81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc

General

Target

81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc.exe
Size

8KB
MD5

bf2b9ca48f7f1131e097518d3eaeb30b
SHA1

6dc8d5b782e5ad42c043890f67daa0ddf82e53d1
SHA256

81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc
SHA512

ccadef1965c2be41d5dcd4142866de99d3259d71c94d30ca388553312ed76bc57ca5ce28c4c5fbf122eb7619392f10daf279abdda7534b7c77da7e07c0454543
SSDEEP

192:k5THnHAckb3hTfm9/3IBxxv/x9BRiN43Y6+QyDpjap:k9pkti3Qxlp9BRxo6rydjY

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1140	hostdll.exe

Deletes itself 1 IoCs

pid	Process
1476	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
996	WScript.exe
996	WScript.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\hostdll.exe	81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc.exe
File created	C:\Windows\SysWOW64\ds.vbs	81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc.exe
File created	C:\Windows\SysWOW64\hostdll.exe	hostdll.exe
File created	C:\Windows\SysWOW64\hostdll.exe	81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1844	81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc.exe
Token: SeIncBasePriorityPrivilege	1140	hostdll.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 996	1844	81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc.exe	27
PID 1844 wrote to memory of 996	1844	81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc.exe	27
PID 1844 wrote to memory of 996	1844	81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc.exe	27
PID 1844 wrote to memory of 996	1844	81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc.exe	27
PID 1844 wrote to memory of 1476	1844	81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc.exe	28
PID 1844 wrote to memory of 1476	1844	81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc.exe	28
PID 1844 wrote to memory of 1476	1844	81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc.exe	28
PID 1844 wrote to memory of 1476	1844	81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc.exe	28
PID 996 wrote to memory of 1140	996	WScript.exe	29
PID 996 wrote to memory of 1140	996	WScript.exe	29
PID 996 wrote to memory of 1140	996	WScript.exe	29
PID 996 wrote to memory of 1140	996	WScript.exe	29
PID 1140 wrote to memory of 2008	1140	hostdll.exe	30
PID 1140 wrote to memory of 2008	1140	hostdll.exe	30
PID 1140 wrote to memory of 2008	1140	hostdll.exe	30
PID 1140 wrote to memory of 2008	1140	hostdll.exe	30

C:\Users\Admin\AppData\Local\Temp\81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc.exe
"C:\Users\Admin\AppData\Local\Temp\81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\system32\ds.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\SysWOW64\hostdll.exe
    "C:\Windows\system32\hostdll.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\hostdll.exe > nul
      4⤵
      PID:2008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\81A2F9~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ds.vbs

Filesize
89B

MD5
0793cd9c3c8423cb264c3ab71855dd85

SHA1
04bf975a7ed0cb930eeda97cbc9d726bd28ef173

SHA256
6448efb2dbde0afb4f9b399a19d7a4c1765c1f7663fed598fe6c11562a91642c

SHA512
8ddb9babcd330c95b11cb46cca7362e78814efa8900132746a4b59bc4a64e523cdf92021fcbfce2293a531150b2c104892966fc2bffafbee102471ac7596636c

Download Submit
C:\Windows\SysWOW64\hostdll.exe

Filesize
8KB

MD5
bf2b9ca48f7f1131e097518d3eaeb30b

SHA1
6dc8d5b782e5ad42c043890f67daa0ddf82e53d1

SHA256
81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc

SHA512
ccadef1965c2be41d5dcd4142866de99d3259d71c94d30ca388553312ed76bc57ca5ce28c4c5fbf122eb7619392f10daf279abdda7534b7c77da7e07c0454543

Download Submit
C:\Windows\SysWOW64\hostdll.exe

Filesize
8KB

MD5
bf2b9ca48f7f1131e097518d3eaeb30b

SHA1
6dc8d5b782e5ad42c043890f67daa0ddf82e53d1

SHA256
81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc

SHA512
ccadef1965c2be41d5dcd4142866de99d3259d71c94d30ca388553312ed76bc57ca5ce28c4c5fbf122eb7619392f10daf279abdda7534b7c77da7e07c0454543

Download Submit
\Windows\SysWOW64\hostdll.exe

Filesize
8KB

MD5
bf2b9ca48f7f1131e097518d3eaeb30b

SHA1
6dc8d5b782e5ad42c043890f67daa0ddf82e53d1

SHA256
81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc

SHA512
ccadef1965c2be41d5dcd4142866de99d3259d71c94d30ca388553312ed76bc57ca5ce28c4c5fbf122eb7619392f10daf279abdda7534b7c77da7e07c0454543

Download Submit
\Windows\SysWOW64\hostdll.exe

Filesize
8KB

MD5
bf2b9ca48f7f1131e097518d3eaeb30b

SHA1
6dc8d5b782e5ad42c043890f67daa0ddf82e53d1

SHA256
81a2f9c846f272da8a483da16182b97a4cf2e08260dd01893ce03b62eea253cc

SHA512
ccadef1965c2be41d5dcd4142866de99d3259d71c94d30ca388553312ed76bc57ca5ce28c4c5fbf122eb7619392f10daf279abdda7534b7c77da7e07c0454543

Download Submit
memory/1844-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing