55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56

General

Target

55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe
Size

1.0MB
MD5

874b7631e1db0c41e25a1d972509c2a8
SHA1

1fae4e0ae24f927b64fa1c482b2fa79d33fa7a3c
SHA256

55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56
SHA512

93abcdaf6c6bc3b3b3cc10d6b6196d4c4a1a08ad07685339fd9dc5eee49aa381715ee8e0f9c0fece5194165f151e0eae5e0db249607fdac4eb6694234471393d
SSDEEP

24576:E4lavt0LkLL9IMixoEgeadpF6Mm3Jd3eWq9MmCS:Tkwkn9IMHeadpFbm3JNPaPCS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

952 cmd.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1356 rundll32.exe
1356 rundll32.exe
1356 rundll32.exe
1356 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1584 PING.EXE

pid	process
952	cmd.exe

pid	process
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe

pid	process
1584	PING.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe

pid	process
560	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe
560	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe
560	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe

pid	process
560	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe
560	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe
560	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.execmd.exe

description	pid	process	target process
PID 560 wrote to memory of 1356	560	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe	rundll32.exe
PID 560 wrote to memory of 1356	560	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe	rundll32.exe
PID 560 wrote to memory of 1356	560	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe	rundll32.exe
PID 560 wrote to memory of 1356	560	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe	rundll32.exe
PID 560 wrote to memory of 1356	560	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe	rundll32.exe
PID 560 wrote to memory of 1356	560	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe	rundll32.exe
PID 560 wrote to memory of 1356	560	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe	rundll32.exe
PID 560 wrote to memory of 952	560	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe	cmd.exe
PID 560 wrote to memory of 952	560	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe	cmd.exe
PID 560 wrote to memory of 952	560	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe	cmd.exe
PID 560 wrote to memory of 952	560	55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe	cmd.exe
PID 952 wrote to memory of 1584	952	cmd.exe	PING.EXE
PID 952 wrote to memory of 1584	952	cmd.exe	PING.EXE
PID 952 wrote to memory of 1584	952	cmd.exe	PING.EXE
PID 952 wrote to memory of 1584	952	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe
"C:\Users\Admin\AppData\Local\Temp\55c5e66a27ce9077b9665b1ca9f70102de2f0d165486eade861091e881db8a56.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\rundll32.exe
rundll32 c:\windows\temp\msvcp90u.dll,rdl
2⤵
- Loads dropped DLL
PID:1356

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Tempscratch.bat
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\PING.EXE
ping -n 0127.0.0.1
3⤵
- Runs ping.exe
PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Tempscratch.bat

Filesize
322B

MD5
202c240b0525490d56aae8f010017557

SHA1
6cd4d9ac27ef7f157154d6a46aad3f241e8791db

SHA256
3e8db04270135e058ce34e38451c54bca274718559c70f9ee6ccbb97521d5160

SHA512
7fc4d021e7a973e16215b5a7283adcfee7fea0bd338bdfa04554a020bc776bcc6efaa7301dad89df442c10a2446bf3c46a9e81da4fd8972a12dd6b2e55a32ad0

Download Submit
\??\c:\windows\temp\msvcp90u.dll

Filesize
330KB

MD5
169197c84154d58f9eee82052e1b8ee8

SHA1
474a0171bbffefb9490e280e58747fa97895a17d

SHA256
f1ab0a0bf65a285c2409be4fa435b6e85267cc4d5ed2526703e58d753a5c1f19

SHA512
82f1cc75886b760ba88f6a92d65d6cd4f1cb6616b58ec4b2f70856f9958da865e1fbd7016df6bd24ec6607a56b0fd6231a3ef4120ead0930340b27b6ab45ca5d

Download Submit
\Windows\Temp\msvcp90u.dll

Filesize
330KB

MD5
169197c84154d58f9eee82052e1b8ee8

SHA1
474a0171bbffefb9490e280e58747fa97895a17d

SHA256
f1ab0a0bf65a285c2409be4fa435b6e85267cc4d5ed2526703e58d753a5c1f19

SHA512
82f1cc75886b760ba88f6a92d65d6cd4f1cb6616b58ec4b2f70856f9958da865e1fbd7016df6bd24ec6607a56b0fd6231a3ef4120ead0930340b27b6ab45ca5d

Download Submit
\Windows\Temp\msvcp90u.dll

Filesize
330KB

MD5
169197c84154d58f9eee82052e1b8ee8

SHA1
474a0171bbffefb9490e280e58747fa97895a17d

SHA256
f1ab0a0bf65a285c2409be4fa435b6e85267cc4d5ed2526703e58d753a5c1f19

SHA512
82f1cc75886b760ba88f6a92d65d6cd4f1cb6616b58ec4b2f70856f9958da865e1fbd7016df6bd24ec6607a56b0fd6231a3ef4120ead0930340b27b6ab45ca5d

Download Submit
\Windows\Temp\msvcp90u.dll

Filesize
330KB

MD5
169197c84154d58f9eee82052e1b8ee8

SHA1
474a0171bbffefb9490e280e58747fa97895a17d

SHA256
f1ab0a0bf65a285c2409be4fa435b6e85267cc4d5ed2526703e58d753a5c1f19

SHA512
82f1cc75886b760ba88f6a92d65d6cd4f1cb6616b58ec4b2f70856f9958da865e1fbd7016df6bd24ec6607a56b0fd6231a3ef4120ead0930340b27b6ab45ca5d

Download Submit
\Windows\Temp\msvcp90u.dll

Filesize
330KB

MD5
169197c84154d58f9eee82052e1b8ee8

SHA1
474a0171bbffefb9490e280e58747fa97895a17d

SHA256
f1ab0a0bf65a285c2409be4fa435b6e85267cc4d5ed2526703e58d753a5c1f19

SHA512
82f1cc75886b760ba88f6a92d65d6cd4f1cb6616b58ec4b2f70856f9958da865e1fbd7016df6bd24ec6607a56b0fd6231a3ef4120ead0930340b27b6ab45ca5d

Download Submit
memory/560-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/952-56-0x0000000000000000-mapping.dmp

Download
memory/1356-55-0x0000000000000000-mapping.dmp

Download
memory/1584-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads