17555d8164719bdb754a1e2da4a202bb64f9a9a4a10e3fcb8d2c1396e702d8ec

General

Target

17555d8164719bdb754a1e2da4a202bb64f9a9a4a10e3fcb8d2c1396e702d8ec.exe
Size

721KB
MD5

67f63ad6be699135e8c14e836874fca4
SHA1

2056d5b968e4cdfbbea684026540aa0a7b3ded71
SHA256

17555d8164719bdb754a1e2da4a202bb64f9a9a4a10e3fcb8d2c1396e702d8ec
SHA512

ba8c26a41c7dc97cd6f810d697e48edc2f4727481e79c2f9b84098db6cbbc2cfb77625f10403cab25bd904612e690afc4eea7c3947721981e68faa4e912b89f6
SSDEEP

12288:CzZ7UjD5fFh/Rkn8qiZC8r6HzXStmy3Qpav3EVqxJaLFlBR5Wb7T4FDKA:CzZUFhHfZdr6TSme+avwRCYd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Au_.exe

pid process

908 Au_.exe
Deletes itself 1 IoCs

Processes:

Au_.exe

pid process

908 Au_.exe
Loads dropped DLL 2 IoCs

Processes:

17555d8164719bdb754a1e2da4a202bb64f9a9a4a10e3fcb8d2c1396e702d8ec.exeAu_.exe

pid process

1800 17555d8164719bdb754a1e2da4a202bb64f9a9a4a10e3fcb8d2c1396e702d8ec.exe
908 Au_.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
908	Au_.exe

pid	process
908	Au_.exe

pid	process
1800	17555d8164719bdb754a1e2da4a202bb64f9a9a4a10e3fcb8d2c1396e702d8ec.exe
908	Au_.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

17555d8164719bdb754a1e2da4a202bb64f9a9a4a10e3fcb8d2c1396e702d8ec.exeAu_.exe

description	pid	process	target process
PID 1800 wrote to memory of 908	1800	17555d8164719bdb754a1e2da4a202bb64f9a9a4a10e3fcb8d2c1396e702d8ec.exe	Au_.exe
PID 1800 wrote to memory of 908	1800	17555d8164719bdb754a1e2da4a202bb64f9a9a4a10e3fcb8d2c1396e702d8ec.exe	Au_.exe
PID 1800 wrote to memory of 908	1800	17555d8164719bdb754a1e2da4a202bb64f9a9a4a10e3fcb8d2c1396e702d8ec.exe	Au_.exe
PID 1800 wrote to memory of 908	1800	17555d8164719bdb754a1e2da4a202bb64f9a9a4a10e3fcb8d2c1396e702d8ec.exe	Au_.exe
PID 908 wrote to memory of 316	908	Au_.exe	regsvr32.exe
PID 908 wrote to memory of 316	908	Au_.exe	regsvr32.exe
PID 908 wrote to memory of 316	908	Au_.exe	regsvr32.exe
PID 908 wrote to memory of 316	908	Au_.exe	regsvr32.exe
PID 908 wrote to memory of 316	908	Au_.exe	regsvr32.exe
PID 908 wrote to memory of 316	908	Au_.exe	regsvr32.exe
PID 908 wrote to memory of 316	908	Au_.exe	regsvr32.exe
PID 908 wrote to memory of 1568	908	Au_.exe	regsvr32.exe
PID 908 wrote to memory of 1568	908	Au_.exe	regsvr32.exe
PID 908 wrote to memory of 1568	908	Au_.exe	regsvr32.exe
PID 908 wrote to memory of 1568	908	Au_.exe	regsvr32.exe
PID 908 wrote to memory of 1568	908	Au_.exe	regsvr32.exe
PID 908 wrote to memory of 1568	908	Au_.exe	regsvr32.exe
PID 908 wrote to memory of 1568	908	Au_.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\17555d8164719bdb754a1e2da4a202bb64f9a9a4a10e3fcb8d2c1396e702d8ec.exe
"C:\Users\Admin\AppData\Local\Temp\17555d8164719bdb754a1e2da4a202bb64f9a9a4a10e3fcb8d2c1396e702d8ec.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /u "C:\Windows\system32\CryptoKit.CertEnrollment.XTBank.x64.dll" /s
    3⤵
    PID:316
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /u "C:\Windows\system32\CryptoKit.CertEnrollment.XTBank.x86.dll" /s
    3⤵
    PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
721KB

MD5
67f63ad6be699135e8c14e836874fca4

SHA1
2056d5b968e4cdfbbea684026540aa0a7b3ded71

SHA256
17555d8164719bdb754a1e2da4a202bb64f9a9a4a10e3fcb8d2c1396e702d8ec

SHA512
ba8c26a41c7dc97cd6f810d697e48edc2f4727481e79c2f9b84098db6cbbc2cfb77625f10403cab25bd904612e690afc4eea7c3947721981e68faa4e912b89f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
721KB

MD5
67f63ad6be699135e8c14e836874fca4

SHA1
2056d5b968e4cdfbbea684026540aa0a7b3ded71

SHA256
17555d8164719bdb754a1e2da4a202bb64f9a9a4a10e3fcb8d2c1396e702d8ec

SHA512
ba8c26a41c7dc97cd6f810d697e48edc2f4727481e79c2f9b84098db6cbbc2cfb77625f10403cab25bd904612e690afc4eea7c3947721981e68faa4e912b89f6

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFE6D.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
721KB

MD5
67f63ad6be699135e8c14e836874fca4

SHA1
2056d5b968e4cdfbbea684026540aa0a7b3ded71

SHA256
17555d8164719bdb754a1e2da4a202bb64f9a9a4a10e3fcb8d2c1396e702d8ec

SHA512
ba8c26a41c7dc97cd6f810d697e48edc2f4727481e79c2f9b84098db6cbbc2cfb77625f10403cab25bd904612e690afc4eea7c3947721981e68faa4e912b89f6

Download Submit
memory/316-61-0x0000000000000000-mapping.dmp

Download
memory/316-62-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

Filesize
8KB

Download
memory/908-56-0x0000000000000000-mapping.dmp

Download
memory/1568-63-0x0000000000000000-mapping.dmp

Download
memory/1800-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing