5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac

General

Target

5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac.exe
Size

193KB
MD5

f8e64b6d0eee0b6806984c6452368e97
SHA1

026c28e7cd3fc181520517a40841d0d59926bbcc
SHA256

5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac
SHA512

b60eadfda105343ca9cfa8f424328a06c54257492d6ee74896d923607ba07012e0c9f81a09bfcd6e227fdbb555b111df086d339fc643b3b8ca027d23de48b335
SSDEEP

6144:ULHAjWhKHQjFOlTFYlMCARRTqfbOSL5IXKZV0I:ULHAjWhKHQjFOlTFYlMCARRTqfbOSL5F

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1360	sara.exe
1692	sara.exe

Loads dropped DLL 3 IoCs

pid	Process
2004	5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac.exe
2004	5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac.exe
1360	sara.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1360 set thread context of 1692	1360	sara.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1692	sara.exe
1692	sara.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1748	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1360	sara.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1360	2004	5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac.exe	28
PID 2004 wrote to memory of 1360	2004	5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac.exe	28
PID 2004 wrote to memory of 1360	2004	5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac.exe	28
PID 2004 wrote to memory of 1360	2004	5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac.exe	28
PID 1360 wrote to memory of 1692	1360	sara.exe	29
PID 1360 wrote to memory of 1692	1360	sara.exe	29
PID 1360 wrote to memory of 1692	1360	sara.exe	29
PID 1360 wrote to memory of 1692	1360	sara.exe	29
PID 1360 wrote to memory of 1692	1360	sara.exe	29
PID 1360 wrote to memory of 1692	1360	sara.exe	29
PID 1360 wrote to memory of 1692	1360	sara.exe	29
PID 1360 wrote to memory of 1692	1360	sara.exe	29
PID 1692 wrote to memory of 1264	1692	sara.exe	11
PID 1692 wrote to memory of 1264	1692	sara.exe	11
PID 1692 wrote to memory of 1264	1692	sara.exe	11
PID 1692 wrote to memory of 1264	1692	sara.exe	11

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac.exe
  "C:\Users\Admin\AppData\Local\Temp\5303eb9a220cb71e97d9ee32d73e8b4ad01d81e55128056862ba7d0924c400ac.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\sara.exe
    "C:\Users\Admin\AppData\Local\Temp\sara.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\sara.exe
      C:\Users\Admin\AppData\Local\Temp\sara.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1692

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CaptureWiz093.jpg

Filesize
7KB

MD5
a03f2cdd689b725f3048e5340f97c994

SHA1
d263b6a136e21d70b686330ca6c4077291f6c021

SHA256
2ac552741fdefa49691f6db98e48d8928fee43b3ca464ca5977b6be5831a1eac

SHA512
03e1bb2d2d054a8abadab87a2aeaf1e17802a41c9ee5a5f34f8764ddb30c04de9072dc28d0228db28f00fd325737ea19f1e86e46442a5bfadb970da346ed1ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sara.exe

Filesize
172KB

MD5
92afe8826dc2cd04907227deedc06eb9

SHA1
79ceec9a37bd09861a8cd0a460097beb5d987bb5

SHA256
65132313e6fcbd44ae53a3f7b5725bd5736b115b46e2b7785c01b633812fd1ac

SHA512
3dda37e126d5b169b28d855a06aa5bb74f895965e8574a1a6da9d9963eaf16e79d8a2bc8791b2166abd9226c204a29556e958d299c10ef2e6e90f297d3a47c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\sara.exe

Filesize
172KB

MD5
92afe8826dc2cd04907227deedc06eb9

SHA1
79ceec9a37bd09861a8cd0a460097beb5d987bb5

SHA256
65132313e6fcbd44ae53a3f7b5725bd5736b115b46e2b7785c01b633812fd1ac

SHA512
3dda37e126d5b169b28d855a06aa5bb74f895965e8574a1a6da9d9963eaf16e79d8a2bc8791b2166abd9226c204a29556e958d299c10ef2e6e90f297d3a47c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\sara.exe

Filesize
172KB

MD5
92afe8826dc2cd04907227deedc06eb9

SHA1
79ceec9a37bd09861a8cd0a460097beb5d987bb5

SHA256
65132313e6fcbd44ae53a3f7b5725bd5736b115b46e2b7785c01b633812fd1ac

SHA512
3dda37e126d5b169b28d855a06aa5bb74f895965e8574a1a6da9d9963eaf16e79d8a2bc8791b2166abd9226c204a29556e958d299c10ef2e6e90f297d3a47c32

Download Submit
\Users\Admin\AppData\Local\Temp\sara.exe

Filesize
172KB

MD5
92afe8826dc2cd04907227deedc06eb9

SHA1
79ceec9a37bd09861a8cd0a460097beb5d987bb5

SHA256
65132313e6fcbd44ae53a3f7b5725bd5736b115b46e2b7785c01b633812fd1ac

SHA512
3dda37e126d5b169b28d855a06aa5bb74f895965e8574a1a6da9d9963eaf16e79d8a2bc8791b2166abd9226c204a29556e958d299c10ef2e6e90f297d3a47c32

Download Submit
\Users\Admin\AppData\Local\Temp\sara.exe

Filesize
172KB

MD5
92afe8826dc2cd04907227deedc06eb9

SHA1
79ceec9a37bd09861a8cd0a460097beb5d987bb5

SHA256
65132313e6fcbd44ae53a3f7b5725bd5736b115b46e2b7785c01b633812fd1ac

SHA512
3dda37e126d5b169b28d855a06aa5bb74f895965e8574a1a6da9d9963eaf16e79d8a2bc8791b2166abd9226c204a29556e958d299c10ef2e6e90f297d3a47c32

Download Submit
\Users\Admin\AppData\Local\Temp\sara.exe

Filesize
172KB

MD5
92afe8826dc2cd04907227deedc06eb9

SHA1
79ceec9a37bd09861a8cd0a460097beb5d987bb5

SHA256
65132313e6fcbd44ae53a3f7b5725bd5736b115b46e2b7785c01b633812fd1ac

SHA512
3dda37e126d5b169b28d855a06aa5bb74f895965e8574a1a6da9d9963eaf16e79d8a2bc8791b2166abd9226c204a29556e958d299c10ef2e6e90f297d3a47c32

Download Submit
memory/1264-71-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1692-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1692-68-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/1692-74-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2004-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing