b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c

General

Target

b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c.exe
Size

337KB
MD5

18d962bd5395803bc4c64d8ea7bc0502
SHA1

e0a9b7fe52653d5d9ee0a7f853a702070f12975c
SHA256

b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c
SHA512

6f4508eeb3a2186e98a58334157aa88a370f84f811103686fb1d93ce62f6e4004e219c00ee9bc12069815e4882cedf580e5ea5e428593c37679f8cb791264d17
SSDEEP

6144:+gs6aZaeekKozTCUaNt17hMQeyQmZoKswSqsK4NXkv:+gs7Uee9ozOUABhMQelmZVsrqB42

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

fhzeevj.exe

pid process

868 fhzeevj.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1712 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exefhzeevj.exe

pid process

1712 cmd.exe
1712 cmd.exe
868 fhzeevj.exe

pid	process
1712	cmd.exe

pid	process
1712	cmd.exe
1712	cmd.exe
868	fhzeevj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

624 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

468 PING.EXE

pid	process
624	taskkill.exe

pid	process
468	PING.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

fhzeevj.exe

pid	process
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe
868	fhzeevj.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 624 taskkill.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

fhzeevj.exe

pid process

868 fhzeevj.exe
868 fhzeevj.exe
868 fhzeevj.exe
868 fhzeevj.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

fhzeevj.exe

pid process

868 fhzeevj.exe
868 fhzeevj.exe
868 fhzeevj.exe
868 fhzeevj.exe

description	pid	process
Token: SeDebugPrivilege	624	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c.execmd.exe

description	pid	process	target process
PID 1752 wrote to memory of 1712	1752	b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c.exe	cmd.exe
PID 1752 wrote to memory of 1712	1752	b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c.exe	cmd.exe
PID 1752 wrote to memory of 1712	1752	b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c.exe	cmd.exe
PID 1752 wrote to memory of 1712	1752	b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c.exe	cmd.exe
PID 1712 wrote to memory of 624	1712	cmd.exe	taskkill.exe
PID 1712 wrote to memory of 624	1712	cmd.exe	taskkill.exe
PID 1712 wrote to memory of 624	1712	cmd.exe	taskkill.exe
PID 1712 wrote to memory of 624	1712	cmd.exe	taskkill.exe
PID 1712 wrote to memory of 468	1712	cmd.exe	PING.EXE
PID 1712 wrote to memory of 468	1712	cmd.exe	PING.EXE
PID 1712 wrote to memory of 468	1712	cmd.exe	PING.EXE
PID 1712 wrote to memory of 468	1712	cmd.exe	PING.EXE
PID 1712 wrote to memory of 868	1712	cmd.exe	fhzeevj.exe
PID 1712 wrote to memory of 868	1712	cmd.exe	fhzeevj.exe
PID 1712 wrote to memory of 868	1712	cmd.exe	fhzeevj.exe
PID 1712 wrote to memory of 868	1712	cmd.exe	fhzeevj.exe

C:\Users\Admin\AppData\Local\Temp\b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c.exe
"C:\Users\Admin\AppData\Local\Temp\b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1752 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c.exe" & start C:\Users\Admin\AppData\Local\fhzeevj.exe -f
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 1752
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
3⤵
- Runs ping.exe
PID:468

C:\Users\Admin\AppData\Local\fhzeevj.exe
C:\Users\Admin\AppData\Local\fhzeevj.exe -f
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\fhzeevj.exe

Filesize
337KB

MD5
18d962bd5395803bc4c64d8ea7bc0502

SHA1
e0a9b7fe52653d5d9ee0a7f853a702070f12975c

SHA256
b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c

SHA512
6f4508eeb3a2186e98a58334157aa88a370f84f811103686fb1d93ce62f6e4004e219c00ee9bc12069815e4882cedf580e5ea5e428593c37679f8cb791264d17

Download Submit
C:\Users\Admin\AppData\Local\fhzeevj.exe

Filesize
337KB

MD5
18d962bd5395803bc4c64d8ea7bc0502

SHA1
e0a9b7fe52653d5d9ee0a7f853a702070f12975c

SHA256
b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c

SHA512
6f4508eeb3a2186e98a58334157aa88a370f84f811103686fb1d93ce62f6e4004e219c00ee9bc12069815e4882cedf580e5ea5e428593c37679f8cb791264d17

Download Submit
\Users\Admin\AppData\Local\fhzeevj.exe

Filesize
337KB

MD5
18d962bd5395803bc4c64d8ea7bc0502

SHA1
e0a9b7fe52653d5d9ee0a7f853a702070f12975c

SHA256
b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c

SHA512
6f4508eeb3a2186e98a58334157aa88a370f84f811103686fb1d93ce62f6e4004e219c00ee9bc12069815e4882cedf580e5ea5e428593c37679f8cb791264d17

Download Submit
\Users\Admin\AppData\Local\fhzeevj.exe

Filesize
337KB

MD5
18d962bd5395803bc4c64d8ea7bc0502

SHA1
e0a9b7fe52653d5d9ee0a7f853a702070f12975c

SHA256
b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c

SHA512
6f4508eeb3a2186e98a58334157aa88a370f84f811103686fb1d93ce62f6e4004e219c00ee9bc12069815e4882cedf580e5ea5e428593c37679f8cb791264d17

Download Submit
\Users\Admin\AppData\Local\fhzeevj.exe

Filesize
337KB

MD5
18d962bd5395803bc4c64d8ea7bc0502

SHA1
e0a9b7fe52653d5d9ee0a7f853a702070f12975c

SHA256
b66e3e78bd19610dd9472a7f1b710e2a294cf553aa63d35c0c057643a1f28e6c

SHA512
6f4508eeb3a2186e98a58334157aa88a370f84f811103686fb1d93ce62f6e4004e219c00ee9bc12069815e4882cedf580e5ea5e428593c37679f8cb791264d17

Download Submit
memory/468-59-0x0000000000000000-mapping.dmp

Download
memory/624-58-0x0000000000000000-mapping.dmp

Download
memory/868-63-0x0000000000000000-mapping.dmp

Download
memory/868-67-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/868-68-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/1712-56-0x0000000000000000-mapping.dmp

Download
memory/1752-57-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/1752-54-0x00000000002B0000-0x00000000002B3000-memory.dmp

Filesize
12KB

Download
memory/1752-55-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads