84872753d6c8469aee7fe4a68d24784832b29474b2f4a2f7e64a8f6afffe65f3

General

Target

84872753d6c8469aee7fe4a68d24784832b29474b2f4a2f7e64a8f6afffe65f3.exe
Size

197KB
MD5

38262b236ea57077607ca45de782444d
SHA1

a64efbbc830250c260ffc672ae145a5e2e8720e6
SHA256

84872753d6c8469aee7fe4a68d24784832b29474b2f4a2f7e64a8f6afffe65f3
SHA512

b74d7b0595c4614cf9446e96a132b52cc91816129afcc480c5e30d550765b5dcd06010c129ad37ddf38b06c699dd5456cdb9a9248dd1d6594f73ec90f8c9b6ff
SSDEEP

3072:vb8M3FrKwqfEFvzrFTbtcdXNDe9IlCab0H+HZtVdxFUCeyrtoz0poQj+cDK0:vAMpKSXVhcuM0H8ZtVqCe5zS+cO

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	84872753d6c8469aee7fe4a68d24784832b29474b2f4a2f7e64a8f6afffe65f3.exe

Executes dropped EXE 1 IoCs

pid	Process
1456	volmgr.exe

Deletes itself 1 IoCs

pid	Process
1456	volmgr.exe

Loads dropped DLL 3 IoCs

pid	Process
852	84872753d6c8469aee7fe4a68d24784832b29474b2f4a2f7e64a8f6afffe65f3.exe
852	84872753d6c8469aee7fe4a68d24784832b29474b2f4a2f7e64a8f6afffe65f3.exe
1456	volmgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\volmgr = "C:\\Users\\Admin\\AppData\\Local\\volmgr.exe"	84872753d6c8469aee7fe4a68d24784832b29474b2f4a2f7e64a8f6afffe65f3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	84872753d6c8469aee7fe4a68d24784832b29474b2f4a2f7e64a8f6afffe65f3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
852	84872753d6c8469aee7fe4a68d24784832b29474b2f4a2f7e64a8f6afffe65f3.exe
1456	volmgr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1456	852	84872753d6c8469aee7fe4a68d24784832b29474b2f4a2f7e64a8f6afffe65f3.exe	28
PID 852 wrote to memory of 1456	852	84872753d6c8469aee7fe4a68d24784832b29474b2f4a2f7e64a8f6afffe65f3.exe	28
PID 852 wrote to memory of 1456	852	84872753d6c8469aee7fe4a68d24784832b29474b2f4a2f7e64a8f6afffe65f3.exe	28
PID 852 wrote to memory of 1456	852	84872753d6c8469aee7fe4a68d24784832b29474b2f4a2f7e64a8f6afffe65f3.exe	28

C:\Users\Admin\AppData\Local\Temp\84872753d6c8469aee7fe4a68d24784832b29474b2f4a2f7e64a8f6afffe65f3.exe
"C:\Users\Admin\AppData\Local\Temp\84872753d6c8469aee7fe4a68d24784832b29474b2f4a2f7e64a8f6afffe65f3.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\volmgr.exe
  "C:\Users\Admin\AppData\Local\volmgr.exe" C:\Users\Admin\AppData\Local\Temp\84872753d6c8469aee7fe4a68d24784832b29474b2f4a2f7e64a8f6afffe65f3.exe
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of UnmapMainImage
  PID:1456

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\55CF.tmp

Filesize
76KB

MD5
49d1c8b87986868f9cf72a0f9029900d

SHA1
20a911c914c06b97d81189b8c44235b16545caa2

SHA256
fb472f7575b234c6ae2dc458a0d0434598ae1a680aeb8757c485e6ca54a08bcc

SHA512
ea5bbcaf36250656f09f70c59d0e8ba0bbea7e57b0fe142a36a97b88e85108733f7aba24c731687076b8a87e655cefbf138f609c3ad3f7df54fec5b35468bcc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\55D0.tmp

Filesize
77KB

MD5
2ca923542735c751f8893161c0801be3

SHA1
10e9fd5b514b12a66a17695ab0fe6a0431dfc5bb

SHA256
efda28260a5bd35589e1c37400cabe2f6b81a9b1a52849ea9364ed40b556651f

SHA512
64ec7923acf8f18582d59864e950c4739ba5ca906ae51f36f0e9f792a006e9aeefe7011078edd0b9e52214c6bfe3ac164bc80d01bbb4fb789a69192711f3744c

Download Submit
C:\Users\Admin\AppData\Local\volmgr.dll

Filesize
77KB

MD5
2ca923542735c751f8893161c0801be3

SHA1
10e9fd5b514b12a66a17695ab0fe6a0431dfc5bb

SHA256
efda28260a5bd35589e1c37400cabe2f6b81a9b1a52849ea9364ed40b556651f

SHA512
64ec7923acf8f18582d59864e950c4739ba5ca906ae51f36f0e9f792a006e9aeefe7011078edd0b9e52214c6bfe3ac164bc80d01bbb4fb789a69192711f3744c

Download Submit
C:\Users\Admin\AppData\Local\volmgr.exe

Filesize
76KB

MD5
49d1c8b87986868f9cf72a0f9029900d

SHA1
20a911c914c06b97d81189b8c44235b16545caa2

SHA256
fb472f7575b234c6ae2dc458a0d0434598ae1a680aeb8757c485e6ca54a08bcc

SHA512
ea5bbcaf36250656f09f70c59d0e8ba0bbea7e57b0fe142a36a97b88e85108733f7aba24c731687076b8a87e655cefbf138f609c3ad3f7df54fec5b35468bcc9

Download Submit
C:\Users\Admin\AppData\Local\volmgr.exe

Filesize
76KB

MD5
49d1c8b87986868f9cf72a0f9029900d

SHA1
20a911c914c06b97d81189b8c44235b16545caa2

SHA256
fb472f7575b234c6ae2dc458a0d0434598ae1a680aeb8757c485e6ca54a08bcc

SHA512
ea5bbcaf36250656f09f70c59d0e8ba0bbea7e57b0fe142a36a97b88e85108733f7aba24c731687076b8a87e655cefbf138f609c3ad3f7df54fec5b35468bcc9

Download Submit
\Users\Admin\AppData\Local\volmgr.dll

Filesize
77KB

MD5
2ca923542735c751f8893161c0801be3

SHA1
10e9fd5b514b12a66a17695ab0fe6a0431dfc5bb

SHA256
efda28260a5bd35589e1c37400cabe2f6b81a9b1a52849ea9364ed40b556651f

SHA512
64ec7923acf8f18582d59864e950c4739ba5ca906ae51f36f0e9f792a006e9aeefe7011078edd0b9e52214c6bfe3ac164bc80d01bbb4fb789a69192711f3744c

Download Submit
\Users\Admin\AppData\Local\volmgr.exe

Filesize
76KB

MD5
49d1c8b87986868f9cf72a0f9029900d

SHA1
20a911c914c06b97d81189b8c44235b16545caa2

SHA256
fb472f7575b234c6ae2dc458a0d0434598ae1a680aeb8757c485e6ca54a08bcc

SHA512
ea5bbcaf36250656f09f70c59d0e8ba0bbea7e57b0fe142a36a97b88e85108733f7aba24c731687076b8a87e655cefbf138f609c3ad3f7df54fec5b35468bcc9

Download Submit
\Users\Admin\AppData\Local\volmgr.exe

Filesize
76KB

MD5
49d1c8b87986868f9cf72a0f9029900d

SHA1
20a911c914c06b97d81189b8c44235b16545caa2

SHA256
fb472f7575b234c6ae2dc458a0d0434598ae1a680aeb8757c485e6ca54a08bcc

SHA512
ea5bbcaf36250656f09f70c59d0e8ba0bbea7e57b0fe142a36a97b88e85108733f7aba24c731687076b8a87e655cefbf138f609c3ad3f7df54fec5b35468bcc9

Download Submit
memory/852-69-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/852-60-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/852-61-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/852-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1456-64-0x0000000000000000-mapping.dmp

Download
memory/1456-68-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1456-67-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1456-70-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing