eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5

General

Target

eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe
Size

252KB
MD5

092942560c7a576438c879e43d06aac0
SHA1

f83160f825d02cd201e97d1ff67760ae78bdcc82
SHA256

eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5
SHA512

e3ca001bd053a88481740f1fde473d8afe53a29aed5e70b2042308b799d0f07017c9676f324a0e0f7d67b3f0929d59d90aba07c337e8b14e4b3050ea41fb09bb
SSDEEP

3072:tp7jNS6SZVOj+L0MNdoHp920QC5D2/g4DoOvaePcqN:t1+L3doJU0LZIHE

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 856 set thread context of 884	856	eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe	22

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
856	eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 884	856	eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe	22
PID 856 wrote to memory of 884	856	eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe	22
PID 856 wrote to memory of 884	856	eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe	22
PID 856 wrote to memory of 884	856	eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe	22
PID 856 wrote to memory of 884	856	eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe	22
PID 856 wrote to memory of 884	856	eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe	22
PID 856 wrote to memory of 884	856	eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe	22
PID 856 wrote to memory of 884	856	eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe	22
PID 856 wrote to memory of 884	856	eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe	22
PID 856 wrote to memory of 884	856	eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe	22

C:\Users\Admin\AppData\Local\Temp\eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe
"C:\Users\Admin\AppData\Local\Temp\eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe
  "C:\Users\Admin\AppData\Local\Temp\eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe"
  2⤵
  PID:884
- - C:\Users\Admin\AppData\Roaming\Host.exe
    "C:\Users\Admin\AppData\Roaming\Host.exe" -m C:\Users\Admin\AppData\Local\Temp\eba0423cf90cfc60111930c9ecdd8386ce35bd55fd6e630aca88294eb95af0b5.exe
    3⤵
    PID:2044

C:\Users\Admin\AppData\Roaming\Host.exe
"C:\Users\Admin\AppData\Roaming\Host.exe"
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Host.exe

Filesize
13KB

MD5
5f90f46ad499095c97f04ae93dd4ba78

SHA1
aa2dee7e7a950c5c933e4d1c32c61def62d745fd

SHA256
91ec529016326bd3a65d57ec3116c067b329d45d5f24c49bc04cce4eac7b4afa

SHA512
e59b8b980ed9ab494be22a2660e5dcae83915a1b44ad5252905b7c84f554998570e7dc8970bfad404809164fcc6dedb84145d002f5ce9c19289b58fc6d59fd9c

Download Submit
C:\Users\Admin\AppData\Roaming\Host.exe

Filesize
25KB

MD5
d86a49212fe00ae1cf434cb7fa8d53bc

SHA1
31a981a9134574ad8def6ce35c4d40592af1102a

SHA256
feda1b1e3ce0fbc2fdfc280a759ca017dbd65d793f48fcbff0b8fa1fbf3d6cdd

SHA512
a075632c077aed8ec0b0022275c58ccd17ad584dacd64d081a29a93a2e265af0313f4b1f286f679f039bb9818a0c3615b3662319122ace7d3174d809a209e42d

Download Submit
C:\Users\Admin\AppData\Roaming\Host.exe

Filesize
13KB

MD5
6e51f217d1610f37aadec4ae0aae99a0

SHA1
ce7c7e8476e9727f80417f40e090a38837abb899

SHA256
d85665a45d97348db1280f876bf59b4bc3fd4b353d03d76ea8a0f8ee3518a9de

SHA512
f92b2f89031f58d4dcb05a95b2b41a2af8010b5aec0dd332743fde7a55236e44f027f6496f082bf5175926ab5afd6f0125711aaa00da4159b1c937d005fa90eb

Download Submit
\Users\Admin\AppData\Roaming\Host.exe

Filesize
41KB

MD5
ae990a2d110e070478a7070313f3ca0e

SHA1
09b01566c287b22447fa9291a777d2d55b38c9b7

SHA256
883ccd006e85eb22bf52483bd96f0d3618c43843fc7a098866b7aa6f9c40d02b

SHA512
c76c7359cf002be38feedd8bf94f6c6a5c40e045791f6c5848ac604a64313e8941dc0fd2c7d17b36b881365f805dbb225463a46ff9cf1fe9f569d89c0e365578

Download Submit
\Users\Admin\AppData\Roaming\Host.exe

Filesize
30KB

MD5
6474a8f482c1682c59e288b21ffb6280

SHA1
1a6b165ee6bc388a00849820e44512ff49140382

SHA256
01348151fc20883c4f6fb3b6dcd325a3e9056c6066b71a558e49b810c17e8193

SHA512
09e18eda3981381d956fc86024c107e82d238518b93e3499d2cc9e2ffbbed8b3ec51b2b110a7cf08bffc1ec357cb36fb78bf8a54904f04b99a170df944eafcb1

Download Submit
memory/884-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/884-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/884-59-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/884-56-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/884-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/884-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/884-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/884-67-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/884-68-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1992-91-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing