14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72

General

Target

14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe
Size

518KB
MD5

ac11eb72ce91ac8c2b066612be8e2ef8
SHA1

d8d10f4dfe4049f0e510c3b98d79e013660d2a4a
SHA256

14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72
SHA512

87197a5d8067dc01acd894eb735d80e3937288909ff6d300af76511030dba92ecfae9af3feaac7a4e17413cbdc211fa2fd54a7c079a554049b91d2faa5871723
SSDEEP

12288:WuoxwConp+xd89eXSsoeKgiJy97EX3vfLBukxxn4cO7q/QzwqML1U7EJ:Wjxwpp+xauSsX0RnvfLZx4cO71MqCr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3484	Launcher.exe
2744	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe

Loads dropped DLL 1 IoCs

pid	Process
1824	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1824	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 3484	1824	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe	83
PID 1824 wrote to memory of 3484	1824	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe	83
PID 1824 wrote to memory of 3484	1824	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe	83
PID 1824 wrote to memory of 2744	1824	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe	84
PID 1824 wrote to memory of 2744	1824	14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe	84

C:\Users\Admin\AppData\Local\Temp\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe
"C:\Users\Admin\AppData\Local\Temp\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\b8PcPFMb3x3SRJ8\Launcher.exe
  C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\b8PcPFMb3x3SRJ8\Launcher.exe /in="e14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe" /out="14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe" /psw="325e8b726dd04e16ad27a069215a215f" /typ=dec
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\b8PcPFMb3x3SRJ8\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe
  C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\b8PcPFMb3x3SRJ8\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe /path="C:\Users\Admin\AppData\Local\Temp\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe"
  2⤵
  - Executes dropped EXE
  PID:2744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\b8PcPFMb3x3SRJ8\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe

Filesize
388KB

MD5
ef17d11b2024201fa14abdf44d18606d

SHA1
07a035a5743f2f6e50d898e2691d0c728d9d482c

SHA256
d4fe14ffa0ead1fbaffee535f198d0e247e1856f151255837f46757c913469ea

SHA512
ec23667ba1c6f50c1a61eb4905fec237f8a6aaa20cfbfed242790f3db87dc9434f9580450856a6563ede684ae360a6095f05f2d1a3d3d56e4bad3c20108dc5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\b8PcPFMb3x3SRJ8\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe

Filesize
388KB

MD5
ef17d11b2024201fa14abdf44d18606d

SHA1
07a035a5743f2f6e50d898e2691d0c728d9d482c

SHA256
d4fe14ffa0ead1fbaffee535f198d0e247e1856f151255837f46757c913469ea

SHA512
ec23667ba1c6f50c1a61eb4905fec237f8a6aaa20cfbfed242790f3db87dc9434f9580450856a6563ede684ae360a6095f05f2d1a3d3d56e4bad3c20108dc5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\b8PcPFMb3x3SRJ8\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe.config

Filesize
690B

MD5
bca0ea75b6940aa86960d7b9098a5998

SHA1
3d57f82158ac72c7eb2e72ba19a80485d8103130

SHA256
5a494295936d2170433864b449257bbac7b976413811a0b6339e37f83a891f8d

SHA512
260a05c509d874239a27798421ee75ac7e2bbc0d2a0485122740e8b8adcd8f43f98f7633cef278d9f7f4a132633b4b1cdf4b641e2233e891dce2d6eb6e75c3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\b8PcPFMb3x3SRJ8\Launcher.exe

Filesize
104KB

MD5
079afdb2d8e7ba0148739644baa2d96b

SHA1
e2a50f8f5ed71b910cc56f72b6a8972ff03aa814

SHA256
9c12d7b7dfb5658475251c0a90f2f733fcd2a6c43f4d94f3f82e9f03693e772d

SHA512
b03f17c57868f0987632895ec1413a4c64a61f1bc38d6035ad5fd44114bfedf431a97abc22e7027967ca50a614f72c798ef1960ea718b08993854115718883d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\b8PcPFMb3x3SRJ8\Launcher.exe

Filesize
104KB

MD5
079afdb2d8e7ba0148739644baa2d96b

SHA1
e2a50f8f5ed71b910cc56f72b6a8972ff03aa814

SHA256
9c12d7b7dfb5658475251c0a90f2f733fcd2a6c43f4d94f3f82e9f03693e772d

SHA512
b03f17c57868f0987632895ec1413a4c64a61f1bc38d6035ad5fd44114bfedf431a97abc22e7027967ca50a614f72c798ef1960ea718b08993854115718883d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\b8PcPFMb3x3SRJ8\Launcher.exe.config

Filesize
340B

MD5
91629f6b28cbe2b52bb86cb5af3bdbca

SHA1
35fb57ac58c9eb0668f5832a588d9f81e040568b

SHA256
589c122996fadc118731c6f983c5d3b498c4b4b59700ea548f4cfb79e4eaaeeb

SHA512
f08382296696173784841a163c73c19e7bd674a08a053c0434d55696f45039721925e5d829e4bbbf71b07385d1b88c5ea241b8247eb0d81bf381205977bd14c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DM\14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe\b8PcPFMb3x3SRJ8\e14876c88a1a73ea97eb28fb59b5a322203b2ae03944304d977533211c77a5e72.exe

Filesize
388KB

MD5
9d46c414841671ec396f6e8b80427911

SHA1
2fd7aa3016d974b18ddbff20ec2e6006a0066993

SHA256
0b4af485e10fe21f6c592944f89c38e57a65f3a8c3b3bd0ac0f3b58a9dec9af7

SHA512
fca64190f765129554b77085beddabfd174668fd7c5db506a03a2254d314f7560c99c94f1f6715fbb846485ce951683faf4604df77d9ee3b068cbc6b15c78227

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCAD4.tmp\pwgen.dll

Filesize
16KB

MD5
a555472395178ac8c733d90928e05017

SHA1
f44b192d66473f01a6540aaec4b6c9ac4c611d35

SHA256
82ae08fced4a1f9a7df123634da5f4cb12af4593a006bef421a54739a2cbd44e

SHA512
e6d87b030c45c655d93b2e76d7437ad900df5da2475dd2e6e28b6c872040491e80f540b00b6091d16bc8410bd58a1e82c62ee1b17193ef8500a153d4474bb80a

Download Submit
memory/2744-144-0x00007FFF1AB90000-0x00007FFF1B5C6000-memory.dmp

Filesize
10.2MB

Download
memory/3484-138-0x0000000072A10000-0x0000000072FC1000-memory.dmp

Filesize
5.7MB

Download
memory/3484-139-0x0000000072A10000-0x0000000072FC1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing