d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d

General

Target

d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
Size

151KB
MD5

44667825e4463f2eef4410a36e4f442c
SHA1

6acf2b01f4f8bd5af3837a486ee2ae7df5b3d4f0
SHA256

d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d
SHA512

952c56f36dea369179ef30a57710030534fa1ff4d26d8d6a40eccb26343418d0d1e4a19545f0693c4a99f15ba56d05bff31a75bea3ddfb590173da7f5b0215b2
SSDEEP

1536:0289yVVa3PIZ2otlrcKEFHQ10KgxQ19KKp5l5QWLHGQ84V6oDF+CuR1p35sHUndm:zn2otlrlGw1tl1lLj84V6WF+3P5dnd

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
1232	regedit.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 1648	912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe	27
PID 912 wrote to memory of 1648	912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe	27
PID 912 wrote to memory of 1648	912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe	27
PID 912 wrote to memory of 1648	912	d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe	27
PID 1648 wrote to memory of 1232	1648	regedt32.exe	28
PID 1648 wrote to memory of 1232	1648	regedt32.exe	28
PID 1648 wrote to memory of 1232	1648	regedt32.exe	28
PID 1648 wrote to memory of 1232	1648	regedt32.exe	28

C:\Users\Admin\AppData\Local\Temp\d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe
"C:\Users\Admin\AppData\Local\Temp\d1327799cc2518e526c3821431a0f619c8bc82e909303ff750d85b1e2a950b5d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\SysWOW64\regedt32.exe
  "C:\Windows\System32\regedt32.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Iterra\T03emp03.reg

Filesize
217B

MD5
768fec6c0073879216669233ac46f7a4

SHA1
7280f019abc0bc93c92104268f92b4a92739a03d

SHA256
d8203a9dcb59188433dfc1387e39d661c62e589cd56dfc105860c4ed86fdab24

SHA512
9ccc573a56873febc40dec6064d171eaa5bbaa448534dba70e3609a403e4951d2a639f14cc0b968d00d64c71ab63043f10726c4d274ad7b5d66de4829711b06a

Download Submit
\Users\Admin\Documents\Iterra\ymncbff.dll

Filesize
40KB

MD5
d89da90af381ca3bb669566bc5133231

SHA1
66ab6602dd5302ab5fe5a1aaa1495d102dbc2205

SHA256
caf9f0142ec78eeba1f73b8bfbf2d6e3ed0bde79a9c57c2b291f413607882698

SHA512
52b30ccfcba93ae396f1a935db1a2969afaa0cb9131a288cf36161f7525ced08dd056e75a7cc1a66bd008a31068fcbc2c81e7c077f1b5de0a6387d947f69dc50

Download Submit
memory/912-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/912-55-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/912-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/912-63-0x0000000002220000-0x00000000022F3000-memory.dmp

Filesize
844KB

Download
memory/912-64-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/912-65-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing