e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f

General

Target

e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
Size

108KB
MD5

98daa70ab692915a467779877727cf39
SHA1

dafb5dfb3eac517c342958404f99852e670b0fca
SHA256

e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f
SHA512

4bdc419df084ffa1366c05a14610f5ca210c0d42feb0e8318012bb263cf23202c10075258e8217ff3da1452942016651d2ca0df6d7e53df7d25fa78d13bd9e9b
SSDEEP

3072:W4x9Pri16G04TQhl7Z2382rlkTUbzsasOk8ljrxeFFEK4:W4XO1F01hlA8YlJAa5k8ljtL

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

Processes:

diffenable.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	diffenable.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

diffenable.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{17D5C449-538A-4215-A907-44912CD21314}\WpadNetworkName = "Network 2"	diffenable.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-17-aa-63-f9-ce	diffenable.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-17-aa-63-f9-ce\WpadDecisionTime = 80a214e97b06d901	diffenable.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	diffenable.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	diffenable.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{17D5C449-538A-4215-A907-44912CD21314}\WpadDecisionReason = "1"	diffenable.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{17D5C449-538A-4215-A907-44912CD21314}\WpadDecisionTime = 80a214e97b06d901	diffenable.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{17D5C449-538A-4215-A907-44912CD21314}\WpadDecision = "0"	diffenable.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	diffenable.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	diffenable.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	diffenable.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{17D5C449-538A-4215-A907-44912CD21314}	diffenable.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{17D5C449-538A-4215-A907-44912CD21314}\a6-17-aa-63-f9-ce	diffenable.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	diffenable.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	diffenable.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	diffenable.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	diffenable.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0016000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	diffenable.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-17-aa-63-f9-ce\WpadDecisionReason = "1"	diffenable.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-17-aa-63-f9-ce\WpadDecision = "0"	diffenable.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	diffenable.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

diffenable.exe

pid process

1268 diffenable.exe
1268 diffenable.exe
1268 diffenable.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe

pid process

1332 e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe

pid	process
1268	diffenable.exe
1268	diffenable.exe
1268	diffenable.exe

pid	process
1332	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exee845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exediffenable.exediffenable.exe

pid	process
1760	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
1332	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
1236	diffenable.exe
1268	diffenable.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exediffenable.exe

description	pid	process	target process
PID 1760 wrote to memory of 1332	1760	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
PID 1760 wrote to memory of 1332	1760	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
PID 1760 wrote to memory of 1332	1760	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
PID 1760 wrote to memory of 1332	1760	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe	e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
PID 1236 wrote to memory of 1268	1236	diffenable.exe	diffenable.exe
PID 1236 wrote to memory of 1268	1236	diffenable.exe	diffenable.exe
PID 1236 wrote to memory of 1268	1236	diffenable.exe	diffenable.exe
PID 1236 wrote to memory of 1268	1236	diffenable.exe	diffenable.exe

C:\Users\Admin\AppData\Local\Temp\e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
"C:\Users\Admin\AppData\Local\Temp\e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\e845e5c7d95b80e85fe3c3c1875ca165b2f033221b4255b313c40d4ff82d832f.exe
--a9ad73a8
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
PID:1332

C:\Windows\SysWOW64\diffenable.exe
"C:\Windows\SysWOW64\diffenable.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\diffenable.exe
--14f42e9a
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:1268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1268-60-0x0000000000000000-mapping.dmp

Download
memory/1268-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1332-55-0x0000000000000000-mapping.dmp

Download
memory/1332-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1332-59-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1332-61-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1760-54-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1760-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1760-56-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads