5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f

General

Target

5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f.exe
Size

866KB
MD5

24e8071ecf5c1674bb5d27237fb79a16
SHA1

acccab3d7e8e5fe98267f3b84c0b2cb38f8d5b50
SHA256

5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f
SHA512

d8b91706b1f636b0336644501428963a1d9ee660bf6975523ed0de8bff6b918fb7b89b814c4efebdf20039cf27b65bcdd23a0bfbf63308a085b18b4902a621d8
SSDEEP

24576:bRF2i9uZvK+IdpAmdDiIP/3RUVoFtzHZ0:KioK+7UvP/RxR0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1124	03005109.exe

Deletes itself 1 IoCs

pid	Process
1292	cmd.exe

Loads dropped DLL 5 IoCs

pid	Process
1756	cmd.exe
1756	cmd.exe
1124	03005109.exe
1124	03005109.exe
1124	03005109.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\03005109 = "C:\\ProgramData\\03005109\\03005109.exe"	5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	03005109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\03005109 = "C:\\PROGRA~3\\03005109\\03005109.exe"	03005109.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1124	03005109.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
1124	03005109.exe
1124	03005109.exe
1124	03005109.exe
1124	03005109.exe
1124	03005109.exe
1124	03005109.exe
1124	03005109.exe
1124	03005109.exe
1124	03005109.exe
1124	03005109.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
1124	03005109.exe
1124	03005109.exe
1124	03005109.exe
1124	03005109.exe
1124	03005109.exe
1124	03005109.exe
1124	03005109.exe
1124	03005109.exe
1124	03005109.exe
1124	03005109.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1292	1940	5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f.exe	27
PID 1940 wrote to memory of 1292	1940	5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f.exe	27
PID 1940 wrote to memory of 1292	1940	5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f.exe	27
PID 1940 wrote to memory of 1292	1940	5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f.exe	27
PID 1292 wrote to memory of 1756	1292	cmd.exe	29
PID 1292 wrote to memory of 1756	1292	cmd.exe	29
PID 1292 wrote to memory of 1756	1292	cmd.exe	29
PID 1292 wrote to memory of 1756	1292	cmd.exe	29
PID 1756 wrote to memory of 1124	1756	cmd.exe	30
PID 1756 wrote to memory of 1124	1756	cmd.exe	30
PID 1756 wrote to memory of 1124	1756	cmd.exe	30
PID 1756 wrote to memory of 1124	1756	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f.exe
"C:\Users\Admin\AppData\Local\Temp\5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\ProgramData\03005109\03005109.bat" "
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start C:\PROGRA~3\03005109\03005109.exe /i
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\PROGRA~3\03005109\03005109.exe
      C:\PROGRA~3\03005109\03005109.exe /i
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\03005109\03005109.exe

Filesize
866KB

MD5
24e8071ecf5c1674bb5d27237fb79a16

SHA1
acccab3d7e8e5fe98267f3b84c0b2cb38f8d5b50

SHA256
5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f

SHA512
d8b91706b1f636b0336644501428963a1d9ee660bf6975523ed0de8bff6b918fb7b89b814c4efebdf20039cf27b65bcdd23a0bfbf63308a085b18b4902a621d8

Download Submit
C:\PROGRA~3\03005109\03005109.exe

Filesize
866KB

MD5
24e8071ecf5c1674bb5d27237fb79a16

SHA1
acccab3d7e8e5fe98267f3b84c0b2cb38f8d5b50

SHA256
5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f

SHA512
d8b91706b1f636b0336644501428963a1d9ee660bf6975523ed0de8bff6b918fb7b89b814c4efebdf20039cf27b65bcdd23a0bfbf63308a085b18b4902a621d8

Download Submit
C:\ProgramData\03005109\03005109.bat

Filesize
230B

MD5
cf0845bd542b356dee3f4f3743c0e276

SHA1
c68741052ebb92e1082960ec132f87773d8414a2

SHA256
bf4a143c76fc37f586403ee51d73c4483274308816f951cd044393dbe26da012

SHA512
bd6b9a5e612dd9091ef2a41082bc1e2679def7dbba85428dc82b14f96cfc8b329307db464c8706557bb5ac3903961a09299a403152692df7d06a81b0f64bc2ac

Download Submit
\PROGRA~3\03005109\03005109.exe

Filesize
866KB

MD5
24e8071ecf5c1674bb5d27237fb79a16

SHA1
acccab3d7e8e5fe98267f3b84c0b2cb38f8d5b50

SHA256
5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f

SHA512
d8b91706b1f636b0336644501428963a1d9ee660bf6975523ed0de8bff6b918fb7b89b814c4efebdf20039cf27b65bcdd23a0bfbf63308a085b18b4902a621d8

Download Submit
\PROGRA~3\03005109\03005109.exe

Filesize
866KB

MD5
24e8071ecf5c1674bb5d27237fb79a16

SHA1
acccab3d7e8e5fe98267f3b84c0b2cb38f8d5b50

SHA256
5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f

SHA512
d8b91706b1f636b0336644501428963a1d9ee660bf6975523ed0de8bff6b918fb7b89b814c4efebdf20039cf27b65bcdd23a0bfbf63308a085b18b4902a621d8

Download Submit
\PROGRA~3\03005109\03005109.exe

Filesize
866KB

MD5
24e8071ecf5c1674bb5d27237fb79a16

SHA1
acccab3d7e8e5fe98267f3b84c0b2cb38f8d5b50

SHA256
5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f

SHA512
d8b91706b1f636b0336644501428963a1d9ee660bf6975523ed0de8bff6b918fb7b89b814c4efebdf20039cf27b65bcdd23a0bfbf63308a085b18b4902a621d8

Download Submit
\PROGRA~3\03005109\03005109.exe

Filesize
866KB

MD5
24e8071ecf5c1674bb5d27237fb79a16

SHA1
acccab3d7e8e5fe98267f3b84c0b2cb38f8d5b50

SHA256
5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f

SHA512
d8b91706b1f636b0336644501428963a1d9ee660bf6975523ed0de8bff6b918fb7b89b814c4efebdf20039cf27b65bcdd23a0bfbf63308a085b18b4902a621d8

Download Submit
\PROGRA~3\03005109\03005109.exe

Filesize
866KB

MD5
24e8071ecf5c1674bb5d27237fb79a16

SHA1
acccab3d7e8e5fe98267f3b84c0b2cb38f8d5b50

SHA256
5fac647b5a4bf484838e0e00f40db252d1da3a8c6e5c8c9843c219eb2c90ef6f

SHA512
d8b91706b1f636b0336644501428963a1d9ee660bf6975523ed0de8bff6b918fb7b89b814c4efebdf20039cf27b65bcdd23a0bfbf63308a085b18b4902a621d8

Download Submit
memory/1124-63-0x0000000000000000-mapping.dmp

Download
memory/1124-67-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/1124-68-0x0000000000753000-0x0000000000756000-memory.dmp

Filesize
12KB

Download
memory/1124-71-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/1124-72-0x0000000000753000-0x0000000000756000-memory.dmp

Filesize
12KB

Download
memory/1292-55-0x0000000000000000-mapping.dmp

Download
memory/1756-59-0x0000000000000000-mapping.dmp

Download
memory/1940-56-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/1940-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1940-57-0x00000000006A3000-0x00000000006A6000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing