71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86

General

Target

71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe
Size

1.4MB
MD5

04e3a8a7e51e095e4f6e5f00f639a447
SHA1

1f18941c35ed9092cadd85e38c85f46c3cb8e6a1
SHA256

71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86
SHA512

c6d1057b6a1309e7e6ec09440176b4acd2d7ccaeef9e2858c636df6c3156896d3894cae820a1121b7b93c464a46417d857b7f579e21ab23e7f6165e906425190
SSDEEP

24576:nbNI1Hk32WDhOd0+cXoNxz0gZ402j3BsN9L2ORE1kiStxAqxI9w+H1:mlk32WDu0+3NygF2j3BvOeGiSk3NH1

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

is-BBEB4.tmp

pid process

692 is-BBEB4.tmp
Loads dropped DLL 4 IoCs

Processes:

71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exeis-BBEB4.tmp

pid process

1108 71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe
692 is-BBEB4.tmp
692 is-BBEB4.tmp
692 is-BBEB4.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

is-BBEB4.tmp

pid process

692 is-BBEB4.tmp

pid	process
692	is-BBEB4.tmp

pid	process
1108	71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe
692	is-BBEB4.tmp
692	is-BBEB4.tmp
692	is-BBEB4.tmp

pid	process
692	is-BBEB4.tmp

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe

description	pid	process	target process
PID 1108 wrote to memory of 692	1108	71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe	is-BBEB4.tmp
PID 1108 wrote to memory of 692	1108	71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe	is-BBEB4.tmp
PID 1108 wrote to memory of 692	1108	71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe	is-BBEB4.tmp
PID 1108 wrote to memory of 692	1108	71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe	is-BBEB4.tmp
PID 1108 wrote to memory of 692	1108	71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe	is-BBEB4.tmp
PID 1108 wrote to memory of 692	1108	71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe	is-BBEB4.tmp
PID 1108 wrote to memory of 692	1108	71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe	is-BBEB4.tmp

C:\Users\Admin\AppData\Local\Temp\71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe
"C:\Users\Admin\AppData\Local\Temp\71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\is-J5GGG.tmp\is-BBEB4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J5GGG.tmp\is-BBEB4.tmp" /SL4 $80022 C:\Users\Admin\AppData\Local\Temp\71a129a28bd426cdd8d51a4adca32ae643ed3d135e442fd2218b934f38560d86.exe 1263274 50688
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:692

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-J5GGG.tmp\is-BBEB4.tmp
Filesize
572KB

MD5
0d0622f7d2fd629455a028d7e1cb1c07

SHA1
82bdfc15f188241c535d7a42f0f95c99d0913bf4

SHA256
ab0982c120a65adc3aa898af09ad923c9b896edfc52f7d206798c5fdf59d8f5a

SHA512
eb5a930c1ba85b9cdb60a65fcead39592f7a1b87985d927580bbdb9f8682087291a4eac9f5b2f7c8d4aa7abff78ce8c53dd7285bd7be8572cb65ade906e8807a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J5GGG.tmp\is-BBEB4.tmp
Filesize
572KB

MD5
0d0622f7d2fd629455a028d7e1cb1c07

SHA1
82bdfc15f188241c535d7a42f0f95c99d0913bf4

SHA256
ab0982c120a65adc3aa898af09ad923c9b896edfc52f7d206798c5fdf59d8f5a

SHA512
eb5a930c1ba85b9cdb60a65fcead39592f7a1b87985d927580bbdb9f8682087291a4eac9f5b2f7c8d4aa7abff78ce8c53dd7285bd7be8572cb65ade906e8807a

Download Submit
\Users\Admin\AppData\Local\Temp\is-J5GGG.tmp\is-BBEB4.tmp
Filesize
572KB

MD5
0d0622f7d2fd629455a028d7e1cb1c07

SHA1
82bdfc15f188241c535d7a42f0f95c99d0913bf4

SHA256
ab0982c120a65adc3aa898af09ad923c9b896edfc52f7d206798c5fdf59d8f5a

SHA512
eb5a930c1ba85b9cdb60a65fcead39592f7a1b87985d927580bbdb9f8682087291a4eac9f5b2f7c8d4aa7abff78ce8c53dd7285bd7be8572cb65ade906e8807a

Download Submit
\Users\Admin\AppData\Local\Temp\is-RMQ2Q.tmp\_isdecmp.dll
Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
\Users\Admin\AppData\Local\Temp\is-RMQ2Q.tmp\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RMQ2Q.tmp\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/692-59-0x0000000000000000-mapping.dmp

Download
memory/1108-54-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download
memory/1108-55-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1108-57-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing