adbeccc2a29d03fe14604ba405182f53aed7768916fc574e172b015361047781

General

Target

adbeccc2a29d03fe14604ba405182f53aed7768916fc574e172b015361047781.exe
Size

1.3MB
MD5

8cec3e49bb13bb3cbd33b77b03f5bd16
SHA1

a5cb1f70bb89e4540601cfdbdf2c6928c7ce5104
SHA256

adbeccc2a29d03fe14604ba405182f53aed7768916fc574e172b015361047781
SHA512

9097a84841d59ca5f93cbe5a0892d5f4c9b2fcc539796674cab8bc928882ed36e4e6ead2c651ba0f3480997b8b92d2502c18d154d77e8452e4b4df4f6e20e10d
SSDEEP

24576:z6fOydJf45+I8Zb8A0/PXlVZmRf2hT9Q3rK2PBXZrOxDe+/VjWN5uHn69lZO:+GMJf4A5bifrA89QW2pYxD71WHuH69lA

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1152	Stp364D_TMP.EXE
940	is-SJF5V.tmp

Loads dropped DLL 4 IoCs

pid	Process
848	adbeccc2a29d03fe14604ba405182f53aed7768916fc574e172b015361047781.exe
1152	Stp364D_TMP.EXE
940	is-SJF5V.tmp
940	is-SJF5V.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1152	848	adbeccc2a29d03fe14604ba405182f53aed7768916fc574e172b015361047781.exe	27
PID 848 wrote to memory of 1152	848	adbeccc2a29d03fe14604ba405182f53aed7768916fc574e172b015361047781.exe	27
PID 848 wrote to memory of 1152	848	adbeccc2a29d03fe14604ba405182f53aed7768916fc574e172b015361047781.exe	27
PID 848 wrote to memory of 1152	848	adbeccc2a29d03fe14604ba405182f53aed7768916fc574e172b015361047781.exe	27
PID 1152 wrote to memory of 940	1152	Stp364D_TMP.EXE	28
PID 1152 wrote to memory of 940	1152	Stp364D_TMP.EXE	28
PID 1152 wrote to memory of 940	1152	Stp364D_TMP.EXE	28
PID 1152 wrote to memory of 940	1152	Stp364D_TMP.EXE	28
PID 1152 wrote to memory of 940	1152	Stp364D_TMP.EXE	28
PID 1152 wrote to memory of 940	1152	Stp364D_TMP.EXE	28
PID 1152 wrote to memory of 940	1152	Stp364D_TMP.EXE	28

C:\Users\Admin\AppData\Local\Temp\adbeccc2a29d03fe14604ba405182f53aed7768916fc574e172b015361047781.exe
"C:\Users\Admin\AppData\Local\Temp\adbeccc2a29d03fe14604ba405182f53aed7768916fc574e172b015361047781.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\Stp364D_TMP.EXE
  "C:\Users\Admin\AppData\Local\Temp\Stp364D_TMP.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Users\Admin\AppData\Local\Temp\is-6M3LF.tmp\is-SJF5V.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-6M3LF.tmp\is-SJF5V.tmp" /SL4 $60122 "C:\Users\Admin\AppData\Local\Temp\Stp364D_TMP.EXE" 1038935 51200
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Stp364D_TMP.EXE

Filesize
1.2MB

MD5
1c6bb22f6f6292bcfb8e4eeae529ba1a

SHA1
e3f7cc43c945854f4052ee4e68bc2272441d2f39

SHA256
634da619eb9542098d63883362cc641bd86c57b8505fa1d2cf7379cc435cfa1e

SHA512
5c32fda3635014b8d1b893d5c500a04a875634b174db1d3d78ac8904e13578d0364284569c5ddb3b76024c538a9c590d74caeb2beec3769a02f448005bd6c467

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stp364D_TMP.EXE

Filesize
1.2MB

MD5
1c6bb22f6f6292bcfb8e4eeae529ba1a

SHA1
e3f7cc43c945854f4052ee4e68bc2272441d2f39

SHA256
634da619eb9542098d63883362cc641bd86c57b8505fa1d2cf7379cc435cfa1e

SHA512
5c32fda3635014b8d1b893d5c500a04a875634b174db1d3d78ac8904e13578d0364284569c5ddb3b76024c538a9c590d74caeb2beec3769a02f448005bd6c467

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6M3LF.tmp\is-SJF5V.tmp

Filesize
659KB

MD5
8d945b4b32cdbdae0b9e320e6870607f

SHA1
bc109a8a04450c4833449d56b5ad77d1e37fa063

SHA256
70a88b34f9a87419c8df27f097262e1bea0e7db7a8c27aa2376e311dc65de1b6

SHA512
7d59cbc9690c951f9e96e1af257f334affc38559f4d4a77ee4703ebd5a02a4424afa8fb1447775f5a02ab60ba3f49e84906bb8e2b3d44aabdfbdfb8938f0ef29

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6M3LF.tmp\is-SJF5V.tmp

Filesize
659KB

MD5
8d945b4b32cdbdae0b9e320e6870607f

SHA1
bc109a8a04450c4833449d56b5ad77d1e37fa063

SHA256
70a88b34f9a87419c8df27f097262e1bea0e7db7a8c27aa2376e311dc65de1b6

SHA512
7d59cbc9690c951f9e96e1af257f334affc38559f4d4a77ee4703ebd5a02a4424afa8fb1447775f5a02ab60ba3f49e84906bb8e2b3d44aabdfbdfb8938f0ef29

Download Submit
\Users\Admin\AppData\Local\Temp\Stp364D_TMP.EXE

Filesize
1.2MB

MD5
1c6bb22f6f6292bcfb8e4eeae529ba1a

SHA1
e3f7cc43c945854f4052ee4e68bc2272441d2f39

SHA256
634da619eb9542098d63883362cc641bd86c57b8505fa1d2cf7379cc435cfa1e

SHA512
5c32fda3635014b8d1b893d5c500a04a875634b174db1d3d78ac8904e13578d0364284569c5ddb3b76024c538a9c590d74caeb2beec3769a02f448005bd6c467

Download Submit
\Users\Admin\AppData\Local\Temp\is-6M3LF.tmp\is-SJF5V.tmp

Filesize
659KB

MD5
8d945b4b32cdbdae0b9e320e6870607f

SHA1
bc109a8a04450c4833449d56b5ad77d1e37fa063

SHA256
70a88b34f9a87419c8df27f097262e1bea0e7db7a8c27aa2376e311dc65de1b6

SHA512
7d59cbc9690c951f9e96e1af257f334affc38559f4d4a77ee4703ebd5a02a4424afa8fb1447775f5a02ab60ba3f49e84906bb8e2b3d44aabdfbdfb8938f0ef29

Download Submit
\Users\Admin\AppData\Local\Temp\is-DE477.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-DE477.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1152-58-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1152-57-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1152-68-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing