d9ec38eb3969f4f066c8864631262547b90c1bb1653a2da964310b2ec0160c9c

General

Target

b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe
Size

1.7MB
MD5

2010f94a111ab8d9e0a25d7aefd2704e
SHA1

cc5fb0d3c2ac669a04ce073e2023200107a1846a
SHA256

b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7
SHA512

daec0ed4e7ed5467c9b59db2976227f142a56f1e3eadd138baf6281d63ea565849da08c1ffcad056fc49909a42d16b79bbcf546ef37977f3e386566ca3dbcc71
SSDEEP

24576:GhGyCHW7fOpOQWzYSQ6iRUxgrGEMr3LvDUUk1+CtdEckOOZ2K7bGqvUCSVt:GhGVHWyOrVuUUMrbZk1yckOOZ2fyUtr

Score

8^/10

ransomware

Malware Config

Signatures

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

write.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Pictures\SendExport.raw.rnsmcat4er	write.exe
File renamed	C:\Users\Admin\Pictures\DismountEnter.crw => \??\c:\Users\Admin\Pictures\DismountEnter.crw.rnsmcat4er	write.exe
File opened for modification	\??\c:\Users\Admin\Pictures\DismountEnter.crw.rnsmcat4er	write.exe
File renamed	C:\Users\Admin\Pictures\SendExport.raw => \??\c:\Users\Admin\Pictures\SendExport.raw.rnsmcat4er	write.exe

Drops desktop.ini file(s) 29 IoCs

Processes:

write.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\AccountPictures\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	write.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	write.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\3D Objects\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\OneDrive\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	write.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

write.exe

description	ioc	process
File opened (read-only)	\??\p:	write.exe
File opened (read-only)	\??\a:	write.exe
File opened (read-only)	\??\e:	write.exe
File opened (read-only)	\??\i:	write.exe
File opened (read-only)	\??\k:	write.exe
File opened (read-only)	\??\o:	write.exe
File opened (read-only)	\??\w:	write.exe
File opened (read-only)	\??\y:	write.exe
File opened (read-only)	\??\b:	write.exe
File opened (read-only)	\??\h:	write.exe
File opened (read-only)	\??\q:	write.exe
File opened (read-only)	\??\s:	write.exe
File opened (read-only)	\??\t:	write.exe
File opened (read-only)	\??\u:	write.exe
File opened (read-only)	\??\r:	write.exe
File opened (read-only)	\??\v:	write.exe
File opened (read-only)	\??\f:	write.exe
File opened (read-only)	\??\g:	write.exe
File opened (read-only)	\??\j:	write.exe
File opened (read-only)	\??\l:	write.exe
File opened (read-only)	\??\m:	write.exe
File opened (read-only)	\??\n:	write.exe
File opened (read-only)	\??\x:	write.exe
File opened (read-only)	\??\z:	write.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exewrite.exe

description	pid	process	target process
PID 5104 set thread context of 3100	5104	b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe	write.exe
PID 3100 set thread context of 8660	3100	write.exe	write.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

write.exe

pid process

8660 write.exe
8660 write.exe
8660 write.exe
8660 write.exe

pid	process
8660	write.exe
8660	write.exe
8660	write.exe
8660	write.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exewrite.exe

description	pid	process	target process
PID 5104 wrote to memory of 3100	5104	b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe	write.exe
PID 5104 wrote to memory of 3100	5104	b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe	write.exe
PID 5104 wrote to memory of 3100	5104	b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe	write.exe
PID 5104 wrote to memory of 3100	5104	b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe	write.exe
PID 3100 wrote to memory of 8660	3100	write.exe	write.exe
PID 3100 wrote to memory of 8660	3100	write.exe	write.exe
PID 3100 wrote to memory of 8660	3100	write.exe	write.exe
PID 3100 wrote to memory of 8660	3100	write.exe	write.exe
PID 3100 wrote to memory of 8660	3100	write.exe	write.exe

C:\Users\Admin\AppData\Local\Temp\b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe
"C:\Users\Admin\AppData\Local\Temp\b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\write.exe
C:\Users\Admin\AppData\Local\Temp\b0d998157a5602c0f97d328b38e82177ceeb380862ac46258c5cb5727bfa7cf7.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\write.exe
"C:\Windows\system32\write.exe"
3⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:8660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\desktop.ini
Filesize
876B

MD5
ccf0567081f812a4dc46a0c66271bc61

SHA1
a564f839023b5aff353107a9eeaf7b74e693d8f7

SHA256
f7497d8a7e36b45c8cce8235388c93e62fe4de4bc3b263014a4ceada6a63fd1c

SHA512
323c651cb5b87afbaea9058da057aeaac8bfd577e0b685a7e99f0296f78aeb6e595a5bef0ff86c98851abd9b70ad3629a6e7a9f45672b88564ae21421c64390e

Download Submit
memory/3100-135-0x0000000000A25B00-mapping.dmp

Download
memory/3100-134-0x0000000000A10000-0x0000000000B2C000-memory.dmp

Filesize
1.1MB

Download
memory/3100-136-0x0000000000A10000-0x0000000000B2C000-memory.dmp

Filesize
1.1MB

Download
memory/3100-140-0x0000000000A10000-0x0000000000B2C000-memory.dmp

Filesize
1.1MB

Download
memory/5104-132-0x0000000002B20000-0x0000000002E59000-memory.dmp

Filesize
3.2MB

Download
memory/5104-133-0x0000000002F80000-0x000000000309C000-memory.dmp

Filesize
1.1MB

Download
memory/5104-137-0x0000000002F80000-0x000000000309C000-memory.dmp

Filesize
1.1MB

Download
memory/8660-138-0x0000000000FB0000-0x00000000010CC000-memory.dmp

Filesize
1.1MB

Download
memory/8660-139-0x0000000000FC33C0-mapping.dmp

Download
memory/8660-141-0x0000000000EF0000-0x0000000000FAB000-memory.dmp

Filesize
748KB

Download
memory/8660-143-0x0000000000EF0000-0x0000000000FAB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads