17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86

General

Target

17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86.exe
Size

120KB
MD5

00d72d8f972ed384ed5b018fe1b68e66
SHA1

2db63c0c678f39018f18c520f50d6b3b0021b682
SHA256

17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86
SHA512

1407c866c9d6273253580437acd05f64002d6e8cbe97d071874711d64eede13dc0a64cd1c6ab2abe2c73dfdcad6930ac8f30ec1fefd2815782158300a8630bad
SSDEEP

3072:dMeZVVcB8v3tajzekZQSLzS9QQUbM81CYTXim6:mehvQX/ZfLxQUbMi

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

524 DllHost.exe

pid	process
524	DllHost.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86.execmd.exe

description	pid	process	target process
PID 108 wrote to memory of 1488	108	17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86.exe	cmd.exe
PID 108 wrote to memory of 1488	108	17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86.exe	cmd.exe
PID 108 wrote to memory of 1488	108	17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86.exe	cmd.exe
PID 108 wrote to memory of 1488	108	17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86.exe	cmd.exe
PID 1488 wrote to memory of 1464	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 1464	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 1464	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 1464	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 1076	1488	cmd.exe	find.exe
PID 1488 wrote to memory of 1076	1488	cmd.exe	find.exe
PID 1488 wrote to memory of 1076	1488	cmd.exe	find.exe
PID 1488 wrote to memory of 1076	1488	cmd.exe	find.exe
PID 1488 wrote to memory of 1124	1488	cmd.exe	find.exe
PID 1488 wrote to memory of 1124	1488	cmd.exe	find.exe
PID 1488 wrote to memory of 1124	1488	cmd.exe	find.exe
PID 1488 wrote to memory of 1124	1488	cmd.exe	find.exe
PID 1488 wrote to memory of 1340	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 1340	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 1340	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 1340	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 836	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 836	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 836	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 836	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 1736	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 1736	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 1736	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 1736	1488	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86.exe
"C:\Users\Admin\AppData\Local\Temp\17c572eef3a4c27a2a28641206ef00066fc3bda80fd01ddb742d4f24675ccc86.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BFC3826.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type BFC3826.bat"
3⤵
PID:1464

C:\Windows\SysWOW64\find.exe
find "e "
3⤵
PID:1076

C:\Windows\SysWOW64\find.exe
find /v "REM"
3⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
cmd /C debug<shell.x
3⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
cmd /C del shell.x
3⤵
PID:836

C:\Windows\SysWOW64\cmd.exe
cmd /C del shell.x
3⤵
PID:1736

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\744590045.jpg

Filesize
6KB

MD5
633f7cd0652d2010583dbddf76e72e88

SHA1
b7cc5c6ddb6881adb926e5764e84401f1e6002a3

SHA256
07286ced517aa924a8528fea22d7bea3f8c50735cdd09f2b8a9be77d9604a80f

SHA512
ad79c3687e928d8ab64fb46bc28e4800454a71cbac68f8598a5ea2d5532c2a7c9a1d1a9f4d069bfc6cf75e51b2bffbe7196b2051ba16ae10bd9eabf45a7e8894

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFC3826.bat

Filesize
101KB

MD5
b4d3bbc40fd2affb7fbdb57901ea7479

SHA1
c39d0f8d9de9852cba3f7a3170e57a18e88a347f

SHA256
c13e106c39236c8631776064f7894adc4337730541dd8262004fc338b5e18c7f

SHA512
4c6d4c1cb700ee882d1e7ab19baa9242814de85025d73f682a4e9f1c9052478f66ae9941e1859b87f0cdfc275b95d385215a9e6439c70c35ac968e69b94b0f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\shell.x

Filesize
100KB

MD5
54d707490c161ea00b472c65b1465583

SHA1
f38295d6c533bbd6c3d962c3846371dc1bd0de22

SHA256
bc53bc2b5ef762727204750161aa6e78e03d9e5afa33b5ff9914cc0679a5b59c

SHA512
011a1400f5ae928ddfbfbab63f183fb87484c5ec367a075fe0c39a1d7c38519bdd10866dcfdfe3fa73ec8fcf9a4dcc42dde2f7dcf76222cb4ece7e2225f7d5e0

Download Submit
memory/108-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/836-62-0x0000000000000000-mapping.dmp

Download
memory/1076-58-0x0000000000000000-mapping.dmp

Download
memory/1124-59-0x0000000000000000-mapping.dmp

Download
memory/1340-60-0x0000000000000000-mapping.dmp

Download
memory/1464-57-0x0000000000000000-mapping.dmp

Download
memory/1488-55-0x0000000000000000-mapping.dmp

Download
memory/1736-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing