d9ec38eb3969f4f066c8864631262547b90c1bb1653a2da964310b2ec0160c9c

General

Target

b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe
Size

1.7MB
MD5

2010f94a111ab8d9e0a25d7aefd2704e
SHA1

cc5fb0d3c2ac669a04ce073e2023200107a1846a
SHA256

b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7
SHA512

daec0ed4e7ed5467c9b59db2976227f142a56f1e3eadd138baf6281d63ea565849da08c1ffcad056fc49909a42d16b79bbcf546ef37977f3e386566ca3dbcc71
SSDEEP

24576:GhGyCHW7fOpOQWzYSQ6iRUxgrGEMr3LvDUUk1+CtdEckOOZ2K7bGqvUCSVt:GhGVHWyOrVuUUMrbZk1yckOOZ2fyUtr

Score

8^/10

ransomware

Malware Config

Signatures

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

write.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\EnableSync.crw => \??\c:\Users\Admin\Pictures\EnableSync.crw.rnsmcat4er	write.exe
File opened for modification	\??\c:\Users\Admin\Pictures\EnableSync.crw.rnsmcat4er	write.exe
File renamed	C:\Users\Admin\Pictures\SelectEdit.tif => \??\c:\Users\Admin\Pictures\SelectEdit.tif.rnsmcat4er	write.exe
File opened for modification	\??\c:\Users\Admin\Pictures\SelectEdit.tif.rnsmcat4er	write.exe
File renamed	C:\Users\Admin\Pictures\WatchPush.raw => \??\c:\Users\Admin\Pictures\WatchPush.raw.rnsmcat4er	write.exe
File opened for modification	\??\c:\Users\Admin\Pictures\WatchPush.raw.rnsmcat4er	write.exe

Drops desktop.ini file(s) 30 IoCs

Processes:

write.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links for United States\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Videos\Sample Videos\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Music\Sample Music\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	write.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini	write.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	write.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

write.exe

description ioc process

File opened (read-only) \??\b: write.exe
File opened (read-only) \??\a: write.exe

description	ioc	process
File opened (read-only)	\??\b:	write.exe
File opened (read-only)	\??\a:	write.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exewrite.exe

description	pid	process	target process
PID 752 set thread context of 2908	752	b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe	write.exe
PID 2908 set thread context of 6924	2908	write.exe	write.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

write.exe

pid process

6924 write.exe
6924 write.exe
6924 write.exe
6924 write.exe

pid	process
6924	write.exe
6924	write.exe
6924	write.exe
6924	write.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exewrite.exe

description	pid	process	target process
PID 752 wrote to memory of 2908	752	b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe	write.exe
PID 752 wrote to memory of 2908	752	b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe	write.exe
PID 752 wrote to memory of 2908	752	b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe	write.exe
PID 752 wrote to memory of 2908	752	b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe	write.exe
PID 752 wrote to memory of 2908	752	b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe	write.exe
PID 2908 wrote to memory of 6924	2908	write.exe	write.exe
PID 2908 wrote to memory of 6924	2908	write.exe	write.exe
PID 2908 wrote to memory of 6924	2908	write.exe	write.exe
PID 2908 wrote to memory of 6924	2908	write.exe	write.exe
PID 2908 wrote to memory of 6924	2908	write.exe	write.exe
PID 2908 wrote to memory of 6924	2908	write.exe	write.exe

C:\Users\Admin\AppData\Local\Temp\b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe
"C:\Users\Admin\AppData\Local\Temp\b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\write.exe
"C:\Windows\system32\write.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\SysWOW64\write.exe
"C:\Windows\system32\write.exe"
3⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:6924

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\desktop.ini
Filesize
1003B

MD5
99ba3bcd73e2263dc38e95d5f6882647

SHA1
a8b25b78ce27fcf8f3fe97aabf8049ee04e76ec1

SHA256
d5f4e79269936d4a8e548fd20b490bb1f993c11236a946831b0aede1b4960ac8

SHA512
33ae8c8b59e15316af8de7dde7e0e046e5e76c1e96b27ae48bd4bcc3572834323c872cbf03ce0e26c5d0f8567bcaa447fe9b48e523fe2948fd5c44d0dfa48e9b

Download Submit
memory/752-60-0x0000000000C00000-0x0000000000D1C000-memory.dmp

Filesize
1.1MB

Download
memory/752-55-0x0000000002480000-0x00000000027B9000-memory.dmp

Filesize
3.2MB

Download
memory/752-56-0x0000000000C00000-0x0000000000D1C000-memory.dmp

Filesize
1.1MB

Download
memory/752-54-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

Filesize
8KB

Download
memory/2908-61-0x0000000000200000-0x000000000031C000-memory.dmp

Filesize
1.1MB

Download
memory/2908-58-0x0000000000215B00-mapping.dmp

Download
memory/2908-62-0x0000000000200000-0x000000000031C000-memory.dmp

Filesize
1.1MB

Download
memory/2908-65-0x0000000000200000-0x000000000031C000-memory.dmp

Filesize
1.1MB

Download
memory/2908-57-0x0000000000200000-0x000000000031C000-memory.dmp

Filesize
1.1MB

Download
memory/6924-64-0x00000000002A33C0-mapping.dmp

Download
memory/6924-63-0x0000000000290000-0x00000000003AC000-memory.dmp

Filesize
1.1MB

Download
memory/6924-67-0x0000000000100000-0x00000000001BB000-memory.dmp

Filesize
748KB

Download
memory/6924-69-0x0000000000100000-0x00000000001BB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads