ae63174bb1e1e471c3efc494fb985cc4b3978a1311f6f38469620f61acf19bc8

General

Target

ae63174bb1e1e471c3efc494fb985cc4b3978a1311f6f38469620f61acf19bc8.exe
Size

166KB
MD5

fbb00fc1a5e149676d9a1a923b4423fb
SHA1

91773405d8fea63770a5c415547e2f3d33fb6c4f
SHA256

ae63174bb1e1e471c3efc494fb985cc4b3978a1311f6f38469620f61acf19bc8
SHA512

ff9d45c8472465e8a121e6f73d3a4c209cae31841b351f276b0dfcbb6d546feef0b64340f2dccb3f3084359924b6467f0fb0c06f26aa83c7953169bc37ebef83
SSDEEP

3072:D1dlKwgj23+Oz05YoNozOcx27YfXNh+WWbvDp2qW:D1dlZro5ykuElvD0T

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1516	1.exe
572	1.exe

Loads dropped DLL 2 IoCs

pid	Process
520	ae63174bb1e1e471c3efc494fb985cc4b3978a1311f6f38469620f61acf19bc8.exe
520	ae63174bb1e1e471c3efc494fb985cc4b3978a1311f6f38469620f61acf19bc8.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1516 set thread context of 572	1516	1.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
572	1.exe
572	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1536	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1516	1.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 1516	520	ae63174bb1e1e471c3efc494fb985cc4b3978a1311f6f38469620f61acf19bc8.exe	28
PID 520 wrote to memory of 1516	520	ae63174bb1e1e471c3efc494fb985cc4b3978a1311f6f38469620f61acf19bc8.exe	28
PID 520 wrote to memory of 1516	520	ae63174bb1e1e471c3efc494fb985cc4b3978a1311f6f38469620f61acf19bc8.exe	28
PID 520 wrote to memory of 1516	520	ae63174bb1e1e471c3efc494fb985cc4b3978a1311f6f38469620f61acf19bc8.exe	28
PID 1516 wrote to memory of 572	1516	1.exe	29
PID 1516 wrote to memory of 572	1516	1.exe	29
PID 1516 wrote to memory of 572	1516	1.exe	29
PID 1516 wrote to memory of 572	1516	1.exe	29
PID 1516 wrote to memory of 572	1516	1.exe	29
PID 1516 wrote to memory of 572	1516	1.exe	29
PID 1516 wrote to memory of 572	1516	1.exe	29
PID 1516 wrote to memory of 572	1516	1.exe	29
PID 572 wrote to memory of 1372	572	1.exe	15
PID 572 wrote to memory of 1372	572	1.exe	15
PID 572 wrote to memory of 1372	572	1.exe	15
PID 572 wrote to memory of 1372	572	1.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1372
- C:\Users\Admin\AppData\Local\Temp\ae63174bb1e1e471c3efc494fb985cc4b3978a1311f6f38469620f61acf19bc8.exe
  "C:\Users\Admin\AppData\Local\Temp\ae63174bb1e1e471c3efc494fb985cc4b3978a1311f6f38469620f61acf19bc8.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Extracted\1.exe
    "C:\Extracted\1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Extracted\1.exe
      "C:\Extracted\1.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:572

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\1.exe

Filesize
160KB

MD5
aae65473fc3946adbcca02e6a310ec79

SHA1
fbfa1b8ffa0ecf9d2b11835dc46b568cfc591280

SHA256
c3abe983be0f18b9326994cf1d406d2ae0c0f8ac517b361a9d26e0d1ddadeee3

SHA512
695112fbe9d4e768e898b676752b863ad7802c31a98b21cb00390213bea41abae2e4ff24786ec0e809aeb4fe1cf8ca105ab3c0349bbe86ef79d2a1082851cea2

Download Submit
C:\Extracted\1.exe

Filesize
160KB

MD5
aae65473fc3946adbcca02e6a310ec79

SHA1
fbfa1b8ffa0ecf9d2b11835dc46b568cfc591280

SHA256
c3abe983be0f18b9326994cf1d406d2ae0c0f8ac517b361a9d26e0d1ddadeee3

SHA512
695112fbe9d4e768e898b676752b863ad7802c31a98b21cb00390213bea41abae2e4ff24786ec0e809aeb4fe1cf8ca105ab3c0349bbe86ef79d2a1082851cea2

Download Submit
C:\Extracted\1.exe

Filesize
160KB

MD5
aae65473fc3946adbcca02e6a310ec79

SHA1
fbfa1b8ffa0ecf9d2b11835dc46b568cfc591280

SHA256
c3abe983be0f18b9326994cf1d406d2ae0c0f8ac517b361a9d26e0d1ddadeee3

SHA512
695112fbe9d4e768e898b676752b863ad7802c31a98b21cb00390213bea41abae2e4ff24786ec0e809aeb4fe1cf8ca105ab3c0349bbe86ef79d2a1082851cea2

Download Submit
C:\Extracted\th_14298_43978706_123_384lo.jpg

Filesize
13KB

MD5
00a0710446e09b19c8a74d25b303857e

SHA1
ef34bb82ab18a55a8a43683bd17d0f626fbb771e

SHA256
3373bcea7a5b156c7f6618f3acb74aedde58db5bb9b0f4b68199f6e7256a868c

SHA512
15a88242417c313ab8f5b35ca1cf600647ef75a95a0e31cbe02cae016605fae4960dad4b53e064d6478e6cc8f5c5b1a63287b4d843868ae65643a3bdf334fdae

Download Submit
\Extracted\1.exe

Filesize
160KB

MD5
aae65473fc3946adbcca02e6a310ec79

SHA1
fbfa1b8ffa0ecf9d2b11835dc46b568cfc591280

SHA256
c3abe983be0f18b9326994cf1d406d2ae0c0f8ac517b361a9d26e0d1ddadeee3

SHA512
695112fbe9d4e768e898b676752b863ad7802c31a98b21cb00390213bea41abae2e4ff24786ec0e809aeb4fe1cf8ca105ab3c0349bbe86ef79d2a1082851cea2

Download Submit
\Extracted\1.exe

Filesize
160KB

MD5
aae65473fc3946adbcca02e6a310ec79

SHA1
fbfa1b8ffa0ecf9d2b11835dc46b568cfc591280

SHA256
c3abe983be0f18b9326994cf1d406d2ae0c0f8ac517b361a9d26e0d1ddadeee3

SHA512
695112fbe9d4e768e898b676752b863ad7802c31a98b21cb00390213bea41abae2e4ff24786ec0e809aeb4fe1cf8ca105ab3c0349bbe86ef79d2a1082851cea2

Download Submit
memory/520-54-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

Filesize
8KB

Download
memory/572-62-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/572-66-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/572-71-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1372-68-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing