37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6

General

Target

37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
Size

30KB
MD5

7ed898aa2a8b247f7c7a46d71b125ea8
SHA1

b4c2625707fa9088ba093be8ce433454171cbec6
SHA256

37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6
SHA512

8c7fc56be39bcbf9c4b8267ee184237a7ce753fc0f7b6525eb11cf6733ea9bcdf3c021a37ba648e4c50a1404a6ea8e7b69cf82ae9c78cce9b089303501968fd5
SSDEEP

384:8Ya0V/Sfz6O1gSrFhJmhAEEthzTm7Gk3p35G2A3ISV4GWWL7Uepc:8Y5Vu9x6hrCzTmj5G2/2WWLgee

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

xwjfk.exexwjfk.exe

pid process

1176 xwjfk.exe
1568 xwjfk.exe
Deletes itself 1 IoCs

Processes:

xwjfk.exe

pid process

1568 xwjfk.exe

pid	process
1176	xwjfk.exe
1568	xwjfk.exe

pid	process
1568	xwjfk.exe

Loads dropped DLL 3 IoCs

Processes:

37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exexwjfk.exe

pid	process
1000	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
1000	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
1176	xwjfk.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exexwjfk.exe

description	pid	process	target process
PID 1672 set thread context of 1000	1672	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
PID 1176 set thread context of 1568	1176	xwjfk.exe	xwjfk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exexwjfk.exe

description	pid	process	target process
PID 1672 wrote to memory of 1000	1672	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
PID 1672 wrote to memory of 1000	1672	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
PID 1672 wrote to memory of 1000	1672	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
PID 1672 wrote to memory of 1000	1672	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
PID 1672 wrote to memory of 1000	1672	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
PID 1672 wrote to memory of 1000	1672	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
PID 1672 wrote to memory of 1000	1672	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
PID 1672 wrote to memory of 1000	1672	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
PID 1000 wrote to memory of 1176	1000	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe	xwjfk.exe
PID 1000 wrote to memory of 1176	1000	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe	xwjfk.exe
PID 1000 wrote to memory of 1176	1000	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe	xwjfk.exe
PID 1000 wrote to memory of 1176	1000	37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe	xwjfk.exe
PID 1176 wrote to memory of 1568	1176	xwjfk.exe	xwjfk.exe
PID 1176 wrote to memory of 1568	1176	xwjfk.exe	xwjfk.exe
PID 1176 wrote to memory of 1568	1176	xwjfk.exe	xwjfk.exe
PID 1176 wrote to memory of 1568	1176	xwjfk.exe	xwjfk.exe
PID 1176 wrote to memory of 1568	1176	xwjfk.exe	xwjfk.exe
PID 1176 wrote to memory of 1568	1176	xwjfk.exe	xwjfk.exe
PID 1176 wrote to memory of 1568	1176	xwjfk.exe	xwjfk.exe
PID 1176 wrote to memory of 1568	1176	xwjfk.exe	xwjfk.exe

C:\Users\Admin\AppData\Local\Temp\37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
"C:\Users\Admin\AppData\Local\Temp\37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe
"C:\Users\Admin\AppData\Local\Temp\37bbf261819afd6fabb75cb8815d4651e09329ab5cb8fe0b01d376096f195ab6.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Local\Temp\xwjfk.exe
"C:\Users\Admin\AppData\Local\Temp\xwjfk.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Local\Temp\xwjfk.exe
"C:\Users\Admin\AppData\Local\Temp\xwjfk.exe"
4⤵
- Executes dropped EXE
- Deletes itself
PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xwjfk.exe

Filesize
30KB

MD5
bc33e98b4a98334fc8d9620e513535b6

SHA1
26fa7ad57c3cdd688df5fa4ffea404e6b623ce6c

SHA256
66731adf5a629167c2fc7781c086f27bd4a25788e2cfcdb7c69e36868f2397ca

SHA512
ea7e47e7d99ad6434014e274d8907dce921b1bb58de95feb2f201a43b6e5c8f2d30b066fec7cfec187621aa47e62500a4fb34511b749f847ff6e8804795495e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwjfk.exe

Filesize
30KB

MD5
bc33e98b4a98334fc8d9620e513535b6

SHA1
26fa7ad57c3cdd688df5fa4ffea404e6b623ce6c

SHA256
66731adf5a629167c2fc7781c086f27bd4a25788e2cfcdb7c69e36868f2397ca

SHA512
ea7e47e7d99ad6434014e274d8907dce921b1bb58de95feb2f201a43b6e5c8f2d30b066fec7cfec187621aa47e62500a4fb34511b749f847ff6e8804795495e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwjfk.exe

Filesize
30KB

MD5
bc33e98b4a98334fc8d9620e513535b6

SHA1
26fa7ad57c3cdd688df5fa4ffea404e6b623ce6c

SHA256
66731adf5a629167c2fc7781c086f27bd4a25788e2cfcdb7c69e36868f2397ca

SHA512
ea7e47e7d99ad6434014e274d8907dce921b1bb58de95feb2f201a43b6e5c8f2d30b066fec7cfec187621aa47e62500a4fb34511b749f847ff6e8804795495e8

Download Submit
\Users\Admin\AppData\Local\Temp\xwjfk.exe

Filesize
30KB

MD5
bc33e98b4a98334fc8d9620e513535b6

SHA1
26fa7ad57c3cdd688df5fa4ffea404e6b623ce6c

SHA256
66731adf5a629167c2fc7781c086f27bd4a25788e2cfcdb7c69e36868f2397ca

SHA512
ea7e47e7d99ad6434014e274d8907dce921b1bb58de95feb2f201a43b6e5c8f2d30b066fec7cfec187621aa47e62500a4fb34511b749f847ff6e8804795495e8

Download Submit
\Users\Admin\AppData\Local\Temp\xwjfk.exe

Filesize
30KB

MD5
bc33e98b4a98334fc8d9620e513535b6

SHA1
26fa7ad57c3cdd688df5fa4ffea404e6b623ce6c

SHA256
66731adf5a629167c2fc7781c086f27bd4a25788e2cfcdb7c69e36868f2397ca

SHA512
ea7e47e7d99ad6434014e274d8907dce921b1bb58de95feb2f201a43b6e5c8f2d30b066fec7cfec187621aa47e62500a4fb34511b749f847ff6e8804795495e8

Download Submit
\Users\Admin\AppData\Local\Temp\xwjfk.exe

Filesize
30KB

MD5
bc33e98b4a98334fc8d9620e513535b6

SHA1
26fa7ad57c3cdd688df5fa4ffea404e6b623ce6c

SHA256
66731adf5a629167c2fc7781c086f27bd4a25788e2cfcdb7c69e36868f2397ca

SHA512
ea7e47e7d99ad6434014e274d8907dce921b1bb58de95feb2f201a43b6e5c8f2d30b066fec7cfec187621aa47e62500a4fb34511b749f847ff6e8804795495e8

Download Submit
memory/1000-55-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1000-59-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1176-62-0x0000000000000000-mapping.dmp

Download
memory/1176-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1672-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1672-57-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads