8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e

General

Target

8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe
Size

257KB
MD5

d1684b36d2fcc59f479c7bc2b016fe68
SHA1

6c99aa9f85e52f36a3b2a30ee134af62e63cae4f
SHA256

8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e
SHA512

7d1d89d856cc0f29ef346776fb25fed5210b05c4f79bc3298225e23456a5c98f722da6efa7474e60b6ca5de9509ff276c7827637f84101d26e4b751abbdbea54
SSDEEP

3072:2zqDfnQogw8u6FIJp+fsSmJU8zhrLH/s:2unQZRFSp+fsVU8zhrA

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

2222.exe

pid process

2000 2222.exe

pid	process
2000	2222.exe

Loads dropped DLL 2 IoCs

Processes:

8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe

pid	process
2044	8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe
2044	8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2222.exe

pid process

2000 2222.exe
2000 2222.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2008 DllHost.exe

pid	process
2000	2222.exe
2000	2222.exe

pid	process
2008	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe2222.exe

description	pid	process	target process
PID 2044 wrote to memory of 2000	2044	8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe	2222.exe
PID 2044 wrote to memory of 2000	2044	8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe	2222.exe
PID 2044 wrote to memory of 2000	2044	8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe	2222.exe
PID 2044 wrote to memory of 2000	2044	8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe	2222.exe
PID 2000 wrote to memory of 1268	2000	2222.exe	Explorer.EXE
PID 2000 wrote to memory of 1268	2000	2222.exe	Explorer.EXE
PID 2000 wrote to memory of 1268	2000	2222.exe	Explorer.EXE
PID 2000 wrote to memory of 1268	2000	2222.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe
"C:\Users\Admin\AppData\Local\Temp\8f8521e2f2cdab5f6cd7584e64baf977e48fd0df23fb87dc70056afafb6c178e.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\2222.exe
"C:\Users\Admin\AppData\Local\Temp\2222.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2008

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2222.exe
Filesize
88KB

MD5
fa0950aa860c11e910b13e9b4bdc6535

SHA1
db84d0260db987087d6752ff24a867fc4873c90e

SHA256
abe90dc1153b73c2d0a06692dcbb0e01b8132d9cc5527895945c47273ff1ada0

SHA512
5fe93d5b97fccc092c06535401ae8a8464a5b6bf7293a63edb96eefcc37c07ddcc34513432926a15b5f437851efb47abcdb759ebb0bcf041d53dd48e44b00716

Download Submit
C:\Users\Admin\AppData\Local\Temp\2222.exe
Filesize
88KB

MD5
fa0950aa860c11e910b13e9b4bdc6535

SHA1
db84d0260db987087d6752ff24a867fc4873c90e

SHA256
abe90dc1153b73c2d0a06692dcbb0e01b8132d9cc5527895945c47273ff1ada0

SHA512
5fe93d5b97fccc092c06535401ae8a8464a5b6bf7293a63edb96eefcc37c07ddcc34513432926a15b5f437851efb47abcdb759ebb0bcf041d53dd48e44b00716

Download Submit
C:\Users\Admin\AppData\Local\Temp\íÇÑÇ.jpg
Filesize
27KB

MD5
18a74aceb07820641aa0aaab3e0bd853

SHA1
36de5c7004875831c6c7593f7a842da7422e2200

SHA256
071325e12f85bf3f393655d299f72111c94c6f786dee3130952e7f17f2a806e4

SHA512
c0fc3e39d1875fe2769ed42473a1dcfd0f1b8007f9cd7c82a0df2bb5d182c8eb2db16b0422bcc1dc2bd1f2741e9dca0246fd9c95d7ad6aff6e1e5e5a0a8f3033

Download Submit
\Users\Admin\AppData\Local\Temp\2222.exe
Filesize
88KB

MD5
fa0950aa860c11e910b13e9b4bdc6535

SHA1
db84d0260db987087d6752ff24a867fc4873c90e

SHA256
abe90dc1153b73c2d0a06692dcbb0e01b8132d9cc5527895945c47273ff1ada0

SHA512
5fe93d5b97fccc092c06535401ae8a8464a5b6bf7293a63edb96eefcc37c07ddcc34513432926a15b5f437851efb47abcdb759ebb0bcf041d53dd48e44b00716

Download Submit
\Users\Admin\AppData\Local\Temp\2222.exe
Filesize
88KB

MD5
fa0950aa860c11e910b13e9b4bdc6535

SHA1
db84d0260db987087d6752ff24a867fc4873c90e

SHA256
abe90dc1153b73c2d0a06692dcbb0e01b8132d9cc5527895945c47273ff1ada0

SHA512
5fe93d5b97fccc092c06535401ae8a8464a5b6bf7293a63edb96eefcc37c07ddcc34513432926a15b5f437851efb47abcdb759ebb0bcf041d53dd48e44b00716

Download Submit
memory/1268-64-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/2000-57-0x0000000000000000-mapping.dmp

Download
memory/2000-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2000-67-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2000-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2044-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing