c8107f20c2fbbe69aad464ed2163560caafe87d0693821e02066e807ff8a2f60

General

Target

c8107f20c2fbbe69aad464ed2163560caafe87d0693821e02066e807ff8a2f60.exe
Size

527KB
MD5

37621fadb2c958758a2dfc9837c8c8a0
SHA1

d5f2ceaae36dd7d3cc6397e4a08ecf8649b4b2ad
SHA256

c8107f20c2fbbe69aad464ed2163560caafe87d0693821e02066e807ff8a2f60
SHA512

e0d166faae0196973277a257f5847091a079cdfc65cf6efd5ce900c7ac0f5f22ad83884334f5d9e247199d8aafe0571b1db5167d67aeafebf87384b1ccbbda63
SSDEEP

12288:fpQN/7w3W2uyQOxwiAhZCgLPdlSS8FwlC5:fiNz+/93xMi4nSS8F

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1188	Tmp_.exe

Loads dropped DLL 2 IoCs

pid	Process
1292	c8107f20c2fbbe69aad464ed2163560caafe87d0693821e02066e807ff8a2f60.exe
1292	c8107f20c2fbbe69aad464ed2163560caafe87d0693821e02066e807ff8a2f60.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Oiht400.dll	c8107f20c2fbbe69aad464ed2163560caafe87d0693821e02066e807ff8a2f60.exe
File created	C:\Windows\SysWOW64\Oiht400.dll	c8107f20c2fbbe69aad464ed2163560caafe87d0693821e02066e807ff8a2f60.exe
File opened for modification	C:\Windows\SysWOW64\Mkopg.exe	c8107f20c2fbbe69aad464ed2163560caafe87d0693821e02066e807ff8a2f60.exe
File created	C:\Windows\SysWOW64\Mkopg.exe	c8107f20c2fbbe69aad464ed2163560caafe87d0693821e02066e807ff8a2f60.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	Tmp_.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	Tmp_.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	Tmp_.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	Tmp_.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	Tmp_.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	Tmp_.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	Tmp_.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	Tmp_.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	Tmp_.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	Tmp_.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Tmp_.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	Tmp_.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	Tmp_.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	Tmp_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\winstart.bat	c8107f20c2fbbe69aad464ed2163560caafe87d0693821e02066e807ff8a2f60.exe
File opened for modification	C:\Windows\winstart.bat	c8107f20c2fbbe69aad464ed2163560caafe87d0693821e02066e807ff8a2f60.exe
File opened for modification	C:\Windows\winstart.bat	Tmp_.exe
File created	C:\Windows\winstart.bat	Tmp_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1188	1292	c8107f20c2fbbe69aad464ed2163560caafe87d0693821e02066e807ff8a2f60.exe	28
PID 1292 wrote to memory of 1188	1292	c8107f20c2fbbe69aad464ed2163560caafe87d0693821e02066e807ff8a2f60.exe	28
PID 1292 wrote to memory of 1188	1292	c8107f20c2fbbe69aad464ed2163560caafe87d0693821e02066e807ff8a2f60.exe	28
PID 1292 wrote to memory of 1188	1292	c8107f20c2fbbe69aad464ed2163560caafe87d0693821e02066e807ff8a2f60.exe	28

C:\Users\Admin\AppData\Local\Temp\c8107f20c2fbbe69aad464ed2163560caafe87d0693821e02066e807ff8a2f60.exe
"C:\Users\Admin\AppData\Local\Temp\c8107f20c2fbbe69aad464ed2163560caafe87d0693821e02066e807ff8a2f60.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\TEMP\Tmp_.exe
  "C:\Windows\TEMP\Tmp_.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\TEMP\Tmp_.exe

Filesize
528KB

MD5
956f0ea9908ea47205b098dca0f6b9f7

SHA1
15d12523b3339c9fbe7618f246fa067e8f59b3cc

SHA256
7b74019e246955d150aa1f1a6e169426343fa20b0eeb82919ae044a24fc36166

SHA512
ce81a67c51ceea8463d628a631070a0c31880e4692d4e3b3e023266148d5cafc8403118d370bc455254fe02eb75df554de461b779d522d9217fbac467c83ea7c

Download Submit
C:\Windows\Temp\Tmp_.exe

Filesize
528KB

MD5
956f0ea9908ea47205b098dca0f6b9f7

SHA1
15d12523b3339c9fbe7618f246fa067e8f59b3cc

SHA256
7b74019e246955d150aa1f1a6e169426343fa20b0eeb82919ae044a24fc36166

SHA512
ce81a67c51ceea8463d628a631070a0c31880e4692d4e3b3e023266148d5cafc8403118d370bc455254fe02eb75df554de461b779d522d9217fbac467c83ea7c

Download Submit
C:\Windows\winstart.bat

Filesize
424B

MD5
7395405494747c55e1e8e8b06e85d5c7

SHA1
2fb997a95ba8ef5b8e7121c5e703b3dd0678e40a

SHA256
40bc16d6ecf2ad1a8fc4da9367e8dd52592b476e4af5115507ca0257daa57778

SHA512
feeae481ae7dad981786e876cdd594bb20ae6dea3bfc6e48fc91c72ca915afff006b690d151ec9f9e5d2f4d648950c497a3cb48e7b66259783f32cba7a251bc7

Download Submit
\Windows\Temp\Tmp_.exe

Filesize
528KB

MD5
956f0ea9908ea47205b098dca0f6b9f7

SHA1
15d12523b3339c9fbe7618f246fa067e8f59b3cc

SHA256
7b74019e246955d150aa1f1a6e169426343fa20b0eeb82919ae044a24fc36166

SHA512
ce81a67c51ceea8463d628a631070a0c31880e4692d4e3b3e023266148d5cafc8403118d370bc455254fe02eb75df554de461b779d522d9217fbac467c83ea7c

Download Submit
\Windows\Temp\Tmp_.exe

Filesize
528KB

MD5
956f0ea9908ea47205b098dca0f6b9f7

SHA1
15d12523b3339c9fbe7618f246fa067e8f59b3cc

SHA256
7b74019e246955d150aa1f1a6e169426343fa20b0eeb82919ae044a24fc36166

SHA512
ce81a67c51ceea8463d628a631070a0c31880e4692d4e3b3e023266148d5cafc8403118d370bc455254fe02eb75df554de461b779d522d9217fbac467c83ea7c

Download Submit
memory/1292-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing