7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2

General

Target

7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
Size

1.7MB
MD5

a66282481f48517e949391e3934893c4
SHA1

2175ad550cfe6cb1c5623879a33570a6650468d3
SHA256

7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2
SHA512

f25510e2c8685a068b3a6a37921c50c293d1e0282610db0c9cdaf5764a99e65a15be5def754417384f0cfb15852236d31c56fa01a0ad3689de79292b9aafd303
SSDEEP

24576:K2NJ7Ivu9SQHEer6bXqs7W6ev2BBoS1A8LgbOjmsa:5qf7382BKS1sO6sa

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Espadres	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe

description	ioc	process
File opened (read-only)	\??\W:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\X:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\A:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\N:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\R:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\H:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\K:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\M:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\P:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\U:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\B:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\E:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\F:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\Q:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\S:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\T:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\V:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\Z:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\G:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\I:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\O:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\J:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\L:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
File opened (read-only)	\??\Y:	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe

pid	process
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
2696	7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe

C:\Users\Admin\AppData\Local\Temp\7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe
"C:\Users\Admin\AppData\Local\Temp\7df1a698dfa5e630b33fe366baa48ceef77bc3026d0b9b0e178f9fd6de2637a2.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2696