63c23656725123663ad53c1a11d7903e4ab16f64b8f7c3f07549096f73c662ca

General

Target

Trojan-Ransom.Win32.Blocker.exe
Size

844KB
MD5

b7387aa0121466b220accc3958e77aa4
SHA1

3d8cc4e3eee7927e6351dff9260d6b96031bf8f1
SHA256

63c23656725123663ad53c1a11d7903e4ab16f64b8f7c3f07549096f73c662ca
SHA512

7fbef4a185103d359bc3d2d481f3150381bc8d160693fdbd88463ee9b67935f963fe21911040e053c1abe86b97bd2574105238243b344062fce9e1b1dcb82032
SSDEEP

3072:uAyOsrbjywCO2/IEeI88VJtMCQUT4bOkLv21HL2bw/ZBeFZyea4aOQ0i2ogl8y7b:uAQb7jI88jtfQUTQbRoT

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
900	Adobe.exe
624	Adobe.exe

Loads dropped DLL 2 IoCs

pid	Process
1368	Trojan-Ransom.Win32.Blocker.exe
1368	Trojan-Ransom.Win32.Blocker.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 624	900	Adobe.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1368	Trojan-Ransom.Win32.Blocker.exe
900	Adobe.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 900	1368	Trojan-Ransom.Win32.Blocker.exe	27
PID 1368 wrote to memory of 900	1368	Trojan-Ransom.Win32.Blocker.exe	27
PID 1368 wrote to memory of 900	1368	Trojan-Ransom.Win32.Blocker.exe	27
PID 1368 wrote to memory of 900	1368	Trojan-Ransom.Win32.Blocker.exe	27
PID 900 wrote to memory of 624	900	Adobe.exe	28
PID 900 wrote to memory of 624	900	Adobe.exe	28
PID 900 wrote to memory of 624	900	Adobe.exe	28
PID 900 wrote to memory of 624	900	Adobe.exe	28
PID 900 wrote to memory of 624	900	Adobe.exe	28
PID 900 wrote to memory of 624	900	Adobe.exe	28
PID 900 wrote to memory of 624	900	Adobe.exe	28
PID 900 wrote to memory of 624	900	Adobe.exe	28
PID 900 wrote to memory of 624	900	Adobe.exe	28
PID 900 wrote to memory of 624	900	Adobe.exe	28

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Roaming\Adobe.exe
  "C:\Users\Admin\AppData\Roaming\Adobe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Users\Admin\AppData\Roaming\Adobe.exe
    "C:\Users\Admin\AppData\Roaming\Adobe.exe"
    3⤵
    - Executes dropped EXE
    PID:624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe.exe

Filesize
844KB

MD5
86492b13eeda3707e3601bfd4fe438bb

SHA1
2e326026a39a1001979ab41d3c6bf16f02e7577c

SHA256
4759fe07444c73946a9832ba27b1bc4437eb00517c440044c3c13b0b4903b04c

SHA512
6ec0464217a6bedb37cc155cf73ca4f2460abe1152f5e80fce70162ea21e9b51ce23b2ad654a3fd0f0b05c68a48531dbc31a0a007ad1f4f671e48618420d1dec

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe.exe

Filesize
844KB

MD5
86492b13eeda3707e3601bfd4fe438bb

SHA1
2e326026a39a1001979ab41d3c6bf16f02e7577c

SHA256
4759fe07444c73946a9832ba27b1bc4437eb00517c440044c3c13b0b4903b04c

SHA512
6ec0464217a6bedb37cc155cf73ca4f2460abe1152f5e80fce70162ea21e9b51ce23b2ad654a3fd0f0b05c68a48531dbc31a0a007ad1f4f671e48618420d1dec

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe.exe

Filesize
844KB

MD5
86492b13eeda3707e3601bfd4fe438bb

SHA1
2e326026a39a1001979ab41d3c6bf16f02e7577c

SHA256
4759fe07444c73946a9832ba27b1bc4437eb00517c440044c3c13b0b4903b04c

SHA512
6ec0464217a6bedb37cc155cf73ca4f2460abe1152f5e80fce70162ea21e9b51ce23b2ad654a3fd0f0b05c68a48531dbc31a0a007ad1f4f671e48618420d1dec

Download Submit
\Users\Admin\AppData\Roaming\Adobe.exe

Filesize
844KB

MD5
86492b13eeda3707e3601bfd4fe438bb

SHA1
2e326026a39a1001979ab41d3c6bf16f02e7577c

SHA256
4759fe07444c73946a9832ba27b1bc4437eb00517c440044c3c13b0b4903b04c

SHA512
6ec0464217a6bedb37cc155cf73ca4f2460abe1152f5e80fce70162ea21e9b51ce23b2ad654a3fd0f0b05c68a48531dbc31a0a007ad1f4f671e48618420d1dec

Download Submit
\Users\Admin\AppData\Roaming\Adobe.exe

Filesize
844KB

MD5
86492b13eeda3707e3601bfd4fe438bb

SHA1
2e326026a39a1001979ab41d3c6bf16f02e7577c

SHA256
4759fe07444c73946a9832ba27b1bc4437eb00517c440044c3c13b0b4903b04c

SHA512
6ec0464217a6bedb37cc155cf73ca4f2460abe1152f5e80fce70162ea21e9b51ce23b2ad654a3fd0f0b05c68a48531dbc31a0a007ad1f4f671e48618420d1dec

Download Submit
memory/624-70-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/624-76-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/624-77-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/900-65-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/900-66-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/900-67-0x000000000058C000-0x000000000058E000-memory.dmp

Filesize
8KB

Download
memory/900-68-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/900-74-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1368-58-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/1368-56-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1368-57-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing