8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f

General

Target

8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe
Size

25KB
MD5

89d2df8ec6758be24d8f4dfad9f04af1
SHA1

0f48e6fd47d1781eb06f9811c8cd97ee49a638be
SHA256

8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f
SHA512

ff0184c0bb7b4560d18c4ecd59d84b1be5b80b5de4c29b8616e8838072fccb562342032a97feb97ff659965192844147e037cac07e3dcaba6471cad52880488f
SSDEEP

384:TQagXZPRlOjTh4wdTDRnWAiBUiQSZmG4ge9OslgOSLJlg23f4I7I8XAw:TCwdTDRnnFiQSZigeMs+O+Jlg2QxuAw

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

fjtbg.exefjtbg.exe

pid process

1264 fjtbg.exe
604 fjtbg.exe
Deletes itself 1 IoCs

Processes:

fjtbg.exe

pid process

604 fjtbg.exe

pid	process
1264	fjtbg.exe
604	fjtbg.exe

pid	process
604	fjtbg.exe

Loads dropped DLL 3 IoCs

Processes:

8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exefjtbg.exe

pid	process
1516	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe
1516	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe
1264	fjtbg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exefjtbg.exe

description	pid	process	target process
PID 1168 set thread context of 1516	1168	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe
PID 1264 set thread context of 604	1264	fjtbg.exe	fjtbg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exefjtbg.exe

description	pid	process	target process
PID 1168 wrote to memory of 1516	1168	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe
PID 1168 wrote to memory of 1516	1168	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe
PID 1168 wrote to memory of 1516	1168	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe
PID 1168 wrote to memory of 1516	1168	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe
PID 1168 wrote to memory of 1516	1168	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe
PID 1168 wrote to memory of 1516	1168	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe
PID 1168 wrote to memory of 1516	1168	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe
PID 1168 wrote to memory of 1516	1168	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe
PID 1516 wrote to memory of 1264	1516	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe	fjtbg.exe
PID 1516 wrote to memory of 1264	1516	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe	fjtbg.exe
PID 1516 wrote to memory of 1264	1516	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe	fjtbg.exe
PID 1516 wrote to memory of 1264	1516	8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe	fjtbg.exe
PID 1264 wrote to memory of 604	1264	fjtbg.exe	fjtbg.exe
PID 1264 wrote to memory of 604	1264	fjtbg.exe	fjtbg.exe
PID 1264 wrote to memory of 604	1264	fjtbg.exe	fjtbg.exe
PID 1264 wrote to memory of 604	1264	fjtbg.exe	fjtbg.exe
PID 1264 wrote to memory of 604	1264	fjtbg.exe	fjtbg.exe
PID 1264 wrote to memory of 604	1264	fjtbg.exe	fjtbg.exe
PID 1264 wrote to memory of 604	1264	fjtbg.exe	fjtbg.exe
PID 1264 wrote to memory of 604	1264	fjtbg.exe	fjtbg.exe

C:\Users\Admin\AppData\Local\Temp\8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe
"C:\Users\Admin\AppData\Local\Temp\8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Local\Temp\8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe
"C:\Users\Admin\AppData\Local\Temp\8d71ab765fdf187446aedc65f6a4dc7c579d28d33a02c8f6b3acffc627dd794f.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\fjtbg.exe
"C:\Users\Admin\AppData\Local\Temp\fjtbg.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\fjtbg.exe
"C:\Users\Admin\AppData\Local\Temp\fjtbg.exe"
4⤵
- Executes dropped EXE
- Deletes itself
PID:604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fjtbg.exe
Filesize
25KB

MD5
a85c3be51ed5bab2baedc64ac101b318

SHA1
62d4be17735822209981ff001006f4b6ce111947

SHA256
883cd4316017f70a2a37c0a6723c196875b7de7e5bba594fe70c1c75435a0b4c

SHA512
c0ae2b59c28b4bc5fefbfc563dff9fdf056d7f68e984aa6a601a0e2658a915092cba91dda7b3afce0113fef46e3748a58e557f083586b39e9e28d9be228f3a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjtbg.exe
Filesize
25KB

MD5
a85c3be51ed5bab2baedc64ac101b318

SHA1
62d4be17735822209981ff001006f4b6ce111947

SHA256
883cd4316017f70a2a37c0a6723c196875b7de7e5bba594fe70c1c75435a0b4c

SHA512
c0ae2b59c28b4bc5fefbfc563dff9fdf056d7f68e984aa6a601a0e2658a915092cba91dda7b3afce0113fef46e3748a58e557f083586b39e9e28d9be228f3a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjtbg.exe
Filesize
25KB

MD5
a85c3be51ed5bab2baedc64ac101b318

SHA1
62d4be17735822209981ff001006f4b6ce111947

SHA256
883cd4316017f70a2a37c0a6723c196875b7de7e5bba594fe70c1c75435a0b4c

SHA512
c0ae2b59c28b4bc5fefbfc563dff9fdf056d7f68e984aa6a601a0e2658a915092cba91dda7b3afce0113fef46e3748a58e557f083586b39e9e28d9be228f3a76

Download Submit
\Users\Admin\AppData\Local\Temp\fjtbg.exe
Filesize
25KB

MD5
a85c3be51ed5bab2baedc64ac101b318

SHA1
62d4be17735822209981ff001006f4b6ce111947

SHA256
883cd4316017f70a2a37c0a6723c196875b7de7e5bba594fe70c1c75435a0b4c

SHA512
c0ae2b59c28b4bc5fefbfc563dff9fdf056d7f68e984aa6a601a0e2658a915092cba91dda7b3afce0113fef46e3748a58e557f083586b39e9e28d9be228f3a76

Download Submit
\Users\Admin\AppData\Local\Temp\fjtbg.exe
Filesize
25KB

MD5
a85c3be51ed5bab2baedc64ac101b318

SHA1
62d4be17735822209981ff001006f4b6ce111947

SHA256
883cd4316017f70a2a37c0a6723c196875b7de7e5bba594fe70c1c75435a0b4c

SHA512
c0ae2b59c28b4bc5fefbfc563dff9fdf056d7f68e984aa6a601a0e2658a915092cba91dda7b3afce0113fef46e3748a58e557f083586b39e9e28d9be228f3a76

Download Submit
\Users\Admin\AppData\Local\Temp\fjtbg.exe
Filesize
25KB

MD5
a85c3be51ed5bab2baedc64ac101b318

SHA1
62d4be17735822209981ff001006f4b6ce111947

SHA256
883cd4316017f70a2a37c0a6723c196875b7de7e5bba594fe70c1c75435a0b4c

SHA512
c0ae2b59c28b4bc5fefbfc563dff9fdf056d7f68e984aa6a601a0e2658a915092cba91dda7b3afce0113fef46e3748a58e557f083586b39e9e28d9be228f3a76

Download Submit
memory/1168-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1168-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1264-62-0x0000000000000000-mapping.dmp

Download
memory/1264-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1516-58-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1516-59-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1516-55-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads