fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058

General

Target

fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Size

758KB
MD5

0f3908deb86e1b032f6bd63f58047050
SHA1

5a22c9a7c71bf674badff39e030a0966aa845522
SHA256

fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058
SHA512

181667fe7f14f4520652367b1c9f48703667f772189b91c5e772ad5704480c18747e011ae4be4263bd34107fd667e600e9256d0735b763c46f4467c1bd5746ec
SSDEEP

12288:mnBVIQFhgk33Y65TbWeFdPSM6c85pnkhEi1q86yrsmyPI/EXcEYZf6IWAuhbSjyi:IBnhgkjTnK/T5pkls7yDEXzYd9WThAyi

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\K:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\L:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\M:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\O:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\R:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\T:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\U:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\W:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\G:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\H:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\Y:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\Z:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\E:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\F:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\J:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\N:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\P:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\Q:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\S:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\V:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
File opened (read-only)	\??\X:	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 24 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000067559239100054656d7000003a0009000400efbe21550a58675592392e00000093e10100000001000000000000000000000000000000e6b72001540065006d007000000014000000	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000002155fc5a10004c6f63616c003c0009000400efbe21550a58675594392e00000092e10100000001000000000000000000000000000000a64ac5004c006f00630061006c00000014000000	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000021550a58120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe21550a58675594392e0000007fe101000000010000000000000000000000000000008909d9004100700070004400610074006100000042000000	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5048	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5048	fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe

C:\Users\Admin\AppData\Local\Temp\fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe
"C:\Users\Admin\AppData\Local\Temp\fb245420e62dbf9280b3190ca48306bf7b0557730f49131afb0ec7e280fd9058.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5048-132-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/5048-134-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download
memory/5048-135-0x0000000000400000-0x00000000005EF000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing