7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab

General

Target

7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe
Size

144KB
MD5

0c365cba15e598862209111406bf7f60
SHA1

dccffca85d86b48c87211535f829af04b08f9658
SHA256

7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab
SHA512

457c4dd0c0192b31e5e4cf8c61004fea6aa80a4e6dfc404cbd47ee25780dc422ca1c070e9f08f6439bd59c9cbe7e2fb4066921d4213c4dae797ab9f30cd7be57
SSDEEP

3072:1PX9R7EBKmMDhrrWjB5HRdo8g0Ec0p6LzgP+QiS:FNR7EBKPNr40/pUzu+

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe

description	pid	process	target process
PID 1760 set thread context of 1824	1760	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe

pid process

1760 7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe

pid	process
1760	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe

description	pid	process	target process
PID 1760 wrote to memory of 1824	1760	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe
PID 1760 wrote to memory of 1824	1760	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe
PID 1760 wrote to memory of 1824	1760	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe
PID 1760 wrote to memory of 1824	1760	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe
PID 1760 wrote to memory of 1824	1760	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe
PID 1760 wrote to memory of 1824	1760	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe
PID 1760 wrote to memory of 1824	1760	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe
PID 1760 wrote to memory of 1824	1760	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe
PID 1760 wrote to memory of 1824	1760	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe
PID 1760 wrote to memory of 1824	1760	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe	7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe

C:\Users\Admin\AppData\Local\Temp\7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe
"C:\Users\Admin\AppData\Local\Temp\7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe
"C:\Users\Admin\AppData\Local\Temp\7f0d8248f9ab9ce3c044d67a677c85cf421a086da32d9756784fc820596f14ab.exe"
2⤵
PID:1824

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
PID:1488

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
PID:820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
30KB

MD5
e364abfc2b7403fa7e990770a65d9100

SHA1
4a2187ae7128c194de3e1fce8fcc3369116e59c6

SHA256
fec03a8dd17e4417e0915717f0712c777f6e4b92dc2f77b8b95c2002e4211ca5

SHA512
c5ec37b4198f588c6ac4a3d1237e76619c0d9e075112d148f6efb41bfad61a0a04ccaad71ba85aeddbf6108cf74b6f19eb6c10ac7f3fae58f4861670a56981d9

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
35KB

MD5
9b3f46e2cd39e53639222aa51e2ba725

SHA1
f8ab16f40cc24fc4495962b1dd627a6c056538da

SHA256
cc3a11ff9ebc288d515ed1475e9019bf68ca83654d66b66772e69f0be79db7b1

SHA512
058b74daee39a08531ebdf00a38be1fdd779dc4968c9eff8faf92102b3a3b28fc4c64afc00a18a487a44cedd3881a485a140a1999188ff0a739d9502f2de2d01

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
28KB

MD5
63d91575b05560fc97f08e762d78e077

SHA1
e17d3ca5670cde59bcd661e23c85f6b7a715a4bf

SHA256
a3444abf18353d1665092ec6c07e4ed65db789187dcfa968ab16f7cd240890d9

SHA512
183d132af3a2712d27f8e349f3fc3a98786ff235d8c16bd44b1d5f64d4d1b861975a85f693b8700aaf1d2e35f593070bfe665822e644cf5865d491749f1846ab

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
21KB

MD5
0267964709300e63cd5d9ae3721bb52b

SHA1
36d85fbd0d3f17deb73ea508ec320ac0950a0df4

SHA256
af16d47ef86d405af347f4145b1f08aa63b51a262210289b614a65fee216938f

SHA512
2a3a665c2946f95bf8733744cdb8a28065f9265acf192ab478c4e88ec5a03e322b4f4aaf890d41b351e8807df07d83f1bbac411bd708ebacce802c7a470d9191

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
33KB

MD5
63ecd1cb4f5775c4e7029d83e40c23e2

SHA1
c4cba44fcf36d88d9dd14529726c5e9c93272b93

SHA256
d0e72ef4dc358e816e842d1d7c49daecde6b9e3d52e619122639a8524fbe707e

SHA512
7f5eb19d084fc9949d245cb048dfdcfb7ac77812d75b35174e5a50ddbabdb703af6c67d48bf8f747380d669e34a0e68e6ed54cb471f07ab798abe669daed7790

Download Submit
memory/820-79-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/820-73-0x0000000000401FEC-mapping.dmp

Download
memory/820-78-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1488-66-0x0000000000000000-mapping.dmp

Download
memory/1488-70-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1488-76-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1760-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1760-61-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1824-63-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1824-57-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1824-58-0x0000000000401FEC-mapping.dmp

Download
memory/1824-60-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1824-62-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing