a390ee271b70b2994551f070aa40ffc6a0463fb52c3111b5170a6ab50dbca3f3

General

Target

a390ee271b70b2994551f070aa40ffc6a0463fb52c3111b5170a6ab50dbca3f3.exe
Size

644KB
MD5

43a74b2339f24d3ab63a48c6dfb9edd1
SHA1

661a4e4a1f17fce80be658e27030c0d00949d2c5
SHA256

a390ee271b70b2994551f070aa40ffc6a0463fb52c3111b5170a6ab50dbca3f3
SHA512

211deda0edf6a981dc475406ce2ffeb53f40800834c3faed359715e07f9eb405a5d6f1684ea73274f52af25e2a5c45ad1747e8caed8d38e350e1982e49ed971c
SSDEEP

12288:7c//////WwT6zphI6FQUuU6W/unAi+KkZdbxMMeVMgrQzM+i3byjaO1:7c//////TT6Fh1+U0nudbxpeVMGxul1

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ÂÌÉ«.exesvchos.exe

pid process

844 ÂÌÉ«.exe
900 svchos.exe
Loads dropped DLL 1 IoCs

Processes:

ÂÌÉ«.exe

pid process

844 ÂÌÉ«.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

ÂÌÉ«.exesvchos.exe

pid process

844 ÂÌÉ«.exe
844 ÂÌÉ«.exe
844 ÂÌÉ«.exe
844 ÂÌÉ«.exe
844 ÂÌÉ«.exe
900 svchos.exe
900 svchos.exe

pid	process
844	ÂÌÉ«.exe
900	svchos.exe

pid	process
844	ÂÌÉ«.exe

pid	process
844	ÂÌÉ«.exe
844	ÂÌÉ«.exe
844	ÂÌÉ«.exe
844	ÂÌÉ«.exe
844	ÂÌÉ«.exe
900	svchos.exe
900	svchos.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a390ee271b70b2994551f070aa40ffc6a0463fb52c3111b5170a6ab50dbca3f3.execmd.execmd.exe

description	pid	process	target process
PID 984 wrote to memory of 4444	984	a390ee271b70b2994551f070aa40ffc6a0463fb52c3111b5170a6ab50dbca3f3.exe	cmd.exe
PID 984 wrote to memory of 4444	984	a390ee271b70b2994551f070aa40ffc6a0463fb52c3111b5170a6ab50dbca3f3.exe	cmd.exe
PID 984 wrote to memory of 4444	984	a390ee271b70b2994551f070aa40ffc6a0463fb52c3111b5170a6ab50dbca3f3.exe	cmd.exe
PID 984 wrote to memory of 2192	984	a390ee271b70b2994551f070aa40ffc6a0463fb52c3111b5170a6ab50dbca3f3.exe	cmd.exe
PID 984 wrote to memory of 2192	984	a390ee271b70b2994551f070aa40ffc6a0463fb52c3111b5170a6ab50dbca3f3.exe	cmd.exe
PID 984 wrote to memory of 2192	984	a390ee271b70b2994551f070aa40ffc6a0463fb52c3111b5170a6ab50dbca3f3.exe	cmd.exe
PID 2192 wrote to memory of 844	2192	cmd.exe	ÂÌÉ«.exe
PID 2192 wrote to memory of 844	2192	cmd.exe	ÂÌÉ«.exe
PID 2192 wrote to memory of 844	2192	cmd.exe	ÂÌÉ«.exe
PID 4444 wrote to memory of 900	4444	cmd.exe	svchos.exe
PID 4444 wrote to memory of 900	4444	cmd.exe	svchos.exe
PID 4444 wrote to memory of 900	4444	cmd.exe	svchos.exe

C:\Users\Admin\AppData\Local\Temp\a390ee271b70b2994551f070aa40ffc6a0463fb52c3111b5170a6ab50dbca3f3.exe
"C:\Users\Admin\AppData\Local\Temp\a390ee271b70b2994551f070aa40ffc6a0463fb52c3111b5170a6ab50dbca3f3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\svchos.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\svchos.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ÂÌÉ«.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Local\Temp\ÂÌÉ«.exe
C:\Users\Admin\AppData\Local\Temp\ÂÌÉ«.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.0MB

MD5
dde0681ba7a02bbb1c9b756af7e53fd2

SHA1
eb1310a5848614d89e71e76bf6beee497a068017

SHA256
f1efcaa3a7b5bf98819ec0076984f4af595d595c2553f4eec454e6d96f2bf080

SHA512
1f9892ea5727159e7f0ec836dac78bd6923f7b803e5f39113a14c27b4bea5353503a7b998088cdf8ad0f0920e66a241c588bec0b2cab6b02157b54ab4ce30ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchos.exe

Filesize
52KB

MD5
c53707cf8e3d2e42776df41a5fac3bf8

SHA1
6a29759f93c32f8138c8a0989094f7cfc1df7b11

SHA256
d3f639f39d612adefb2dcef15f8821de97b5556064cec77a3e6d7f3abeee7c4a

SHA512
dc053aba8ce185d6315887ec8adf6eeb505e6e847cd94bf4b73d486cf924760830e8d48b9a4e520a75def24a0343a6ed6c4980e7497223d20875b11f2afa7520

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchos.exe

Filesize
52KB

MD5
c53707cf8e3d2e42776df41a5fac3bf8

SHA1
6a29759f93c32f8138c8a0989094f7cfc1df7b11

SHA256
d3f639f39d612adefb2dcef15f8821de97b5556064cec77a3e6d7f3abeee7c4a

SHA512
dc053aba8ce185d6315887ec8adf6eeb505e6e847cd94bf4b73d486cf924760830e8d48b9a4e520a75def24a0343a6ed6c4980e7497223d20875b11f2afa7520

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÂÌÉ«.exe

Filesize
547KB

MD5
156fd0bfa8e34c9631a8a9d7c8a366d6

SHA1
e75e6027f10f092bde3ebbc6d99cc734cfdcdf86

SHA256
839e2eff174c25d897c9611ea04990f3e083a02f26b65bc1548dcd0926f5c9b6

SHA512
6af4a66da22c09806f42594f8d89ec2397d0d5ab94b8cfd67b6dc9769ba7332e3505f2e7b896a85ead50b6876292363dc06790d1e6cccf38ac995b3e3fd775da

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÂÌÉ«.exe

Filesize
547KB

MD5
156fd0bfa8e34c9631a8a9d7c8a366d6

SHA1
e75e6027f10f092bde3ebbc6d99cc734cfdcdf86

SHA256
839e2eff174c25d897c9611ea04990f3e083a02f26b65bc1548dcd0926f5c9b6

SHA512
6af4a66da22c09806f42594f8d89ec2397d0d5ab94b8cfd67b6dc9769ba7332e3505f2e7b896a85ead50b6876292363dc06790d1e6cccf38ac995b3e3fd775da

Download Submit
memory/844-134-0x0000000000000000-mapping.dmp

Download
memory/844-137-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/844-145-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/900-138-0x0000000000000000-mapping.dmp

Download
memory/2192-133-0x0000000000000000-mapping.dmp

Download
memory/4444-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing