0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae

General

Target

0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe
Size

301KB
MD5

1d5d261a779af4678b3dc23a59d27ab4
SHA1

774c0aa0ddaf4661f6af542a47b5f5eca9033164
SHA256

0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae
SHA512

d606ef7bffd1596cf857a37c9e2fe23a43cd8cbfe09ea2198df7c97438419835118b863d9244d5d70b1c9a19c57ff7832bd5f882f1a2baca13214f29cfd61e2f
SSDEEP

1536:+FIR3qYSCWVAcLtEf7rzs5Qx5EiVESK5XLw46RY:+eR3xRcLtED8+x5ERSKybRY

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1488	0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe
1076	BypassXtrap.exe

Loads dropped DLL 4 IoCs

pid	Process
872	0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe
872	0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe
1488	0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe
1488	0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 1488	872	0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe	27
PID 872 wrote to memory of 1488	872	0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe	27
PID 872 wrote to memory of 1488	872	0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe	27
PID 872 wrote to memory of 1488	872	0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe	27
PID 1488 wrote to memory of 1076	1488	0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe	28
PID 1488 wrote to memory of 1076	1488	0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe	28
PID 1488 wrote to memory of 1076	1488	0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe	28
PID 1488 wrote to memory of 1076	1488	0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe	28
PID 1488 wrote to memory of 1564	1488	0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe	30
PID 1488 wrote to memory of 1564	1488	0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe	30
PID 1488 wrote to memory of 1564	1488	0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe	30
PID 1488 wrote to memory of 1564	1488	0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe	30

C:\Users\Admin\AppData\Local\Temp\0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe
"C:\Users\Admin\AppData\Local\Temp\0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Roaming\0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe
  "C:\Users\Admin\AppData\Roaming\0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Users\Admin\AppData\Local\Temp\BypassXtrap.exe
    "C:\Users\Admin\AppData\Local\Temp\BypassXtrap.exe"
    3⤵
    - Executes dropped EXE
    PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Roaming\0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe" >> NUL
    3⤵
    PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BypassXtrap.exe

Filesize
46KB

MD5
1a8136e1c1cdeba7432ad84dbf6b813c

SHA1
0c4ae1bb43f474cb5773d83eaa537f9bcb0ac9ea

SHA256
18d2c9c568d7e2d9e8b43e3ab2821adb7f4c89c1bb1a4c19eb26198526036176

SHA512
efdb7fc725c269f355331fc024ff34345279557bd0ae3b5015959c1268dcd5118f5089e0ece2023c3cfbbc3a4bf24d4662256a92dfae997c6db622bec0c07e60

Download Submit
C:\Users\Admin\AppData\Roaming\0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe

Filesize
301KB

MD5
1d5d261a779af4678b3dc23a59d27ab4

SHA1
774c0aa0ddaf4661f6af542a47b5f5eca9033164

SHA256
0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae

SHA512
d606ef7bffd1596cf857a37c9e2fe23a43cd8cbfe09ea2198df7c97438419835118b863d9244d5d70b1c9a19c57ff7832bd5f882f1a2baca13214f29cfd61e2f

Download Submit
\Users\Admin\AppData\Local\Temp\BypassXtrap.exe

Filesize
46KB

MD5
1a8136e1c1cdeba7432ad84dbf6b813c

SHA1
0c4ae1bb43f474cb5773d83eaa537f9bcb0ac9ea

SHA256
18d2c9c568d7e2d9e8b43e3ab2821adb7f4c89c1bb1a4c19eb26198526036176

SHA512
efdb7fc725c269f355331fc024ff34345279557bd0ae3b5015959c1268dcd5118f5089e0ece2023c3cfbbc3a4bf24d4662256a92dfae997c6db622bec0c07e60

Download Submit
\Users\Admin\AppData\Local\Temp\BypassXtrap.exe

Filesize
46KB

MD5
1a8136e1c1cdeba7432ad84dbf6b813c

SHA1
0c4ae1bb43f474cb5773d83eaa537f9bcb0ac9ea

SHA256
18d2c9c568d7e2d9e8b43e3ab2821adb7f4c89c1bb1a4c19eb26198526036176

SHA512
efdb7fc725c269f355331fc024ff34345279557bd0ae3b5015959c1268dcd5118f5089e0ece2023c3cfbbc3a4bf24d4662256a92dfae997c6db622bec0c07e60

Download Submit
\Users\Admin\AppData\Roaming\0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe

Filesize
301KB

MD5
1d5d261a779af4678b3dc23a59d27ab4

SHA1
774c0aa0ddaf4661f6af542a47b5f5eca9033164

SHA256
0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae

SHA512
d606ef7bffd1596cf857a37c9e2fe23a43cd8cbfe09ea2198df7c97438419835118b863d9244d5d70b1c9a19c57ff7832bd5f882f1a2baca13214f29cfd61e2f

Download Submit
\Users\Admin\AppData\Roaming\0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae.exe

Filesize
301KB

MD5
1d5d261a779af4678b3dc23a59d27ab4

SHA1
774c0aa0ddaf4661f6af542a47b5f5eca9033164

SHA256
0a1682a42d9ad4f975596ebf6f0bf82f8b7809a48aa875d58d325357e5f582ae

SHA512
d606ef7bffd1596cf857a37c9e2fe23a43cd8cbfe09ea2198df7c97438419835118b863d9244d5d70b1c9a19c57ff7832bd5f882f1a2baca13214f29cfd61e2f

Download Submit
memory/872-60-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/872-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/872-55-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1076-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1076-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1488-67-0x00000000035A0000-0x00000000035DF000-memory.dmp

Filesize
252KB

Download
memory/1488-69-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1488-66-0x00000000035A0000-0x00000000035DF000-memory.dmp

Filesize
252KB

Download
memory/1488-73-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing