c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50

General

Target

c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50.exe
Size

146KB
MD5

0cc00c7a3e291a5d7fa675836bc72467
SHA1

2626228708b77bd3de28c0d1677001c1f08ae04d
SHA256

c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50
SHA512

82b38a8f6e5bd68bc110893dca2da8d632c10b69b6efa79717dc29161f19ee2021591dbb9357fa2336fc950e6fe290c832754ea453026e64cff12d4a6b5b6c6e
SSDEEP

3072:b1dlKwgj23+Oz05YoNoz+YUFrdXuC72N4Mia9Ib2IUfAAW:b1dlZro5yU3yuMf6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1948	server.exe

Loads dropped DLL 2 IoCs

pid	Process
1612	c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50.exe
1612	c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1948	server.exe
1948	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1376	DllHost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1948	1612	c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50.exe	26
PID 1612 wrote to memory of 1948	1612	c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50.exe	26
PID 1612 wrote to memory of 1948	1612	c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50.exe	26
PID 1612 wrote to memory of 1948	1612	c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50.exe	26
PID 1948 wrote to memory of 1356	1948	server.exe	11
PID 1948 wrote to memory of 1356	1948	server.exe	11
PID 1948 wrote to memory of 1356	1948	server.exe	11
PID 1948 wrote to memory of 1356	1948	server.exe	11
PID 1948 wrote to memory of 1356	1948	server.exe	11
PID 1948 wrote to memory of 1356	1948	server.exe	11

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1356
- C:\Users\Admin\AppData\Local\Temp\c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50.exe
  "C:\Users\Admin\AppData\Local\Temp\c1e0b53dfeedd9bda17fb331feee5e001f650fa13d1304f4bf5fbc87b5611c50.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1948

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\394959_196467910443352_100002404341450_394854_665012508_n.jpg

Filesize
21KB

MD5
3f1fe4a23b26b5889ae073a6931d1c40

SHA1
b9b8423216a14d0184e3dd90abe71f23bc65abe7

SHA256
644b37108689d09af37370ac8c80991a1cbe13d4a212f6ab4e6986092bf11452

SHA512
4ab5223686a84c7c0e5e1731b3001240afa13da79384f9299bc31788ba51a44e3bdf1a616d7a40413732f3953748f10096d2cff179444794487f2af08cf27d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
28KB

MD5
051962ed139b40cfb0df9eb6e2472614

SHA1
f06ccb91bc5c9286d1fde8d157e9ef717ec57397

SHA256
2e94ec0996603c6daa4a966e7899c0f72e07283087eaf85653031cf22c129014

SHA512
46404da469d82b8821e7a6f428956e4c57342ec9b4a8ed87c7341034e6e58647e622b086cfa7960edb1d7c71a6b9d73947c64e9ba55456f10a607470bf12934a

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
28KB

MD5
051962ed139b40cfb0df9eb6e2472614

SHA1
f06ccb91bc5c9286d1fde8d157e9ef717ec57397

SHA256
2e94ec0996603c6daa4a966e7899c0f72e07283087eaf85653031cf22c129014

SHA512
46404da469d82b8821e7a6f428956e4c57342ec9b4a8ed87c7341034e6e58647e622b086cfa7960edb1d7c71a6b9d73947c64e9ba55456f10a607470bf12934a

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
28KB

MD5
051962ed139b40cfb0df9eb6e2472614

SHA1
f06ccb91bc5c9286d1fde8d157e9ef717ec57397

SHA256
2e94ec0996603c6daa4a966e7899c0f72e07283087eaf85653031cf22c129014

SHA512
46404da469d82b8821e7a6f428956e4c57342ec9b4a8ed87c7341034e6e58647e622b086cfa7960edb1d7c71a6b9d73947c64e9ba55456f10a607470bf12934a

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
28KB

MD5
051962ed139b40cfb0df9eb6e2472614

SHA1
f06ccb91bc5c9286d1fde8d157e9ef717ec57397

SHA256
2e94ec0996603c6daa4a966e7899c0f72e07283087eaf85653031cf22c129014

SHA512
46404da469d82b8821e7a6f428956e4c57342ec9b4a8ed87c7341034e6e58647e622b086cfa7960edb1d7c71a6b9d73947c64e9ba55456f10a607470bf12934a

Download Submit
memory/1356-62-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1612-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1612-56-0x0000000003290000-0x0000000003299000-memory.dmp

Filesize
36KB

Download
memory/1612-65-0x0000000003290000-0x0000000003299000-memory.dmp

Filesize
36KB

Download
memory/1948-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1948-67-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing