0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b

General

Target

0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe
Size

220KB
MD5

0cc1d836f38b42e83be488697fd19760
SHA1

013a59d1d5737a511dcad7b05567d250ee237aa9
SHA256

0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b
SHA512

9ce0ce071b9fe646559648feeeb4b3d14966693c12c1baa7fea6e675ef10d69774f629a21289a46ff971c9ba0da3ac076cd86bd2cb806383df3acce0836f2f02
SSDEEP

6144:9qyXyYLoshMzEX+70iWIckQkiWp+Nm9E7K:IoLhMzT0iWI61WINm9aK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1300	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 864 set thread context of 1960	864	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1960	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe
1776	svchost.exe
2036	svchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1960	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe
1960	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1960	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1960	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
864	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1960	864	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe	28
PID 864 wrote to memory of 1960	864	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe	28
PID 864 wrote to memory of 1960	864	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe	28
PID 864 wrote to memory of 1960	864	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe	28
PID 864 wrote to memory of 1960	864	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe	28
PID 864 wrote to memory of 1960	864	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe	28
PID 864 wrote to memory of 1960	864	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe	28
PID 1960 wrote to memory of 1776	1960	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe	29
PID 1960 wrote to memory of 1776	1960	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe	29
PID 1960 wrote to memory of 1776	1960	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe	29
PID 1960 wrote to memory of 1776	1960	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe	29
PID 1960 wrote to memory of 1300	1960	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe	31
PID 1960 wrote to memory of 1300	1960	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe	31
PID 1960 wrote to memory of 1300	1960	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe	31
PID 1960 wrote to memory of 1300	1960	0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe	31
PID 1300 wrote to memory of 1320	1300	cmd.exe	33
PID 1300 wrote to memory of 1320	1300	cmd.exe	33
PID 1300 wrote to memory of 1320	1300	cmd.exe	33
PID 1300 wrote to memory of 1320	1300	cmd.exe	33

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1320	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe
"C:\Users\Admin\AppData\Local\Temp\0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe
  "C:\Users\Admin\AppData\Local\Temp\0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\TgdSlF5F80HO3.bat" 0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h 0050dfcf74e5a87b8593430c8803c618b799894379f941a619c1db907ba7194b.exe
      4⤵
      Views/modifies file attributes
      PID:1320

C:\Windows\syswow64\svchost.exe
C:\Windows\syswow64\svchost.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TgdSlF5F80HO3.bat

Filesize
74B

MD5
f488b5df4ab36b2fa1c78c041f5a433c

SHA1
fe8b77ce17a48de7d7e6f7bfe7b8411701ebb12f

SHA256
ce0e7dceca9e877c8ad232acef340c246f6f553e841dbcff18a9b458cd0fae1c

SHA512
3df780bf8f3c2b547606f2dfc5552ab5140fdb089681f5945d2aec23d3eeb13d1546ea100881d6c830110c79c60f113788b1fbc7fd674a3578f9e2f76ea54ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsljbx.rzd

Filesize
862B

MD5
81c264145b21319c128f5fb128ee6eae

SHA1
630e0635f2a8f046a7093dd650c8e93a99890a1d

SHA256
72e927c7e8f33bb67933c911227727625e13dcccb956fa9ea0bd75ed44bc7a71

SHA512
34f90bf75921b604a887d87781d06e46af1001d9e7a243f37bceb85882f9e543c7faabf49d6c7ec41524faae9efaa5eba25b8c82ae29d7edbed567b62f44b709

Download Submit
memory/1776-65-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

Filesize
32KB

Download
memory/1776-66-0x00000000000C0000-0x00000000000E4000-memory.dmp

Filesize
144KB

Download
memory/1960-61-0x0000000000401000-0x0000000000425000-memory.dmp

Filesize
144KB

Download
memory/1960-64-0x0000000000260000-0x000000000026F000-memory.dmp

Filesize
60KB

Download
memory/1960-62-0x0000000000400000-0x0000000000424400-memory.dmp

Filesize
145KB

Download
memory/1960-67-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/1960-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1960-70-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1960-72-0x0000000000400000-0x0000000000424400-memory.dmp

Filesize
145KB

Download
memory/1960-59-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1960-57-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2036-69-0x00000000000B5000-0x00000000000D9000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads