59299eed7846305181d535980ad7ba88cad30b40691ab961e70dd875fc16ee4c

General

Target

59299eed7846305181d535980ad7ba88cad30b40691ab961e70dd875fc16ee4c.exe
Size

477KB
MD5

42ff9c3462c641475346b60f83ffcd00
SHA1

916ddb2058db619cca6fd3a20db0ced7d26845f3
SHA256

59299eed7846305181d535980ad7ba88cad30b40691ab961e70dd875fc16ee4c
SHA512

2b6b771a15fe2980336d2c2c81892ecadbfd317271e6af5f8bcf27f3007afff35016dcdc39b337c67d35ec058b699a5504626948a58e6d2dabe55a2609bbadc6
SSDEEP

12288:9PTveekpmU2GxQA5dZWkZK6nPqM+WcD4ellNrr/T:9I24QAhWhWMHD4MlNHT

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1480	taabc.exe
1276	jekis.exe

Deletes itself 1 IoCs

pid	Process
1128	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
864	59299eed7846305181d535980ad7ba88cad30b40691ab961e70dd875fc16ee4c.exe
1480	taabc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe
1276	jekis.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1480	864	59299eed7846305181d535980ad7ba88cad30b40691ab961e70dd875fc16ee4c.exe	28
PID 864 wrote to memory of 1480	864	59299eed7846305181d535980ad7ba88cad30b40691ab961e70dd875fc16ee4c.exe	28
PID 864 wrote to memory of 1480	864	59299eed7846305181d535980ad7ba88cad30b40691ab961e70dd875fc16ee4c.exe	28
PID 864 wrote to memory of 1480	864	59299eed7846305181d535980ad7ba88cad30b40691ab961e70dd875fc16ee4c.exe	28
PID 864 wrote to memory of 1128	864	59299eed7846305181d535980ad7ba88cad30b40691ab961e70dd875fc16ee4c.exe	29
PID 864 wrote to memory of 1128	864	59299eed7846305181d535980ad7ba88cad30b40691ab961e70dd875fc16ee4c.exe	29
PID 864 wrote to memory of 1128	864	59299eed7846305181d535980ad7ba88cad30b40691ab961e70dd875fc16ee4c.exe	29
PID 864 wrote to memory of 1128	864	59299eed7846305181d535980ad7ba88cad30b40691ab961e70dd875fc16ee4c.exe	29
PID 1480 wrote to memory of 1276	1480	taabc.exe	31
PID 1480 wrote to memory of 1276	1480	taabc.exe	31
PID 1480 wrote to memory of 1276	1480	taabc.exe	31
PID 1480 wrote to memory of 1276	1480	taabc.exe	31

C:\Users\Admin\AppData\Local\Temp\59299eed7846305181d535980ad7ba88cad30b40691ab961e70dd875fc16ee4c.exe
"C:\Users\Admin\AppData\Local\Temp\59299eed7846305181d535980ad7ba88cad30b40691ab961e70dd875fc16ee4c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\taabc.exe
  "C:\Users\Admin\AppData\Local\Temp\taabc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Users\Admin\AppData\Local\Temp\jekis.exe
    "C:\Users\Admin\AppData\Local\Temp\jekis.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
a6354dbe7271db98c75839f850c4c2eb

SHA1
767e76a4858117a16573a93a4b2c31d2b580adb6

SHA256
020ebd6ff02e0824ef2d4c5dcd4ac9f20d02136658da19e672709b7af6ec39a4

SHA512
543b7db3b8f29ee3abc4c3b5fca45973d896dfddfce92399e66b93f992c9888b53bf16bc7a57072747341f87b89fde2e434ff5d1c9f92e2d0cbc80bd352071d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c5003cde143378a2643bd3ec93f7a2dd

SHA1
6ba5873f08671738175f753266d7484f9911a1c0

SHA256
7d132acb9e93733e84307fcbb08c7d069a386c6f8db1759a5a083578fb6d58d8

SHA512
938d2ed72754b322df504e7a10bebe492ac27bb535ac5f4a23ce5e0337f4bd1ef98292e14ade48603d594a3ee4c152a0041029a95d0d3773a013078a3fa31f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jekis.exe

Filesize
236KB

MD5
92d5e8ad961ea9be224f346be82ec58f

SHA1
d0811e7b956ba798a192b09db9d8bd8b79761190

SHA256
d2c2134f2630eed4e2fcd65d63b2f791e09e2023b894563b4188f49499bedd82

SHA512
762232521a9777e76d51b219c6dfa1d7ececeb0b342dc93745735c9e920bab35ff26a3d17641df6dcf09e251a1c9123d98d4778367bb0c0119419f8452e9e6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\taabc.exe

Filesize
477KB

MD5
2fc1159daaac37c39669aa8842afa49f

SHA1
5ebc118b18f5000a0cd7966b5afb5fbb041fb7b6

SHA256
9d75949c7d2fa1bf40bbf4829a1acc52a9416a79e0a8e175425a5449e8e19965

SHA512
8704b7d144b879839071886e019265319965ed49333c33bb92743c804b631b5ce2d36e0dd9cc46f4046470e7a8a0c78aea76d516623118bbe900cbeccbc09283

Download Submit
C:\Users\Admin\AppData\Local\Temp\taabc.exe

Filesize
477KB

MD5
2fc1159daaac37c39669aa8842afa49f

SHA1
5ebc118b18f5000a0cd7966b5afb5fbb041fb7b6

SHA256
9d75949c7d2fa1bf40bbf4829a1acc52a9416a79e0a8e175425a5449e8e19965

SHA512
8704b7d144b879839071886e019265319965ed49333c33bb92743c804b631b5ce2d36e0dd9cc46f4046470e7a8a0c78aea76d516623118bbe900cbeccbc09283

Download Submit
\Users\Admin\AppData\Local\Temp\jekis.exe

Filesize
236KB

MD5
92d5e8ad961ea9be224f346be82ec58f

SHA1
d0811e7b956ba798a192b09db9d8bd8b79761190

SHA256
d2c2134f2630eed4e2fcd65d63b2f791e09e2023b894563b4188f49499bedd82

SHA512
762232521a9777e76d51b219c6dfa1d7ececeb0b342dc93745735c9e920bab35ff26a3d17641df6dcf09e251a1c9123d98d4778367bb0c0119419f8452e9e6c1

Download Submit
\Users\Admin\AppData\Local\Temp\taabc.exe

Filesize
477KB

MD5
2fc1159daaac37c39669aa8842afa49f

SHA1
5ebc118b18f5000a0cd7966b5afb5fbb041fb7b6

SHA256
9d75949c7d2fa1bf40bbf4829a1acc52a9416a79e0a8e175425a5449e8e19965

SHA512
8704b7d144b879839071886e019265319965ed49333c33bb92743c804b631b5ce2d36e0dd9cc46f4046470e7a8a0c78aea76d516623118bbe900cbeccbc09283

Download Submit
memory/864-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/864-61-0x0000000000AD0000-0x0000000000B5C000-memory.dmp

Filesize
560KB

Download
memory/864-55-0x0000000000AD0000-0x0000000000B5C000-memory.dmp

Filesize
560KB

Download
memory/1276-71-0x0000000000100000-0x00000000001A3000-memory.dmp

Filesize
652KB

Download
memory/1480-69-0x0000000000A30000-0x0000000000ABC000-memory.dmp

Filesize
560KB

Download
memory/1480-66-0x0000000003340000-0x00000000033E3000-memory.dmp

Filesize
652KB

Download
memory/1480-63-0x0000000000A30000-0x0000000000ABC000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing