e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad

General

Target

e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe
Size

2.5MB
MD5

1b8b276db0383d316589ccf81d39d0f7
SHA1

5c5b9969423bfd003ef81aec2a5bbbacdace2890
SHA256

e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad
SHA512

08eb57503cfc64f540dd82f0c53794660798449d8aff0b896ee80424d8a40130fa8a3c439b3e9197f9dfe1341ecff27014916142d54a82da514fc3c6c5b9ffef
SSDEEP

49152:wajg7DRg+d0TvVaLjwVW5GtJ/ws1OY1dBpna+pT5ZvFEbWVSwummsQ:wagm+dGat0t9Rj1Fas7ddwmY

Score

9^/10

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\wtiC6DF.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\wtiC6DF.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\wtiC6DF.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\wtiC6DF.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\wtiC6DF.tmp	acprotect

Executes dropped EXE 1 IoCs

Processes:

INSA53B.tmp

pid process

724 INSA53B.tmp

pid	process
724	INSA53B.tmp

Loads dropped DLL 4 IoCs

Processes:

e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exeINSA53B.tmp

pid	process
544	e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe
544	e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe
724	INSA53B.tmp
724	INSA53B.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe

pid process

544 e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe

description	pid	process	target process
PID 544 wrote to memory of 724	544	e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe	INSA53B.tmp
PID 544 wrote to memory of 724	544	e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe	INSA53B.tmp
PID 544 wrote to memory of 724	544	e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe	INSA53B.tmp

C:\Users\Admin\AppData\Local\Temp\e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe
"C:\Users\Admin\AppData\Local\Temp\e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Local\Temp\INSA53B.tmp
C:\Users\Admin\AppData\Local\Temp\INSA53B.tmp /SL C:\Users\Admin\AppData\Local\Temp\e76e7856a130e72a1150bb6526b09511cca7d1c0d98add474a965cd836c1d1ad.exe 2412316 68096
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INSA53B.tmp

Filesize
364KB

MD5
d8352d45f5f66014779e0b75689885d2

SHA1
bd7222c0d543c8972bdf6208eaf3a61304b70f4c

SHA256
544351f6d2db30695b69be12f96c44df605ddbf39778198b60af4a6ee4b45f64

SHA512
0277957666ddbcc93f537e61b70b27cec48e80f052e944783c0aaa3e88bb83a081d26d9131b53c200a5f5f22fbd8a8dc509a77c26a5b9815044fbfe632465574

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSA53B.tmp

Filesize
364KB

MD5
d8352d45f5f66014779e0b75689885d2

SHA1
bd7222c0d543c8972bdf6208eaf3a61304b70f4c

SHA256
544351f6d2db30695b69be12f96c44df605ddbf39778198b60af4a6ee4b45f64

SHA512
0277957666ddbcc93f537e61b70b27cec48e80f052e944783c0aaa3e88bb83a081d26d9131b53c200a5f5f22fbd8a8dc509a77c26a5b9815044fbfe632465574

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtiC6DF.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtiC6DF.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtiC6DF.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtiC6DF.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtiC6DF.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/544-134-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/544-135-0x0000000000770000-0x00000000007E3000-memory.dmp

Filesize
460KB

Download
memory/544-143-0x0000000000770000-0x00000000007E3000-memory.dmp

Filesize
460KB

Download
memory/724-136-0x0000000000000000-mapping.dmp

Download
memory/724-142-0x0000000002210000-0x0000000002283000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads