e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a

General

Target

e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
Size

408KB
MD5

2d237a52c2212f0a064bb273914f6e99
SHA1

c8381bce149b4876a570b9b4f3719632a2d0ba68
SHA256

e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a
SHA512

ecf735e0f60cc0750faa370e0f9f9a2a1c1f78eb36516b8af0df1d4d9eb0d2f10d43b3370abf397c1728d5abcda2b6885b76bf9c4ecb33dbcfebd7292f29ab12
SSDEEP

6144:VMTCP9B0JhBtt4DAfhBZUI4v057UZvy25EDuE7UODTStFJAPqcs4hYIeqELUQM5:h9B0JhveE5PUI4v0yhtOvSKPqwrgUF

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
Loads dropped DLL 1 IoCs

Processes:

e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe

pid process

1308 e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe

pid	process
1212	Explorer.EXE

pid	process
1308	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CC22D298-C740-E600-D000-B5F854B62D} = "\"C:\\Users\\Admin\\AppData\\Roaming\\{CC22D298-C740-E600-D000-B5F854B62D}\\qrwxdijopu.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exee8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe

description	pid	process	target process
PID 1308 set thread context of 1220	1308	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
PID 1220 set thread context of 1408	1220	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exesvchost.exe

pid	process
1220	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE

pid	process
1212	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1220	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
Token: SeSecurityPrivilege	1220	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
Token: SeSecurityPrivilege	1408	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exee8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1212

C:\Users\Admin\AppData\Local\Temp\e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
"C:\Users\Admin\AppData\Local\Temp\e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
"C:\Users\Admin\AppData\Local\Temp\e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsoFDB.tmp\flit.dll

Filesize
17KB

MD5
d92b20de95ffa42df5001e31b4cf5923

SHA1
b49ab42ceb9c0006efbdcecc57a16fb74a64f7d9

SHA256
1d80b533493eb1f3bd781ca3fafa0c208f988b8bdd2489684eeb56d298d93f56

SHA512
775aadf9cc6eef1dafe5dd05195814709674e9dae1d553c223d80dbc93784140654a4ee2be6fe98705b55ebbd42dcac1d3cd55db7e77e8a3d66e7ca3bcf9d5d8

Download Submit
memory/1212-79-0x0000000002A50000-0x0000000002A5E000-memory.dmp

Filesize
56KB

Download
memory/1220-66-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1220-78-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1220-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1220-61-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1220-63-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1220-64-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1220-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1220-67-0x0000000000404760-mapping.dmp

Download
memory/1220-70-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1220-57-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1308-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1408-73-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1408-74-0x000000001000B176-mapping.dmp

Download
memory/1408-77-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1408-71-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1408-80-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1408-81-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download

description	pid	process	target process
PID 1308 wrote to memory of 1220	1308	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
PID 1308 wrote to memory of 1220	1308	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
PID 1308 wrote to memory of 1220	1308	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
PID 1308 wrote to memory of 1220	1308	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
PID 1308 wrote to memory of 1220	1308	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
PID 1308 wrote to memory of 1220	1308	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
PID 1308 wrote to memory of 1220	1308	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
PID 1308 wrote to memory of 1220	1308	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
PID 1308 wrote to memory of 1220	1308	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
PID 1308 wrote to memory of 1220	1308	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
PID 1308 wrote to memory of 1220	1308	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
PID 1308 wrote to memory of 1220	1308	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
PID 1308 wrote to memory of 1220	1308	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
PID 1308 wrote to memory of 1220	1308	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe
PID 1220 wrote to memory of 1212	1220	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	Explorer.EXE
PID 1220 wrote to memory of 1212	1220	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	Explorer.EXE
PID 1220 wrote to memory of 1212	1220	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	Explorer.EXE
PID 1220 wrote to memory of 1408	1220	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	svchost.exe
PID 1220 wrote to memory of 1408	1220	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	svchost.exe
PID 1220 wrote to memory of 1408	1220	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	svchost.exe
PID 1220 wrote to memory of 1408	1220	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	svchost.exe
PID 1220 wrote to memory of 1408	1220	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	svchost.exe
PID 1220 wrote to memory of 1408	1220	e8b4b52842cf67efa4c44baa532f4ca68c4ec59d3dfd73952a85beab247f952a.exe	svchost.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads