ca473f54bd4c34ea40e7e662b9449a9d85b7e844010dad2edf3b9325adad2404

General

Target

ca473f54bd4c34ea40e7e662b9449a9d85b7e844010dad2edf3b9325adad2404.exe
Size

541KB
MD5

6f9f866ff6a695ce7640b1f0ec6a5dc0
SHA1

f0cc35e88d8ebe442d9595ea38ed5da7f5a31775
SHA256

ca473f54bd4c34ea40e7e662b9449a9d85b7e844010dad2edf3b9325adad2404
SHA512

e757b09bddbc5fbc444b7e276456f42b9850c26ac1e5a0430d8492c3b177e1a4877c5bda32940f62a4cc1bd9d7dbb34817913f97bf6ef13e50af04afa3edbcdc
SSDEEP

12288:tVOQcNRBIcArtmiwHnp8neREpu2fR4Z0u19M/:tA7B85wHpueupu2fR7uTM/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1796	setup.exe

Loads dropped DLL 5 IoCs

pid	Process
1264	ca473f54bd4c34ea40e7e662b9449a9d85b7e844010dad2edf3b9325adad2404.exe
1264	ca473f54bd4c34ea40e7e662b9449a9d85b7e844010dad2edf3b9325adad2404.exe
1264	ca473f54bd4c34ea40e7e662b9449a9d85b7e844010dad2edf3b9325adad2404.exe
1264	ca473f54bd4c34ea40e7e662b9449a9d85b7e844010dad2edf3b9325adad2404.exe
1264	ca473f54bd4c34ea40e7e662b9449a9d85b7e844010dad2edf3b9325adad2404.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1796	setup.exe
1796	setup.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 1796	1264	ca473f54bd4c34ea40e7e662b9449a9d85b7e844010dad2edf3b9325adad2404.exe	31
PID 1264 wrote to memory of 1796	1264	ca473f54bd4c34ea40e7e662b9449a9d85b7e844010dad2edf3b9325adad2404.exe	31
PID 1264 wrote to memory of 1796	1264	ca473f54bd4c34ea40e7e662b9449a9d85b7e844010dad2edf3b9325adad2404.exe	31
PID 1264 wrote to memory of 1796	1264	ca473f54bd4c34ea40e7e662b9449a9d85b7e844010dad2edf3b9325adad2404.exe	31

C:\Users\Admin\AppData\Local\Temp\ca473f54bd4c34ea40e7e662b9449a9d85b7e844010dad2edf3b9325adad2404.exe
"C:\Users\Admin\AppData\Local\Temp\ca473f54bd4c34ea40e7e662b9449a9d85b7e844010dad2edf3b9325adad2404.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\DM\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\DM\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DM\parent.txt

Filesize
541KB

MD5
6f9f866ff6a695ce7640b1f0ec6a5dc0

SHA1
f0cc35e88d8ebe442d9595ea38ed5da7f5a31775

SHA256
ca473f54bd4c34ea40e7e662b9449a9d85b7e844010dad2edf3b9325adad2404

SHA512
e757b09bddbc5fbc444b7e276456f42b9850c26ac1e5a0430d8492c3b177e1a4877c5bda32940f62a4cc1bd9d7dbb34817913f97bf6ef13e50af04afa3edbcdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\setup.exe

Filesize
102KB

MD5
852ebf2750ec8c606b154d8464f91ac7

SHA1
3f255de0a82ae831e0d580d5805a968609ccdc08

SHA256
ae11ceb850659751fc95152696ccd8e4bbaa2908fcd5769651acd965a87d69f6

SHA512
7845a8c417f002df013290d9a1beeb41b165051337d7a5443dc0089003cab2fe7990d41345f1077a300689b75bfd07c5689f0f65ef0d06eba6777d242653820f

Download Submit
\Users\Admin\AppData\Local\Temp\DM\setup.exe

Filesize
102KB

MD5
852ebf2750ec8c606b154d8464f91ac7

SHA1
3f255de0a82ae831e0d580d5805a968609ccdc08

SHA256
ae11ceb850659751fc95152696ccd8e4bbaa2908fcd5769651acd965a87d69f6

SHA512
7845a8c417f002df013290d9a1beeb41b165051337d7a5443dc0089003cab2fe7990d41345f1077a300689b75bfd07c5689f0f65ef0d06eba6777d242653820f

Download Submit
\Users\Admin\AppData\Local\Temp\DM\setup.exe

Filesize
102KB

MD5
852ebf2750ec8c606b154d8464f91ac7

SHA1
3f255de0a82ae831e0d580d5805a968609ccdc08

SHA256
ae11ceb850659751fc95152696ccd8e4bbaa2908fcd5769651acd965a87d69f6

SHA512
7845a8c417f002df013290d9a1beeb41b165051337d7a5443dc0089003cab2fe7990d41345f1077a300689b75bfd07c5689f0f65ef0d06eba6777d242653820f

Download Submit
\Users\Admin\AppData\Local\Temp\DM\setup.exe

Filesize
102KB

MD5
852ebf2750ec8c606b154d8464f91ac7

SHA1
3f255de0a82ae831e0d580d5805a968609ccdc08

SHA256
ae11ceb850659751fc95152696ccd8e4bbaa2908fcd5769651acd965a87d69f6

SHA512
7845a8c417f002df013290d9a1beeb41b165051337d7a5443dc0089003cab2fe7990d41345f1077a300689b75bfd07c5689f0f65ef0d06eba6777d242653820f

Download Submit
\Users\Admin\AppData\Local\Temp\DM\setup.exe

Filesize
102KB

MD5
852ebf2750ec8c606b154d8464f91ac7

SHA1
3f255de0a82ae831e0d580d5805a968609ccdc08

SHA256
ae11ceb850659751fc95152696ccd8e4bbaa2908fcd5769651acd965a87d69f6

SHA512
7845a8c417f002df013290d9a1beeb41b165051337d7a5443dc0089003cab2fe7990d41345f1077a300689b75bfd07c5689f0f65ef0d06eba6777d242653820f

Download Submit
\Users\Admin\AppData\Local\Temp\DM\setup.exe

Filesize
102KB

MD5
852ebf2750ec8c606b154d8464f91ac7

SHA1
3f255de0a82ae831e0d580d5805a968609ccdc08

SHA256
ae11ceb850659751fc95152696ccd8e4bbaa2908fcd5769651acd965a87d69f6

SHA512
7845a8c417f002df013290d9a1beeb41b165051337d7a5443dc0089003cab2fe7990d41345f1077a300689b75bfd07c5689f0f65ef0d06eba6777d242653820f

Download Submit
memory/1264-54-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download
memory/1796-62-0x000007FEF4A00000-0x000007FEF5423000-memory.dmp

Filesize
10.1MB

Download
memory/1796-63-0x000007FEF3720000-0x000007FEF47B6000-memory.dmp

Filesize
16.6MB

Download
memory/1796-64-0x000007FEFC581000-0x000007FEFC583000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing