b3e6df47cba8197b56adf3c6e8584090b8d35402015a57a15905588c6d09ebce

General

Target

b3e6df47cba8197b56adf3c6e8584090b8d35402015a57a15905588c6d09ebce.exe
Size

164KB
MD5

af91fd38655cd537653cc35669cfc117
SHA1

4838ffb739a4f8041f71e957f3d9422d4ba4ec19
SHA256

b3e6df47cba8197b56adf3c6e8584090b8d35402015a57a15905588c6d09ebce
SHA512

ce3b10049b038b69399795bfa7c2ee95a0a3e3149856a614eb69281e16321dd6f11def2def20dd6f4b506f884e16137ed3fd9ea14c75973a325fd8212840390f
SSDEEP

3072:b1dlKwgj23+Oz05YoNoz9hsUQMvccO+wm8wk5hJv04NvkPtcep:b1dlZro5y9FvccOUUTEt

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
564	1.exe
1860	server.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
704	netsh.exe

Loads dropped DLL 1 IoCs

pid	Process
1944	b3e6df47cba8197b56adf3c6e8584090b8d35402015a57a15905588c6d09ebce.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	564	1.exe
Token: 33	564	1.exe
Token: SeIncBasePriorityPrivilege	564	1.exe
Token: SeDebugPrivilege	1860	server.exe
Token: 33	1860	server.exe
Token: SeIncBasePriorityPrivilege	1860	server.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 564	1944	b3e6df47cba8197b56adf3c6e8584090b8d35402015a57a15905588c6d09ebce.exe	28
PID 1944 wrote to memory of 564	1944	b3e6df47cba8197b56adf3c6e8584090b8d35402015a57a15905588c6d09ebce.exe	28
PID 1944 wrote to memory of 564	1944	b3e6df47cba8197b56adf3c6e8584090b8d35402015a57a15905588c6d09ebce.exe	28
PID 1944 wrote to memory of 564	1944	b3e6df47cba8197b56adf3c6e8584090b8d35402015a57a15905588c6d09ebce.exe	28
PID 564 wrote to memory of 1860	564	1.exe	29
PID 564 wrote to memory of 1860	564	1.exe	29
PID 564 wrote to memory of 1860	564	1.exe	29
PID 1860 wrote to memory of 704	1860	server.exe	30
PID 1860 wrote to memory of 704	1860	server.exe	30
PID 1860 wrote to memory of 704	1860	server.exe	30

C:\Users\Admin\AppData\Local\Temp\b3e6df47cba8197b56adf3c6e8584090b8d35402015a57a15905588c6d09ebce.exe
"C:\Users\Admin\AppData\Local\Temp\b3e6df47cba8197b56adf3c6e8584090b8d35402015a57a15905588c6d09ebce.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Extracted\1.exe
  "C:\Extracted\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\system32\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\1.exe

Filesize
139KB

MD5
8b0fc3a9f77771308cae8c369846b8ea

SHA1
a751a8ee54c106216aff82a8ab8e9f4bb423cf3b

SHA256
0227dd5375f9d31236a52b8d6e2c09272f71fbe523aeb4a4a8a01abebd1d819f

SHA512
5ef58964e66cce5c5b40c89b7a8f99c78ea44d7aea502f85985f42400ed13cd11d33cf0d9cc0348a9ac428a4d06297964b87225451cfe505578338408027c6c8

Download Submit
C:\Extracted\1.exe

Filesize
139KB

MD5
8b0fc3a9f77771308cae8c369846b8ea

SHA1
a751a8ee54c106216aff82a8ab8e9f4bb423cf3b

SHA256
0227dd5375f9d31236a52b8d6e2c09272f71fbe523aeb4a4a8a01abebd1d819f

SHA512
5ef58964e66cce5c5b40c89b7a8f99c78ea44d7aea502f85985f42400ed13cd11d33cf0d9cc0348a9ac428a4d06297964b87225451cfe505578338408027c6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
139KB

MD5
8b0fc3a9f77771308cae8c369846b8ea

SHA1
a751a8ee54c106216aff82a8ab8e9f4bb423cf3b

SHA256
0227dd5375f9d31236a52b8d6e2c09272f71fbe523aeb4a4a8a01abebd1d819f

SHA512
5ef58964e66cce5c5b40c89b7a8f99c78ea44d7aea502f85985f42400ed13cd11d33cf0d9cc0348a9ac428a4d06297964b87225451cfe505578338408027c6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
139KB

MD5
8b0fc3a9f77771308cae8c369846b8ea

SHA1
a751a8ee54c106216aff82a8ab8e9f4bb423cf3b

SHA256
0227dd5375f9d31236a52b8d6e2c09272f71fbe523aeb4a4a8a01abebd1d819f

SHA512
5ef58964e66cce5c5b40c89b7a8f99c78ea44d7aea502f85985f42400ed13cd11d33cf0d9cc0348a9ac428a4d06297964b87225451cfe505578338408027c6c8

Download Submit
\Extracted\1.exe

Filesize
139KB

MD5
8b0fc3a9f77771308cae8c369846b8ea

SHA1
a751a8ee54c106216aff82a8ab8e9f4bb423cf3b

SHA256
0227dd5375f9d31236a52b8d6e2c09272f71fbe523aeb4a4a8a01abebd1d819f

SHA512
5ef58964e66cce5c5b40c89b7a8f99c78ea44d7aea502f85985f42400ed13cd11d33cf0d9cc0348a9ac428a4d06297964b87225451cfe505578338408027c6c8

Download Submit
memory/564-60-0x000007FEF2770000-0x000007FEF3806000-memory.dmp

Filesize
16.6MB

Download
memory/564-61-0x000007FEFBBC1000-0x000007FEFBBC3000-memory.dmp

Filesize
8KB

Download
memory/564-59-0x000007FEF3C60000-0x000007FEF4683000-memory.dmp

Filesize
10.1MB

Download
memory/1860-65-0x000007FEF49B0000-0x000007FEF53D3000-memory.dmp

Filesize
10.1MB

Download
memory/1860-66-0x000007FEF2710000-0x000007FEF37A6000-memory.dmp

Filesize
16.6MB

Download
memory/1944-54-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing