25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78

General

Target

25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
Size

1.4MB
MD5

e99b0f4ac83829976031376597265b17
SHA1

ff1361dc47549b0755465ddfb2167bc58ce4cf3c
SHA256

25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78
SHA512

0fdd410142270ff77a5df5724d46e9109c97516bf81765436807aed08ade4182273a6c1a465eda41512f85551f304615ae7ad98ff5a47ca44fdf424b67cdc9c0
SSDEEP

24576:vH35Z0pILwMVyYUgCuWnTg9bvKWZkQdOyDfSki+aRi1lnh4cbQg0QfqfqHjYI6c5:P56pqwMVy5XM9dZdad5Ri1lh30QCal6k

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1708	DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe

Loads dropped DLL 3 IoCs

pid	Process
1612	25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
1612	25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
1612	25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1708	DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
1708	DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
1708	DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
1708	DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
1708	DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
1708	DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
1708	DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
1708	DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
1708	DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
1708	DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
1708	DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
1708	DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
1708	DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
1708	DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
1708	DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1708	1612	25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe	26
PID 1612 wrote to memory of 1708	1612	25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe	26
PID 1612 wrote to memory of 1708	1612	25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe	26
PID 1612 wrote to memory of 1708	1612	25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe	26

C:\Users\Admin\AppData\Local\Temp\25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
"C:\Users\Admin\AppData\Local\Temp\25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\nsd7D4D.tmp\DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe
  "C:\Users\Admin\AppData\Local\Temp\nsd7D4D.tmp\DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd7D4D.tmp\DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe

Filesize
1.4MB

MD5
4718fa8f7f0571df062c6a7d23e2d063

SHA1
59e651ef81dedbf02ec03c09bf5890b2541bf4c0

SHA256
38ae5d53f284b63cecd0bd84c940bd25de83463ccab8ce5589a37c52b2fe2c5d

SHA512
fa611a98aac5c5b29a2cf53e93d0335a84c322f194a5424e53ba4cb2516eabcfa60e104a024c6c0b63db5cc5edb6127df846182c5a38b586f7a6826d72f86233

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7D4D.tmp\DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe

Filesize
1.4MB

MD5
4718fa8f7f0571df062c6a7d23e2d063

SHA1
59e651ef81dedbf02ec03c09bf5890b2541bf4c0

SHA256
38ae5d53f284b63cecd0bd84c940bd25de83463ccab8ce5589a37c52b2fe2c5d

SHA512
fa611a98aac5c5b29a2cf53e93d0335a84c322f194a5424e53ba4cb2516eabcfa60e104a024c6c0b63db5cc5edb6127df846182c5a38b586f7a6826d72f86233

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7D4D.tmp\D1989.dll

Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7D4D.tmp\DC25d6c760f5556191d8afabd65d78e7afe80572539ef5e6733ca23f8c85e85f78.exe

Filesize
1.4MB

MD5
4718fa8f7f0571df062c6a7d23e2d063

SHA1
59e651ef81dedbf02ec03c09bf5890b2541bf4c0

SHA256
38ae5d53f284b63cecd0bd84c940bd25de83463ccab8ce5589a37c52b2fe2c5d

SHA512
fa611a98aac5c5b29a2cf53e93d0335a84c322f194a5424e53ba4cb2516eabcfa60e104a024c6c0b63db5cc5edb6127df846182c5a38b586f7a6826d72f86233

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7D4D.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
memory/1612-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1708-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing