6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3

General

Target

6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe
Size

525KB
MD5

1eb2572c36afe1832732413fcec49bbe
SHA1

cd9b8f19cc582920b6163bb2a58ed13a37e73b56
SHA256

6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3
SHA512

72e4aa9a33982677662126f466093e190d4c6fd93793f406427669f245a532a8ae756ddc0a9f9931481a820dd206439fb3d6da8193d483eb5412b6c96de66de5
SSDEEP

6144:C9J623cdUmR7W6XKDla2nf9PzuDorEDGgrpO2gd2k4xsMiGAv5NIseImC:CJZMPQlakoBrEmBxed5NIse

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ere.exe

pid process

1972 ere.exe

pid	process
1972	ere.exe

Loads dropped DLL 5 IoCs

Processes:

6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exedw20.exe

pid	process
2040	6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe
2040	6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe
1976	dw20.exe
1976	dw20.exe
1976	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dw20.exe

pid process

1976 dw20.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

844 DllHost.exe

pid	process
1976	dw20.exe

pid	process
844	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exeere.exe

description	pid	process	target process
PID 2040 wrote to memory of 1972	2040	6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe	ere.exe
PID 2040 wrote to memory of 1972	2040	6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe	ere.exe
PID 2040 wrote to memory of 1972	2040	6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe	ere.exe
PID 2040 wrote to memory of 1972	2040	6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe	ere.exe
PID 1972 wrote to memory of 1976	1972	ere.exe	dw20.exe
PID 1972 wrote to memory of 1976	1972	ere.exe	dw20.exe
PID 1972 wrote to memory of 1976	1972	ere.exe	dw20.exe
PID 1972 wrote to memory of 1976	1972	ere.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe
"C:\Users\Admin\AppData\Local\Temp\6398d91815d64fb372c0125f7b53ac74788ae7c80ac704e1b6ab2e327042eac3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\ere.exe
"C:\Users\Admin\AppData\Local\Temp\ere.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 412
3⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1976

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:844

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1082326_1404973333057407_762499852_n.ico
Filesize
14KB

MD5
16477cfb50872f28b4d12d54afbfb476

SHA1
ef3b2e3e7f6291a3e776c11d278494cf746b2dcf

SHA256
4a012d1c225dbfe732428a1b38629a71bf96bb83191a1120f419fa5dcc733ba3

SHA512
41341d512992c78bd0b9287b5b10af380030d1a0d16fb97b750ee784d3732257af3ebd68281c3ab923c3f3f471be2ec7d9f437e9865475571cb0ed385541ed4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ere.exe
Filesize
485KB

MD5
a82944e62f537c142db0466278b41d60

SHA1
e9fc831042633e0865b8c3ee88ec0e114abe94f9

SHA256
7ae0c9441bcd1c1b6e313ac04d3ce923bae431670b6b98eff63f9dc5c2a13fb4

SHA512
d74e7745500ecabfc27f1f3eb4ac1ce1e1b8f745cb1179282f818c3b8a8f2f96c054f91fa8be059df0e41853243524eb734d2a4c8cb3a427a120e8936281aeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ere.exe
Filesize
485KB

MD5
a82944e62f537c142db0466278b41d60

SHA1
e9fc831042633e0865b8c3ee88ec0e114abe94f9

SHA256
7ae0c9441bcd1c1b6e313ac04d3ce923bae431670b6b98eff63f9dc5c2a13fb4

SHA512
d74e7745500ecabfc27f1f3eb4ac1ce1e1b8f745cb1179282f818c3b8a8f2f96c054f91fa8be059df0e41853243524eb734d2a4c8cb3a427a120e8936281aeaf

Download Submit
\Users\Admin\AppData\Local\Temp\ere.exe
Filesize
485KB

MD5
a82944e62f537c142db0466278b41d60

SHA1
e9fc831042633e0865b8c3ee88ec0e114abe94f9

SHA256
7ae0c9441bcd1c1b6e313ac04d3ce923bae431670b6b98eff63f9dc5c2a13fb4

SHA512
d74e7745500ecabfc27f1f3eb4ac1ce1e1b8f745cb1179282f818c3b8a8f2f96c054f91fa8be059df0e41853243524eb734d2a4c8cb3a427a120e8936281aeaf

Download Submit
\Users\Admin\AppData\Local\Temp\ere.exe
Filesize
485KB

MD5
a82944e62f537c142db0466278b41d60

SHA1
e9fc831042633e0865b8c3ee88ec0e114abe94f9

SHA256
7ae0c9441bcd1c1b6e313ac04d3ce923bae431670b6b98eff63f9dc5c2a13fb4

SHA512
d74e7745500ecabfc27f1f3eb4ac1ce1e1b8f745cb1179282f818c3b8a8f2f96c054f91fa8be059df0e41853243524eb734d2a4c8cb3a427a120e8936281aeaf

Download Submit
\Users\Admin\AppData\Local\Temp\ere.exe
Filesize
485KB

MD5
a82944e62f537c142db0466278b41d60

SHA1
e9fc831042633e0865b8c3ee88ec0e114abe94f9

SHA256
7ae0c9441bcd1c1b6e313ac04d3ce923bae431670b6b98eff63f9dc5c2a13fb4

SHA512
d74e7745500ecabfc27f1f3eb4ac1ce1e1b8f745cb1179282f818c3b8a8f2f96c054f91fa8be059df0e41853243524eb734d2a4c8cb3a427a120e8936281aeaf

Download Submit
\Users\Admin\AppData\Local\Temp\ere.exe
Filesize
485KB

MD5
a82944e62f537c142db0466278b41d60

SHA1
e9fc831042633e0865b8c3ee88ec0e114abe94f9

SHA256
7ae0c9441bcd1c1b6e313ac04d3ce923bae431670b6b98eff63f9dc5c2a13fb4

SHA512
d74e7745500ecabfc27f1f3eb4ac1ce1e1b8f745cb1179282f818c3b8a8f2f96c054f91fa8be059df0e41853243524eb734d2a4c8cb3a427a120e8936281aeaf

Download Submit
\Users\Admin\AppData\Local\Temp\ere.exe
Filesize
485KB

MD5
a82944e62f537c142db0466278b41d60

SHA1
e9fc831042633e0865b8c3ee88ec0e114abe94f9

SHA256
7ae0c9441bcd1c1b6e313ac04d3ce923bae431670b6b98eff63f9dc5c2a13fb4

SHA512
d74e7745500ecabfc27f1f3eb4ac1ce1e1b8f745cb1179282f818c3b8a8f2f96c054f91fa8be059df0e41853243524eb734d2a4c8cb3a427a120e8936281aeaf

Download Submit
memory/1972-57-0x0000000000000000-mapping.dmp

Download
memory/1972-65-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download
memory/1972-68-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-62-0x0000000000000000-mapping.dmp

Download
memory/2040-54-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing