5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71

General

Target

5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe
Size

207KB
MD5

9018ab3b119bc184db5e6ff7e2c3e710
SHA1

5aeb42974058129afdde14bf4c2374b45394d0ff
SHA256

5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71
SHA512

f700e3b8dc4d97be8e17dce718972dc17f33ad749fb932677591f83de769cedf7024c981d1e773c9354a283b8e2d7be947a26dec956357041856039b5cc16962
SSDEEP

3072:FPWzTT9t3EuU/t7YFguAfbXTjTvxGz6bnIKq63cHPIB:FOvT/UD/x73bXTjTvxGz6bnIKovIB

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1968	Services.exe
1984	System Idle Processes.exe

Deletes itself 1 IoCs

pid	Process
1968	Services.exe

Loads dropped DLL 2 IoCs

pid	Process
908	5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe
1968	Services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1968	Services.exe
1984	System Idle Processes.exe
1968	Services.exe
1968	Services.exe
1984	System Idle Processes.exe
1968	Services.exe
1984	System Idle Processes.exe
1968	Services.exe
1984	System Idle Processes.exe
1968	Services.exe
1984	System Idle Processes.exe
1968	Services.exe
1968	Services.exe
1984	System Idle Processes.exe
1968	Services.exe
1984	System Idle Processes.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	Services.exe
Token: SeDebugPrivilege	1984	System Idle Processes.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
908	5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe
1968	Services.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1968	Services.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 1968	908	5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe	27
PID 908 wrote to memory of 1968	908	5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe	27
PID 908 wrote to memory of 1968	908	5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe	27
PID 908 wrote to memory of 1968	908	5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe	27
PID 908 wrote to memory of 1968	908	5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe	27
PID 908 wrote to memory of 1968	908	5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe	27
PID 908 wrote to memory of 1968	908	5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe	27
PID 1968 wrote to memory of 1984	1968	Services.exe	28
PID 1968 wrote to memory of 1984	1968	Services.exe	28
PID 1968 wrote to memory of 1984	1968	Services.exe	28
PID 1968 wrote to memory of 1984	1968	Services.exe	28

C:\Users\Admin\AppData\Local\Temp\5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe
"C:\Users\Admin\AppData\Local\Temp\5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:908
- C:\Users\Admin\AppData\Roaming\Microsoft\Services.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Services.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Roaming\Microsoft\System Idle Processes.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\System Idle Processes.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
102B

MD5
05429069b75363e69356a70c3770dc89

SHA1
f5183cfe912990a25519dcf7d79de19acf5657c7

SHA256
667c6db11bb025ca540886342d25a04496ab8d2c311a4bb9c5964cb72bd66242

SHA512
b9d9d42e2a2a1f29fb652e133ac1ccff4a3e79482d8899a68135dc06f4ab0ee7cd20a7a3eb342e3117a3ce5d83f563fe73b80635c0093021b8ff4f19f45b878e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Services.exe

Filesize
207KB

MD5
9018ab3b119bc184db5e6ff7e2c3e710

SHA1
5aeb42974058129afdde14bf4c2374b45394d0ff

SHA256
5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71

SHA512
f700e3b8dc4d97be8e17dce718972dc17f33ad749fb932677591f83de769cedf7024c981d1e773c9354a283b8e2d7be947a26dec956357041856039b5cc16962

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Services.exe

Filesize
207KB

MD5
9018ab3b119bc184db5e6ff7e2c3e710

SHA1
5aeb42974058129afdde14bf4c2374b45394d0ff

SHA256
5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71

SHA512
f700e3b8dc4d97be8e17dce718972dc17f33ad749fb932677591f83de769cedf7024c981d1e773c9354a283b8e2d7be947a26dec956357041856039b5cc16962

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\System Idle Processes.exe

Filesize
24KB

MD5
92ce7fb80c508354e5e88fdb6ba6d957

SHA1
c816b6cf0ae62385f6a16696eca2307871e9768d

SHA256
70e66964ddf9b89b7d95e6a30789a3a9aeaa172c238ebbaf289ce8bb7228d44b

SHA512
7a8bccea734b5439e61fcd293fb15573ebd507ce77ae886ff700559074ca76df33ba0c209475055a23f913b767cbcde62c13afd30c9a386ed2c17eec09819b60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\System Idle Processes.exe

Filesize
24KB

MD5
92ce7fb80c508354e5e88fdb6ba6d957

SHA1
c816b6cf0ae62385f6a16696eca2307871e9768d

SHA256
70e66964ddf9b89b7d95e6a30789a3a9aeaa172c238ebbaf289ce8bb7228d44b

SHA512
7a8bccea734b5439e61fcd293fb15573ebd507ce77ae886ff700559074ca76df33ba0c209475055a23f913b767cbcde62c13afd30c9a386ed2c17eec09819b60

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Services.exe

Filesize
207KB

MD5
9018ab3b119bc184db5e6ff7e2c3e710

SHA1
5aeb42974058129afdde14bf4c2374b45394d0ff

SHA256
5d62881376fec05d7f05549220420431e960d8ea4f86fafe65089d3f5151ce71

SHA512
f700e3b8dc4d97be8e17dce718972dc17f33ad749fb932677591f83de769cedf7024c981d1e773c9354a283b8e2d7be947a26dec956357041856039b5cc16962

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\System Idle Processes.exe

Filesize
24KB

MD5
92ce7fb80c508354e5e88fdb6ba6d957

SHA1
c816b6cf0ae62385f6a16696eca2307871e9768d

SHA256
70e66964ddf9b89b7d95e6a30789a3a9aeaa172c238ebbaf289ce8bb7228d44b

SHA512
7a8bccea734b5439e61fcd293fb15573ebd507ce77ae886ff700559074ca76df33ba0c209475055a23f913b767cbcde62c13afd30c9a386ed2c17eec09819b60

Download Submit
memory/908-63-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/908-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/908-56-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/908-55-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-62-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-65-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-71-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-72-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing