679a35655eaab97c4e62f87ac97f053de9cc478dcc795d84b0383b35bccf241.exe	28
PID 1356 wrote to memory of 1756	1356	c679a35655eaab97c4e62f87ac97f053de9cc478dcc795d84b0383b35bccf241.exe	28
PID 1356 wrote to memory of 1756	1356	c679a35655eaab97c4e62f87ac97f053de9cc478dcc795d84b0383b35bccf241.exe	28
PID 1356 wrote to memory of 1756	1356	c679a35655eaab97c4e62f87ac97f053de9cc478dcc795d84b0383b35bccf241.exe	28
PID 1356 wrote to memory of 1340	1356	c679a35655eaab97c4e62f87ac97f053de9cc478dcc795d84b0383b35bccf241.exe	29
PID 1356 wrote to memory of 1340	1356	c679a35655eaab97c4e62f87ac97f053de9cc478dcc795d84b0383b35bccf241.exe	29
PID 1356 wrote to memory of 1340	1356	c679a35655eaab97c4e62f87ac97f053de9cc478dcc795d84b0383b35bccf241.exe	29
PID 1356 wrote to memory of 1340	1356	c679a35655eaab97c4e62f87ac97f053de9cc478dcc795d84b0383b35bccf241.exe	29
PID 1340 wrote to memory of 1204	1340	M!C.exe	15
PID 1340 wrote to memory of 1204	1340	M!C.exe	15
PID 1340 wrote to memory of 1204	1340	M!C.exe	15
PID 1340 wrote to memory of 1204	1340	M!C.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\c679a35655eaab97c4e62f87ac97f053de9cc478dcc795d84b0383b35bccf241.exe
  "C:\Users\Admin\AppData\Local\Temp\c679a35655eaab97c4e62f87ac97f053de9cc478dcc795d84b0383b35bccf241.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\ÔÈÍ ÇáÛÑÝå.exe
    "C:\Users\Admin\AppData\Local\Temp\ÔÈÍ ÇáÛÑÝå.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1756
- - C:\Users\Admin\AppData\Local\Temp\M!C.exe
    "C:\Users\Admin\AppData\Local\Temp\M!C.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\M!C.exe

Filesize
241KB

MD5
f276868cb2495b7a57c73a9be3e7ac41

SHA1
c594c94a349261ea8b682e11fbd57df25725daee

SHA256
a90e87df25130c24ee781cd649e48a316e392b3e1d947f890e9f1310fca0a76b

SHA512
7a6c4ac3d97e4bebca042d1f7ef7f8146218d40f3d63c550effb04edf1730f21784b25af7e911db6b898b421506385f9c238082e24132907632674d1527cc5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\M!C.exe

Filesize
241KB

MD5
f276868cb2495b7a57c73a9be3e7ac41

SHA1
c594c94a349261ea8b682e11fbd57df25725daee

SHA256
a90e87df25130c24ee781cd649e48a316e392b3e1d947f890e9f1310fca0a76b

SHA512
7a6c4ac3d97e4bebca042d1f7ef7f8146218d40f3d63c550effb04edf1730f21784b25af7e911db6b898b421506385f9c238082e24132907632674d1527cc5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÔÈÍ ÇáÛÑÝå.exe

Filesize
232KB

MD5
bad55d7ac39dad3f82fdce3b3cda8491

SHA1
9a001ad1ec81bcbcaf17b1b5e29a781e559ab116

SHA256
07740f960d007ed4ae1189bc861476e6a19680681c48ce9979b76dd59b0a456c

SHA512
a8fc121d45c6cebb8d084f657ff79acdea801b99f3e890d19b8cf5ec41a5d7683bb1d82c7e6c6b3da1d5bc9289e6d55206c41f82d28be2d0f5759bc73d099863

Download Submit
\Users\Admin\AppData\Local\Temp\M!C.exe

Filesize
241KB

MD5
f276868cb2495b7a57c73a9be3e7ac41

SHA1
c594c94a349261ea8b682e11fbd57df25725daee

SHA256
a90e87df25130c24ee781cd649e48a316e392b3e1d947f890e9f1310fca0a76b

SHA512
7a6c4ac3d97e4bebca042d1f7ef7f8146218d40f3d63c550effb04edf1730f21784b25af7e911db6b898b421506385f9c238082e24132907632674d1527cc5f1

Download Submit
\Users\Admin\AppData\Local\Temp\M!C.exe

Filesize
241KB

MD5
f276868cb2495b7a57c73a9be3e7ac41

SHA1
c594c94a349261ea8b682e11fbd57df25725daee

SHA256
a90e87df25130c24ee781cd649e48a316e392b3e1d947f890e9f1310fca0a76b

SHA512
7a6c4ac3d97e4bebca042d1f7ef7f8146218d40f3d63c550effb04edf1730f21784b25af7e911db6b898b421506385f9c238082e24132907632674d1527cc5f1

Download Submit
\Users\Admin\AppData\Local\Temp\ÔÈÍ ÇáÛÑÝå.exe

Filesize
232KB

MD5
bad55d7ac39dad3f82fdce3b3cda8491

SHA1
9a001ad1ec81bcbcaf17b1b5e29a781e559ab116

SHA256
07740f960d007ed4ae1189bc861476e6a19680681c48ce9979b76dd59b0a456c

SHA512
a8fc121d45c6cebb8d084f657ff79acdea801b99f3e890d19b8cf5ec41a5d7683bb1d82c7e6c6b3da1d5bc9289e6d55206c41f82d28be2d0f5759bc73d099863

Download Submit
\Users\Admin\AppData\Local\Temp\ÔÈÍ ÇáÛÑÝå.exe

Filesize
232KB

MD5
bad55d7ac39dad3f82fdce3b3cda8491

SHA1
9a001ad1ec81bcbcaf17b1b5e29a781e559ab116

SHA256
07740f960d007ed4ae1189bc861476e6a19680681c48ce9979b76dd59b0a456c

SHA512
a8fc121d45c6cebb8d084f657ff79acdea801b99f3e890d19b8cf5ec41a5d7683bb1d82c7e6c6b3da1d5bc9289e6d55206c41f82d28be2d0f5759bc73d099863

Download Submit
memory/1204-72-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1340-65-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1340-67-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/1340-68-0x0000000001F11000-0x0000000001F15000-memory.dmp

Filesize
16KB

Download
memory/1340-69-0x00000000002D1000-0x00000000002D5000-memory.dmp

Filesize
16KB

Download
memory/1340-70-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1340-76-0x0000000001DC0000-0x0000000001EC0000-memory.dmp

Filesize
1024KB

Download
memory/1340-75-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1340-77-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/1356-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing