77a7d73ce3bfc071a983372293c605702c310e6370abfbcd7d58d38e4c41acb9

General

Target

77a7d73ce3bfc071a983372293c605702c310e6370abfbcd7d58d38e4c41acb9.exe
Size

17.0MB
MD5

66dba90ba013bbd38d48022ae0410da3
SHA1

e510bed76b45f09546a5fbb1d388a2dd0fb6a7cd
SHA256

77a7d73ce3bfc071a983372293c605702c310e6370abfbcd7d58d38e4c41acb9
SHA512

5da7ae35edf5ba86e3737edaca2943aff3eae0849dd5ec9eaa2f5f6ed82c2c3096f8cfe141f5491a52379655f742f0a8e33c260d3c328035308f96f0d19ce646
SSDEEP

393216:+yyNfjJQ9Y8p/09SOHqVrgb+f3IvwqWLYnTH6EneGYNbun86ZWkb:KNfjJ8pF9Jgb+gvX7fdYMRX

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1928	FileUpdate.exe

Loads dropped DLL 4 IoCs

pid	Process
1956	77a7d73ce3bfc071a983372293c605702c310e6370abfbcd7d58d38e4c41acb9.exe
1928	FileUpdate.exe
1928	FileUpdate.exe
1928	FileUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1928	1956	77a7d73ce3bfc071a983372293c605702c310e6370abfbcd7d58d38e4c41acb9.exe	27
PID 1956 wrote to memory of 1928	1956	77a7d73ce3bfc071a983372293c605702c310e6370abfbcd7d58d38e4c41acb9.exe	27
PID 1956 wrote to memory of 1928	1956	77a7d73ce3bfc071a983372293c605702c310e6370abfbcd7d58d38e4c41acb9.exe	27
PID 1956 wrote to memory of 1928	1956	77a7d73ce3bfc071a983372293c605702c310e6370abfbcd7d58d38e4c41acb9.exe	27
PID 1956 wrote to memory of 1928	1956	77a7d73ce3bfc071a983372293c605702c310e6370abfbcd7d58d38e4c41acb9.exe	27
PID 1956 wrote to memory of 1928	1956	77a7d73ce3bfc071a983372293c605702c310e6370abfbcd7d58d38e4c41acb9.exe	27
PID 1956 wrote to memory of 1928	1956	77a7d73ce3bfc071a983372293c605702c310e6370abfbcd7d58d38e4c41acb9.exe	27

C:\Users\Admin\AppData\Local\Temp\77a7d73ce3bfc071a983372293c605702c310e6370abfbcd7d58d38e4c41acb9.exe
"C:\Users\Admin\AppData\Local\Temp\77a7d73ce3bfc071a983372293c605702c310e6370abfbcd7d58d38e4c41acb9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956
- C:\UpdateSCGWYDJ2012TYJCFiles20171205\FileUpdate.exe
  "C:\UpdateSCGWYDJ2012TYJCFiles20171205\FileUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UpdateSCGWYDJ2012TYJCFiles20171205\FileUpdate.exe

Filesize
487KB

MD5
4f5eb12ace39b52a7839abd7a364b004

SHA1
39e68ba32a2ec3a2d362d57075a4bfa5d50554d8

SHA256
6cc3702d5a48f86278a6a65d5ccec67fade7ea0056535ff3b69812e1ec10bb24

SHA512
a6e8057317b8064d1b2dffc3005146c5b45168c5ab064c70978d417a6e6900c01a18365b5827f4ba0c487b42bb56df16f9ce2ef85d503c86f1af03173638894b

Download Submit
C:\UpdateSCGWYDJ2012TYJCFiles20171205\FileUpdate.exe

Filesize
487KB

MD5
4f5eb12ace39b52a7839abd7a364b004

SHA1
39e68ba32a2ec3a2d362d57075a4bfa5d50554d8

SHA256
6cc3702d5a48f86278a6a65d5ccec67fade7ea0056535ff3b69812e1ec10bb24

SHA512
a6e8057317b8064d1b2dffc3005146c5b45168c5ab064c70978d417a6e6900c01a18365b5827f4ba0c487b42bb56df16f9ce2ef85d503c86f1af03173638894b

Download Submit
C:\UpdateSCGWYDJ2012TYJCFiles20171205\Update.ini

Filesize
288B

MD5
979b7fd2f9066c5dfb1d30e31f611aec

SHA1
70fe6896ce20231340f51e21c41c3b1923cdc9ee

SHA256
5db1c26a81e66add9e25fb1ac8098247c9969df80f1f988e57d83bb85cd47906

SHA512
a8c93f9315d5fbefafa316854395b1be27b9c9b8ccb632e7aa55538a2c868bf1081deccfd1141637746413b7b24950520a8306bfc128285925135c37244c6223

Download Submit
\UpdateSCGWYDJ2012TYJCFiles20171205\FileUpdate.exe

Filesize
487KB

MD5
4f5eb12ace39b52a7839abd7a364b004

SHA1
39e68ba32a2ec3a2d362d57075a4bfa5d50554d8

SHA256
6cc3702d5a48f86278a6a65d5ccec67fade7ea0056535ff3b69812e1ec10bb24

SHA512
a6e8057317b8064d1b2dffc3005146c5b45168c5ab064c70978d417a6e6900c01a18365b5827f4ba0c487b42bb56df16f9ce2ef85d503c86f1af03173638894b

Download Submit
\UpdateSCGWYDJ2012TYJCFiles20171205\FileUpdate.exe

Filesize
487KB

MD5
4f5eb12ace39b52a7839abd7a364b004

SHA1
39e68ba32a2ec3a2d362d57075a4bfa5d50554d8

SHA256
6cc3702d5a48f86278a6a65d5ccec67fade7ea0056535ff3b69812e1ec10bb24

SHA512
a6e8057317b8064d1b2dffc3005146c5b45168c5ab064c70978d417a6e6900c01a18365b5827f4ba0c487b42bb56df16f9ce2ef85d503c86f1af03173638894b

Download Submit
\UpdateSCGWYDJ2012TYJCFiles20171205\FileUpdate.exe

Filesize
487KB

MD5
4f5eb12ace39b52a7839abd7a364b004

SHA1
39e68ba32a2ec3a2d362d57075a4bfa5d50554d8

SHA256
6cc3702d5a48f86278a6a65d5ccec67fade7ea0056535ff3b69812e1ec10bb24

SHA512
a6e8057317b8064d1b2dffc3005146c5b45168c5ab064c70978d417a6e6900c01a18365b5827f4ba0c487b42bb56df16f9ce2ef85d503c86f1af03173638894b

Download Submit
\UpdateSCGWYDJ2012TYJCFiles20171205\FileUpdate.exe

Filesize
487KB

MD5
4f5eb12ace39b52a7839abd7a364b004

SHA1
39e68ba32a2ec3a2d362d57075a4bfa5d50554d8

SHA256
6cc3702d5a48f86278a6a65d5ccec67fade7ea0056535ff3b69812e1ec10bb24

SHA512
a6e8057317b8064d1b2dffc3005146c5b45168c5ab064c70978d417a6e6900c01a18365b5827f4ba0c487b42bb56df16f9ce2ef85d503c86f1af03173638894b

Download Submit
memory/1956-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing