Analysis
max time kernel: 189s
max time network: 200s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 09:02
Static task: static1
Behavioral task: behavioral1
- Sample: aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe
- Resource: win10v2004-20220812-en
General
Target: aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe
Size: 1.1MB
MD5: 42d5422b60e6b5e20e7aaf730a81cc87
SHA1: e4c5691422f8bb438cae51bdb4340e75efed9f8d
SHA256: aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033
SHA512: 2eac1dbd2a97dcd4b16e526536ea235553b848dc677a17463ae4ef4381e733e773bd0ac74cf84b89dcd30b56a18e312254c9f2ede6f871b0d1552ea889657f25
SSDEEP: 24576:S7+J7TGhOa+9EuP9HxoXZoVeCe6TXjJpsB8jIy:S7a7TwOaexTz7sU
Malware Config
Signatures
Modifies extensions of user files (15 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: write.exe (all entries below)
- File opened for modification: \??\c:\Users\Admin\Pictures\SwitchConvertTo.tiff
- File renamed: C:\Users\Admin\Pictures\SwitchConvertTo.tiff => \??\c:\Users\Admin\Pictures\SwitchConvertTo.tiff.rnsmcat4er
- File opened for modification: \??\c:\Users\Admin\Pictures\SwitchConvertTo.tiff.rnsmcat4er
- File renamed: C:\Users\Admin\Pictures\CopyPush.tif => \??\c:\Users\Admin\Pictures\CopyPush.tif.rnsmcat4er
- File renamed: C:\Users\Admin\Pictures\ReadSave.crw => \??\c:\Users\Admin\Pictures\ReadSave.crw.rnsmcat4er
- File opened for modification: \??\c:\Users\Admin\Pictures\UndoSelect.tiff
- File renamed: C:\Users\Admin\Pictures\DenySet.tif => \??\c:\Users\Admin\Pictures\DenySet.tif.rnsmcat4er
- File opened for modification: \??\c:\Users\Admin\Pictures\DenySet.tif.rnsmcat4er
- File opened for modification: \??\c:\Users\Admin\Pictures\ReadSave.crw.rnsmcat4er
- File renamed: C:\Users\Admin\Pictures\ResumeRead.tiff => \??\c:\Users\Admin\Pictures\ResumeRead.tiff.rnsmcat4er
- File opened for modification: \??\c:\Users\Admin\Pictures\UndoSelect.tiff.rnsmcat4er
- File opened for modification: \??\c:\Users\Admin\Pictures\CopyPush.tif.rnsmcat4er
- File opened for modification: \??\c:\Users\Admin\Pictures\ResumeRead.tiff
- File opened for modification: \??\c:\Users\Admin\Pictures\ResumeRead.tiff.rnsmcat4er
- File renamed: C:\Users\Admin\Pictures\UndoSelect.tiff => \??\c:\Users\Admin\Pictures\UndoSelect.tiff.rnsmcat4er
Drops desktop.ini file(s) (29 IoCs)
Processes: write.exe (all entries below are "File opened for modification")
- \??\c:\Users\Public\AccountPictures\desktop.ini
- \??\c:\Users\Public\Documents\desktop.ini
- \??\c:\Users\Public\Libraries\desktop.ini
- \??\c:\Users\Admin\Desktop\desktop.ini
- \??\c:\Users\Admin\Downloads\desktop.ini
- \??\c:\Users\Admin\Contacts\desktop.ini
- \??\c:\Users\Public\Music\desktop.ini
- \??\c:\Users\Admin\Music\desktop.ini
- \??\c:\Users\Admin\Pictures\desktop.ini
- \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini
- \??\c:\Users\Public\Videos\desktop.ini
- \??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- \??\c:\Users\Admin\OneDrive\desktop.ini
- \??\c:\Users\Admin\Searches\desktop.ini
- \??\c:\Users\Admin\Videos\desktop.ini
- \??\c:\Users\Public\Downloads\desktop.ini
- \??\c:\Users\Public\desktop.ini
- \??\c:\Users\Public\Pictures\desktop.ini
- \??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- \??\c:\Users\Admin\Links\desktop.ini
- \??\c:\Users\Admin\Favorites\Links\desktop.ini
- \??\c:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- \??\c:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\desktop.ini
- \??\c:\Users\Admin\3D Objects\desktop.ini
- \??\c:\Users\Admin\Favorites\desktop.ini
- \??\c:\Users\Admin\Saved Games\desktop.ini
- \??\c:\Users\Public\Desktop\desktop.ini
- \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: write.exe
- File opened (read-only) by write.exe on each of: \??\s:, \??\x:, \??\e:, \??\h:, \??\l:, \??\m:, \??\o:, \??\v:, \??\g:, \??\k:, \??\n:, \??\p:, \??\t:, \??\y:, \??\a:, \??\b:, \??\f:, \??\j:, \??\w:, \??\i:, \??\q:, \??\r:, \??\u:, \??\z:
Suspicious use of SetThreadContext (2 IoCs)
Processes: aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe, write.exe
- PID 1380 set thread context of 4556 (process: aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe, target process: write.exe)
- PID 4556 set thread context of 7240 (process: write.exe, target process: write.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: write.exe
- PID 7240 write.exe (4 entries)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe, write.exe
- PID 1380 wrote to memory of 4556 (process: aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe, target process: write.exe), 4 entries
- PID 4556 wrote to memory of 7240 (process: write.exe, target process: write.exe), 5 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe"
   PID: 1380
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\write.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe
      PID: 4556
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\write.exe
         Command line: "C:\Windows\system32\write.exe"
         PID: 7240
         - Modifies extensions of user files
         - Drops desktop.ini file(s)
         - Enumerates connected drives
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 972B
MD5: cfa813e12a73a8dbebeac789d70421f6
SHA1: 6ae083e7b6315f1354f8fe0d875ab532dd19d5e2
SHA256: 6c3ff7ae70922556700004153c8f987fe45b347bca824ab6f50a29b514243bd1
SHA512: c3ac0f019787cbb4a7f081ca6fe7263d14d1da2ee1ea87343e9f8a90a02196902863e8d3b72ae8d25ed75edf6ef3f92168179ccdae2fabdcd63e655d4ec3c2dd