5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115

General

Target

5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
Size

4.1MB
MD5

bcf2d47e89eae5e561786e67e18944b8
SHA1

8df0dec10fcb6f6ca6127a84f4eb79ee40f77ddd
SHA256

5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115
SHA512

56df6ee44deafb76dd781d1e9261076634aeda0a3a04f175e382f3f4f3c417349e5662fec69401e3b2958209f8db270a7fa8a8f5201b6d61a2dd2fb1ef25aa30
SSDEEP

98304:Qzi78zCdEFvizhzP0jkWnQBCfBr/XG5rMBD:qNCaiNAjYkt/XG5rMh

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

RaiMz8Ebd6kFRGvE.exe

pid process

1152 RaiMz8Ebd6kFRGvE.exe
Loads dropped DLL 1 IoCs

Processes:

5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe

pid process

992 5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe

pid	process
1152	RaiMz8Ebd6kFRGvE.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\jagax = "C:\\Users\\Admin\\AppData\\Roaming\\jagax\\FU2j02L3nfu2.exe"	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe

pid	process
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe

description pid process

Token: SeDebugPrivilege 992 5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe

description	pid	process
Token: SeDebugPrivilege	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe

C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
"C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Local\Temp\RaiMz8Ebd6kFRGvE.exe
"C:\Users\Admin\AppData\Local\Temp\RaiMz8Ebd6kFRGvE.exe"
2⤵
- Executes dropped EXE
PID:1152

C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
"C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe"
2⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
"C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe"
2⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
"C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe"
2⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
"C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe"
2⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
"C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe"
2⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
"C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe"
2⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 924
2⤵
PID:1220

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RaiMz8Ebd6kFRGvE.exe
Filesize
3.4MB

MD5
78c6235c46c14c40f83d1d0514dab9a5

SHA1
8bda9e7585865eee408eb7157dc8b07aaf440c80

SHA256
4691662a75311acfedd1b7d9ca147239c3cd477367633407735bf924bb0ba967

SHA512
6a5038944d2576cfd68f1b7294b00a1b39bba44eb8b378fd2750a43151f2208f3595b8e4900afabce558a40d398e84c342da34b4f9b41b93fb4b7053d1dcc8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaiMz8Ebd6kFRGvE.exe
Filesize
3.4MB

MD5
78c6235c46c14c40f83d1d0514dab9a5

SHA1
8bda9e7585865eee408eb7157dc8b07aaf440c80

SHA256
4691662a75311acfedd1b7d9ca147239c3cd477367633407735bf924bb0ba967

SHA512
6a5038944d2576cfd68f1b7294b00a1b39bba44eb8b378fd2750a43151f2208f3595b8e4900afabce558a40d398e84c342da34b4f9b41b93fb4b7053d1dcc8c7

Download Submit
\Users\Admin\AppData\Local\Temp\RaiMz8Ebd6kFRGvE.exe
Filesize
3.4MB

MD5
78c6235c46c14c40f83d1d0514dab9a5

SHA1
8bda9e7585865eee408eb7157dc8b07aaf440c80

SHA256
4691662a75311acfedd1b7d9ca147239c3cd477367633407735bf924bb0ba967

SHA512
6a5038944d2576cfd68f1b7294b00a1b39bba44eb8b378fd2750a43151f2208f3595b8e4900afabce558a40d398e84c342da34b4f9b41b93fb4b7053d1dcc8c7

Download Submit
memory/992-54-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download
memory/992-55-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/992-56-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/1152-58-0x0000000000000000-mapping.dmp

Download
memory/1220-62-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 992 wrote to memory of 1152	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	RaiMz8Ebd6kFRGvE.exe
PID 992 wrote to memory of 1152	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	RaiMz8Ebd6kFRGvE.exe
PID 992 wrote to memory of 1152	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	RaiMz8Ebd6kFRGvE.exe
PID 992 wrote to memory of 1152	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	RaiMz8Ebd6kFRGvE.exe
PID 992 wrote to memory of 1152	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	RaiMz8Ebd6kFRGvE.exe
PID 992 wrote to memory of 1152	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	RaiMz8Ebd6kFRGvE.exe
PID 992 wrote to memory of 1152	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	RaiMz8Ebd6kFRGvE.exe
PID 992 wrote to memory of 1644	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1644	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1644	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1644	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1904	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1904	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1904	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1904	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 2020	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 2020	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 2020	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 2020	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1680	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1680	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1680	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1680	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1792	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1792	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1792	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1792	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1848	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1848	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1848	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1848	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
PID 992 wrote to memory of 1220	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	dw20.exe
PID 992 wrote to memory of 1220	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	dw20.exe
PID 992 wrote to memory of 1220	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	dw20.exe
PID 992 wrote to memory of 1220	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	dw20.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads