d8d3464d5f98aee3f5d12568860d9dd13151ff10c78324211bbd6d8fead150c3

General

Target

d8d3464d5f98aee3f5d12568860d9dd13151ff10c78324211bbd6d8fead150c3.exe
Size

1.2MB
MD5

a35fd7ad78f8335a08977bf2fa450caa
SHA1

a4cf4c3d5db71b2437bd2a970f61a14aad44b779
SHA256

d8d3464d5f98aee3f5d12568860d9dd13151ff10c78324211bbd6d8fead150c3
SHA512

9c2cdbe779829b654c02b347dd73defcb95e639e58c9202f3b07652cf3ee30dde64ce4913dd0022313ea74b44dbb26c78a266a11882687b56b756721d15a717b
SSDEEP

24576:u744EegyW6PjBhnKb1Bpnbnn7p3lh9xDWMxFz7SyRwQxKanQ0+upXLwfH:ukXeVd9RKfhXhqMLb24M3EU

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2004	thalita.exe

Loads dropped DLL 2 IoCs

pid	Process
284	d8d3464d5f98aee3f5d12568860d9dd13151ff10c78324211bbd6d8fead150c3.exe
284	d8d3464d5f98aee3f5d12568860d9dd13151ff10c78324211bbd6d8fead150c3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
284	d8d3464d5f98aee3f5d12568860d9dd13151ff10c78324211bbd6d8fead150c3.exe
2004	thalita.exe
2004	thalita.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1892	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
284	d8d3464d5f98aee3f5d12568860d9dd13151ff10c78324211bbd6d8fead150c3.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 284 wrote to memory of 2004	284	d8d3464d5f98aee3f5d12568860d9dd13151ff10c78324211bbd6d8fead150c3.exe	27
PID 284 wrote to memory of 2004	284	d8d3464d5f98aee3f5d12568860d9dd13151ff10c78324211bbd6d8fead150c3.exe	27
PID 284 wrote to memory of 2004	284	d8d3464d5f98aee3f5d12568860d9dd13151ff10c78324211bbd6d8fead150c3.exe	27
PID 284 wrote to memory of 2004	284	d8d3464d5f98aee3f5d12568860d9dd13151ff10c78324211bbd6d8fead150c3.exe	27
PID 2004 wrote to memory of 1416	2004	thalita.exe	15
PID 2004 wrote to memory of 1416	2004	thalita.exe	15
PID 2004 wrote to memory of 1416	2004	thalita.exe	15
PID 2004 wrote to memory of 1416	2004	thalita.exe	15
PID 2004 wrote to memory of 1416	2004	thalita.exe	15
PID 2004 wrote to memory of 1416	2004	thalita.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1416
- C:\Users\Admin\AppData\Local\Temp\d8d3464d5f98aee3f5d12568860d9dd13151ff10c78324211bbd6d8fead150c3.exe
  "C:\Users\Admin\AppData\Local\Temp\d8d3464d5f98aee3f5d12568860d9dd13151ff10c78324211bbd6d8fead150c3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:284
- - C:\Users\Admin\AppData\Local\Temp\thalita.exe
    "C:\Users\Admin\AppData\Local\Temp\thalita.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2004

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OgAAALzSDJDvASXPWqEqmIIc6YoaNl1sd0VQH3DQS0g_p6weNFdQcm6ZQpyfEB8uqrfgoJEkb2iYilZL_UFI5JxVkmEAm1T1UHNSv3qJ6AcCXM6br2DKQgCrmiZB.jpg

Filesize
57KB

MD5
864b8ed615ac585ab92c6ff9e3e9882d

SHA1
9b768e9d5f69398193d4f640944892b54933854b

SHA256
d77365f197f106dcd2189dd42260cf8af5e7cd28ec04289992ff9d265eb95f7f

SHA512
f520253f30079f784c72cb8da6f1e4b135c23ef3bc32daf96745c9ebe5a2d18cc160c6708b4b12540f46e140fc927bef0ec9f53288292328cc5dd238a1c1e1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\thalita.exe

Filesize
50KB

MD5
1fc6ff9ee3c31cd41f96d2172d0defde

SHA1
8ad942905e8f1845f8c0e1d90896380832af396d

SHA256
f734c3d1fa6781a7e6e28d91b0c1197096bc77000b05a0997f6a91d24ec3a27d

SHA512
4d6a4d076d9b1b7c7df2584fe375dbecbb884e285bb55527afccbd5c4a63a63e4441bc26ebac057776a001de917126993708012c555eec989b9ad295ab11f852

Download Submit
C:\Users\Admin\AppData\Local\Temp\thalita.exe

Filesize
50KB

MD5
1fc6ff9ee3c31cd41f96d2172d0defde

SHA1
8ad942905e8f1845f8c0e1d90896380832af396d

SHA256
f734c3d1fa6781a7e6e28d91b0c1197096bc77000b05a0997f6a91d24ec3a27d

SHA512
4d6a4d076d9b1b7c7df2584fe375dbecbb884e285bb55527afccbd5c4a63a63e4441bc26ebac057776a001de917126993708012c555eec989b9ad295ab11f852

Download Submit
\Users\Admin\AppData\Local\Temp\thalita.exe

Filesize
50KB

MD5
1fc6ff9ee3c31cd41f96d2172d0defde

SHA1
8ad942905e8f1845f8c0e1d90896380832af396d

SHA256
f734c3d1fa6781a7e6e28d91b0c1197096bc77000b05a0997f6a91d24ec3a27d

SHA512
4d6a4d076d9b1b7c7df2584fe375dbecbb884e285bb55527afccbd5c4a63a63e4441bc26ebac057776a001de917126993708012c555eec989b9ad295ab11f852

Download Submit
\Users\Admin\AppData\Local\Temp\thalita.exe

Filesize
50KB

MD5
1fc6ff9ee3c31cd41f96d2172d0defde

SHA1
8ad942905e8f1845f8c0e1d90896380832af396d

SHA256
f734c3d1fa6781a7e6e28d91b0c1197096bc77000b05a0997f6a91d24ec3a27d

SHA512
4d6a4d076d9b1b7c7df2584fe375dbecbb884e285bb55527afccbd5c4a63a63e4441bc26ebac057776a001de917126993708012c555eec989b9ad295ab11f852

Download Submit
memory/284-56-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/284-57-0x0000000000660000-0x000000000073F000-memory.dmp

Filesize
892KB

Download
memory/1416-67-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/2004-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2004-66-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing