3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f

General

Target

3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exe
Size

224KB
MD5

15f5f3242e21413b330fefe9f6af247a
SHA1

b28e3732622559afe23d13a14a86a17d3e855e49
SHA256

3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f
SHA512

54b75b4615531beb163d62e9ee14c902a37d96b21255f6f423f9020c3879e8fc81164910c0ebfd4e2608a2a22d1bae885f2737f548188e16260277e00ca3559c
SSDEEP

3072:kXyqNsMoBuBiZ8ZVpl2mclbj4Uvx+8ysNOu+2eRcKksU61JkkX39RLrw4ySKUba9:7qN5Iep4LnbmlrZW

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exemepam.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	mepam.exe

Executes dropped EXE 1 IoCs

Processes:

mepam.exe

pid process

1488 mepam.exe

pid	process
1488	mepam.exe

Loads dropped DLL 2 IoCs

Processes:

3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exe

pid	process
632	3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exe
632	3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mepam.exe3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /a"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /s"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /r"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /b"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /d"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /l"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /p"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /g"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /e"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /h"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /w"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /q"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /c"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /h"	3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /v"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /y"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /x"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /o"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /u"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /m"	mepam.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /j"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /z"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /n"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /i"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /t"	mepam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\mepam = "C:\\Users\\Admin\\mepam.exe /k"	mepam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exemepam.exe

pid	process
632	3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe
1488	mepam.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exemepam.exe

pid process

632 3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exe
1488 mepam.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exe

description	pid	process	target process
PID 632 wrote to memory of 1488	632	3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exe	mepam.exe
PID 632 wrote to memory of 1488	632	3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exe	mepam.exe
PID 632 wrote to memory of 1488	632	3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exe	mepam.exe
PID 632 wrote to memory of 1488	632	3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exe	mepam.exe

C:\Users\Admin\AppData\Local\Temp\3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exe
"C:\Users\Admin\AppData\Local\Temp\3d39e48c0c93c6e8be50793088b64dda9795a9f431c0e674e3c8c95c386a304f.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\mepam.exe
"C:\Users\Admin\mepam.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\mepam.exe

Filesize
224KB

MD5
63cda7436b52a3628d97eb8eea9f0a4e

SHA1
d401e67cbbb794f9faac4df69520675cfa71ec63

SHA256
afad8a45ac9ae9227d707a72a225d4ce260075258d82f76c08cbcaba1b0a5a7b

SHA512
0e83f0390656b4a11d67a93fcc2df036ac69c8a63ac9f810bbb6d0247b0ef42f79708dc38b3f9dc90f52ed19f7eb98fa34138cec3165d4047c158bd980ce6494

Download Submit
C:\Users\Admin\mepam.exe

Filesize
224KB

MD5
63cda7436b52a3628d97eb8eea9f0a4e

SHA1
d401e67cbbb794f9faac4df69520675cfa71ec63

SHA256
afad8a45ac9ae9227d707a72a225d4ce260075258d82f76c08cbcaba1b0a5a7b

SHA512
0e83f0390656b4a11d67a93fcc2df036ac69c8a63ac9f810bbb6d0247b0ef42f79708dc38b3f9dc90f52ed19f7eb98fa34138cec3165d4047c158bd980ce6494

Download Submit
\Users\Admin\mepam.exe

Filesize
224KB

MD5
63cda7436b52a3628d97eb8eea9f0a4e

SHA1
d401e67cbbb794f9faac4df69520675cfa71ec63

SHA256
afad8a45ac9ae9227d707a72a225d4ce260075258d82f76c08cbcaba1b0a5a7b

SHA512
0e83f0390656b4a11d67a93fcc2df036ac69c8a63ac9f810bbb6d0247b0ef42f79708dc38b3f9dc90f52ed19f7eb98fa34138cec3165d4047c158bd980ce6494

Download Submit
\Users\Admin\mepam.exe

Filesize
224KB

MD5
63cda7436b52a3628d97eb8eea9f0a4e

SHA1
d401e67cbbb794f9faac4df69520675cfa71ec63

SHA256
afad8a45ac9ae9227d707a72a225d4ce260075258d82f76c08cbcaba1b0a5a7b

SHA512
0e83f0390656b4a11d67a93fcc2df036ac69c8a63ac9f810bbb6d0247b0ef42f79708dc38b3f9dc90f52ed19f7eb98fa34138cec3165d4047c158bd980ce6494

Download Submit
memory/632-56-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1488-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads