6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f

General

Target

6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe
Size

559KB
MD5

7767886f33d05e61fcf1fa4d4e7624dd
SHA1

d80909e4b2ee6caae7c47feac3aa9ac2c8910082
SHA256

6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f
SHA512

8168b78b0a528d9b4dc7ef26bc2b0838300dc65f345bf77baba9892166be299ab17db089f764253219c19b28251988dd25113ca3448d6425af0bb89de70834cf
SSDEEP

12288:3/aUsuYachgVK4vXc+MjRWsx7VCzCGkAUKrrw5z0C5Sytl52:PaUxvxK4vcHWsJgKA5rrwm/yf52

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
972	user.exe

Loads dropped DLL 4 IoCs

pid	Process
1948	6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe
1948	6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe
1948	6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe
1948	6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
972	user.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	972	user.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1988	DllHost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 972	1948	6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe	27
PID 1948 wrote to memory of 972	1948	6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe	27
PID 1948 wrote to memory of 972	1948	6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe	27
PID 1948 wrote to memory of 972	1948	6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe	27
PID 1948 wrote to memory of 972	1948	6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe	27
PID 1948 wrote to memory of 972	1948	6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe	27
PID 1948 wrote to memory of 972	1948	6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe	27

C:\Users\Admin\AppData\Local\Temp\6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe
"C:\Users\Admin\AppData\Local\Temp\6700460ad1bf7e93b4119216fe80f2b3d79110612e239bf691f2ee5f93fbda7f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Roaming\user.exe
  "C:\Users\Admin\AppData\Roaming\user.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:972

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1.ico

Filesize
195KB

MD5
5f68b6c6dd21b1d996b7c16122785654

SHA1
fef3cb7e6a55b0fdbb765c56802422071c0e7024

SHA256
e5b3ab94cd2075853d7fd549a8d38497db44c6ce31c501404ed117ab70b47877

SHA512
e7d1f5c5aeaab577e7280c537100f2c4481703e4f57acf3f129d7b5ba93f994dd56d59ac2019e32115d5c7871ac7df1df6c6976333b5548a04321876c7a5bd46

Download Submit
C:\Users\Admin\AppData\Roaming\User.exe

Filesize
94KB

MD5
8c6a3d31c1661c5eef5267ddc71ef1c5

SHA1
fc9676459e851a15f5bda588eb5a6054e93d4497

SHA256
6bf3f7642e4908fbd220931bc6a0deb3c566149e10da3a0b744cb3cdcbd930d7

SHA512
a094573dd8a0844ec280cce8774cb933f76b41d3e2f4a7819e634a38986e87afe9e27908ea9dae718810e3f76c6a8b85e2aeb953adf4a52e8ddd0aabde0f0a45

Download Submit
C:\Users\Admin\AppData\Roaming\user.exe

Filesize
94KB

MD5
8c6a3d31c1661c5eef5267ddc71ef1c5

SHA1
fc9676459e851a15f5bda588eb5a6054e93d4497

SHA256
6bf3f7642e4908fbd220931bc6a0deb3c566149e10da3a0b744cb3cdcbd930d7

SHA512
a094573dd8a0844ec280cce8774cb933f76b41d3e2f4a7819e634a38986e87afe9e27908ea9dae718810e3f76c6a8b85e2aeb953adf4a52e8ddd0aabde0f0a45

Download Submit
\Users\Admin\AppData\Roaming\User.exe

Filesize
94KB

MD5
8c6a3d31c1661c5eef5267ddc71ef1c5

SHA1
fc9676459e851a15f5bda588eb5a6054e93d4497

SHA256
6bf3f7642e4908fbd220931bc6a0deb3c566149e10da3a0b744cb3cdcbd930d7

SHA512
a094573dd8a0844ec280cce8774cb933f76b41d3e2f4a7819e634a38986e87afe9e27908ea9dae718810e3f76c6a8b85e2aeb953adf4a52e8ddd0aabde0f0a45

Download Submit
\Users\Admin\AppData\Roaming\User.exe

Filesize
94KB

MD5
8c6a3d31c1661c5eef5267ddc71ef1c5

SHA1
fc9676459e851a15f5bda588eb5a6054e93d4497

SHA256
6bf3f7642e4908fbd220931bc6a0deb3c566149e10da3a0b744cb3cdcbd930d7

SHA512
a094573dd8a0844ec280cce8774cb933f76b41d3e2f4a7819e634a38986e87afe9e27908ea9dae718810e3f76c6a8b85e2aeb953adf4a52e8ddd0aabde0f0a45

Download Submit
\Users\Admin\AppData\Roaming\User.exe

Filesize
94KB

MD5
8c6a3d31c1661c5eef5267ddc71ef1c5

SHA1
fc9676459e851a15f5bda588eb5a6054e93d4497

SHA256
6bf3f7642e4908fbd220931bc6a0deb3c566149e10da3a0b744cb3cdcbd930d7

SHA512
a094573dd8a0844ec280cce8774cb933f76b41d3e2f4a7819e634a38986e87afe9e27908ea9dae718810e3f76c6a8b85e2aeb953adf4a52e8ddd0aabde0f0a45

Download Submit
\Users\Admin\AppData\Roaming\User.exe

Filesize
94KB

MD5
8c6a3d31c1661c5eef5267ddc71ef1c5

SHA1
fc9676459e851a15f5bda588eb5a6054e93d4497

SHA256
6bf3f7642e4908fbd220931bc6a0deb3c566149e10da3a0b744cb3cdcbd930d7

SHA512
a094573dd8a0844ec280cce8774cb933f76b41d3e2f4a7819e634a38986e87afe9e27908ea9dae718810e3f76c6a8b85e2aeb953adf4a52e8ddd0aabde0f0a45

Download Submit
memory/972-64-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/972-65-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing