ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32

General

Target

ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe
Size

112KB
MD5

0a136a4eb6281d7acdf4a5720dbd5420
SHA1

32017fafde92b2d21572b54c1eff731dfae7b72b
SHA256

ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32
SHA512

dcbd2a13ef4ab106bc3d0af026d73d016b2488522202a5ca70f21245964735f07309120529029aaf0c4cf29ab72408cd56652ba223e747cf47caa130cac68d31
SSDEEP

1536:LPqKgbwDeVyAUHwGvVJrYJeyxWxVhkITI5ywWFfB8lBTxe5P1PS:9gbwDKyLwGvTrYkg6BJR6ns5PFS

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106
Destination IP	178.162.181.106

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 528 set thread context of 1332	528	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	81
PID 1332 set thread context of 2420	1332	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	85

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\7jOLGxL.exe	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe
File opened for modification	C:\Windows\Fonts\7jOLGxL.exe	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2420	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe
2420	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
528	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 1332	528	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	81
PID 528 wrote to memory of 1332	528	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	81
PID 528 wrote to memory of 1332	528	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	81
PID 528 wrote to memory of 1332	528	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	81
PID 528 wrote to memory of 1332	528	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	81
PID 528 wrote to memory of 1332	528	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	81
PID 528 wrote to memory of 1332	528	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	81
PID 528 wrote to memory of 1332	528	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	81
PID 1332 wrote to memory of 2420	1332	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	85
PID 1332 wrote to memory of 2420	1332	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	85
PID 1332 wrote to memory of 2420	1332	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	85
PID 1332 wrote to memory of 2420	1332	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	85
PID 1332 wrote to memory of 2420	1332	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	85
PID 1332 wrote to memory of 2420	1332	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	85
PID 1332 wrote to memory of 2420	1332	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	85
PID 1332 wrote to memory of 2420	1332	ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe	85

C:\Users\Admin\AppData\Local\Temp\ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe
"C:\Users\Admin\AppData\Local\Temp\ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:528
- C:\Users\Admin\AppData\Local\Temp\ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe
  "C:\Users\Admin\AppData\Local\Temp\ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Users\Admin\AppData\Local\Temp\ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe
    C:\Users\Admin\AppData\Local\Temp\ca271f5c4622b2c518d28e787436ffe2f5df27b8b1b23cb7ed8318ac08233f32.exe
    3⤵
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2420

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1332-135-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1332-137-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1332-138-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1332-141-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2420-140-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2420-143-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2420-144-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2420-145-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing