54b77115603f9cb8dd03f3850bdb425d6ad4b121f83f531f0dbeee5a4622aa9f

General

Target

aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe
Size

1.1MB
MD5

42d5422b60e6b5e20e7aaf730a81cc87
SHA1

e4c5691422f8bb438cae51bdb4340e75efed9f8d
SHA256

aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033
SHA512

2eac1dbd2a97dcd4b16e526536ea235553b848dc677a17463ae4ef4381e733e773bd0ac74cf84b89dcd30b56a18e312254c9f2ede6f871b0d1552ea889657f25
SSDEEP

24576:S7+J7TGhOa+9EuP9HxoXZoVeCe6TXjJpsB8jIy:S7a7TwOaexTz7sU

Score

8^/10

ransomware

Malware Config

Signatures

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

write.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\AddSuspend.tif => \??\c:\Users\Admin\Pictures\AddSuspend.tif.rnsmcat4er	write.exe
File opened for modification	\??\c:\Users\Admin\Pictures\AddSuspend.tif.rnsmcat4er	write.exe
File renamed	C:\Users\Admin\Pictures\ConfirmResolve.crw => \??\c:\Users\Admin\Pictures\ConfirmResolve.crw.rnsmcat4er	write.exe
File opened for modification	\??\c:\Users\Admin\Pictures\ConfirmResolve.crw.rnsmcat4er	write.exe

Drops desktop.ini file(s) 26 IoCs

Processes:

write.exe

description	ioc	process
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\OneDrive\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	write.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\AccountPictures\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	write.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\3D Objects\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	write.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	write.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

write.exe

description ioc process

File opened (read-only) \??\a: write.exe
File opened (read-only) \??\b: write.exe

description	ioc	process
File opened (read-only)	\??\a:	write.exe
File opened (read-only)	\??\b:	write.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exewrite.exe

description	pid	process	target process
PID 3796 set thread context of 1752	3796	aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe	write.exe
PID 1752 set thread context of 7484	1752	write.exe	write.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

write.exe

pid process

7484 write.exe
7484 write.exe
7484 write.exe
7484 write.exe

pid	process
7484	write.exe
7484	write.exe
7484	write.exe
7484	write.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exewrite.exe

description	pid	process	target process
PID 3796 wrote to memory of 1752	3796	aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe	write.exe
PID 3796 wrote to memory of 1752	3796	aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe	write.exe
PID 3796 wrote to memory of 1752	3796	aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe	write.exe
PID 3796 wrote to memory of 1752	3796	aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe	write.exe
PID 1752 wrote to memory of 7484	1752	write.exe	write.exe
PID 1752 wrote to memory of 7484	1752	write.exe	write.exe
PID 1752 wrote to memory of 7484	1752	write.exe	write.exe
PID 1752 wrote to memory of 7484	1752	write.exe	write.exe
PID 1752 wrote to memory of 7484	1752	write.exe	write.exe

C:\Users\Admin\AppData\Local\Temp\aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe
"C:\Users\Admin\AppData\Local\Temp\aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\SysWOW64\write.exe
C:\Users\Admin\AppData\Local\Temp\aa50a1e524059a4d184933850bc664a6752608a10ba1e876a4802542dc341033.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\write.exe
"C:\Windows\system32\write.exe"
3⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:7484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/1752-133-0x0000000000A40000-0x0000000000B5C000-memory.dmp

Filesize
1.1MB

Download
memory/1752-134-0x0000000000A55B00-mapping.dmp

Download
memory/1752-138-0x0000000000A40000-0x0000000000B5C000-memory.dmp

Filesize
1.1MB

Download
memory/3796-132-0x00000000001B0000-0x00000000002CC000-memory.dmp

Filesize
1.1MB

Download
memory/3796-135-0x00000000001B0000-0x00000000002CC000-memory.dmp

Filesize
1.1MB

Download
memory/7484-137-0x0000000000ED33C0-mapping.dmp

Download
memory/7484-136-0x0000000000EC0000-0x0000000000FDC000-memory.dmp

Filesize
1.1MB

Download
memory/7484-139-0x0000000000E00000-0x0000000000EBB000-memory.dmp

Filesize
748KB

Download
memory/7484-140-0x0000000000E00000-0x0000000000EBB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads