aa705ca7ddc15c1463faa9e58708ecc5cda6fbde1736e655f0d4eb304f8d5b40

General

Target

aa705ca7ddc15c1463faa9e58708ecc5cda6fbde1736e655f0d4eb304f8d5b40.exe
Size

148KB
MD5

0fcf5083d94322f9a6ad607ae36fa13a
SHA1

80edbfb3b227be63af9672da522d65a31efb98b9
SHA256

aa705ca7ddc15c1463faa9e58708ecc5cda6fbde1736e655f0d4eb304f8d5b40
SHA512

d37f886ab546329d49b93e57ccb671d2c50f53236d8722d10746db34fa69e978e97ac8acebd4b9f37e5dbc0d47c38b6adedbca2047160ae23f2fd81dfb876d3e
SSDEEP

3072:HKbtYscOP7BR/Xq165VzFiIlMUojqhPVBvntPW:8HFXS165VLMU6qhTvntPW

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1352	52H52NMN5Mj8N55.exe

Deletes itself 1 IoCs

pid	Process
1160	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
900	cmd.exe
900	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 900	2032	aa705ca7ddc15c1463faa9e58708ecc5cda6fbde1736e655f0d4eb304f8d5b40.exe	27
PID 2032 wrote to memory of 900	2032	aa705ca7ddc15c1463faa9e58708ecc5cda6fbde1736e655f0d4eb304f8d5b40.exe	27
PID 2032 wrote to memory of 900	2032	aa705ca7ddc15c1463faa9e58708ecc5cda6fbde1736e655f0d4eb304f8d5b40.exe	27
PID 2032 wrote to memory of 900	2032	aa705ca7ddc15c1463faa9e58708ecc5cda6fbde1736e655f0d4eb304f8d5b40.exe	27
PID 2032 wrote to memory of 1160	2032	aa705ca7ddc15c1463faa9e58708ecc5cda6fbde1736e655f0d4eb304f8d5b40.exe	29
PID 2032 wrote to memory of 1160	2032	aa705ca7ddc15c1463faa9e58708ecc5cda6fbde1736e655f0d4eb304f8d5b40.exe	29
PID 2032 wrote to memory of 1160	2032	aa705ca7ddc15c1463faa9e58708ecc5cda6fbde1736e655f0d4eb304f8d5b40.exe	29
PID 2032 wrote to memory of 1160	2032	aa705ca7ddc15c1463faa9e58708ecc5cda6fbde1736e655f0d4eb304f8d5b40.exe	29
PID 900 wrote to memory of 1352	900	cmd.exe	31
PID 900 wrote to memory of 1352	900	cmd.exe	31
PID 900 wrote to memory of 1352	900	cmd.exe	31
PID 900 wrote to memory of 1352	900	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\aa705ca7ddc15c1463faa9e58708ecc5cda6fbde1736e655f0d4eb304f8d5b40.exe
"C:\Users\Admin\AppData\Local\Temp\aa705ca7ddc15c1463faa9e58708ecc5cda6fbde1736e655f0d4eb304f8d5b40.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\52H52NMN5Mj8N55.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Users\Admin\AppData\Local\Temp\52H52NMN5Mj8N55.exe
    "C:\Users\Admin\AppData\Local\Temp\52H52NMN5Mj8N55.exe"
    3⤵
    - Executes dropped EXE
    PID:1352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\aa705ca7ddc15c1463faa9e58708ecc5cda6fbde1736e655f0d4eb304f8d5b40.exe.bat" "
  2⤵
  - Deletes itself
  PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\52H52NMN5Mj8N55.exe

Filesize
111KB

MD5
a7d4b6429beed3f6d691b5c3074c3a64

SHA1
55f619d163d28c1b3ffbc1297f79e8a167d5e5dc

SHA256
f8f01e0165a0604a8bf3306c40b402f507c0d12a97bc3e2a0e0b8094e3a48abc

SHA512
3871f2906ab980f7a4fee8578cefa590b88c820bb380b8b9e8c5261bc28936b229616d0dc4660f0dbcf0f0baaafc9f4a0f5c660b8517c444d5195494cd4cf5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\52H52NMN5Mj8N55.exe

Filesize
111KB

MD5
a7d4b6429beed3f6d691b5c3074c3a64

SHA1
55f619d163d28c1b3ffbc1297f79e8a167d5e5dc

SHA256
f8f01e0165a0604a8bf3306c40b402f507c0d12a97bc3e2a0e0b8094e3a48abc

SHA512
3871f2906ab980f7a4fee8578cefa590b88c820bb380b8b9e8c5261bc28936b229616d0dc4660f0dbcf0f0baaafc9f4a0f5c660b8517c444d5195494cd4cf5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\52H52NMN5Mj8N55.exe.bat

Filesize
207B

MD5
cb29196db2abb5fbe4208706e9c72237

SHA1
b2de57f8fe7f75a15fdb724c18d847cfbce254a7

SHA256
aba225413c99c6992fa71df669d6a9672ecd8e8dda9a92e6397fae6434682b9f

SHA512
c82e7c91a2e382cdd02ae1f9a80518d7712d9b4621638c4a68704a2c40ebd03a5f4559bbb42b3d5f410e8542c7e50caa860c403974ddaf41b4c9b1f970d36b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa705ca7ddc15c1463faa9e58708ecc5cda6fbde1736e655f0d4eb304f8d5b40.exe.bat

Filesize
525B

MD5
c6b4786e504f037e84dc14b2fbd19894

SHA1
ca1002ed98c5059d6dd5702ed66f1d9802c9d19a

SHA256
583ab8e2f8d8a795684f51254bb9dfda26cacd53d54f911dd447c4ee293d3122

SHA512
2af876a2ed707fad1c825b3800ae8a8a907135821062466fada1dbb534e0adc583644a4b6c8da2bca8083c7f8e49189b5fdc5e2e8dc08fb8f2c53fec45ec031b

Download Submit
\Users\Admin\AppData\Local\Temp\52H52NMN5Mj8N55.exe

Filesize
111KB

MD5
a7d4b6429beed3f6d691b5c3074c3a64

SHA1
55f619d163d28c1b3ffbc1297f79e8a167d5e5dc

SHA256
f8f01e0165a0604a8bf3306c40b402f507c0d12a97bc3e2a0e0b8094e3a48abc

SHA512
3871f2906ab980f7a4fee8578cefa590b88c820bb380b8b9e8c5261bc28936b229616d0dc4660f0dbcf0f0baaafc9f4a0f5c660b8517c444d5195494cd4cf5ab

Download Submit
\Users\Admin\AppData\Local\Temp\52H52NMN5Mj8N55.exe

Filesize
111KB

MD5
a7d4b6429beed3f6d691b5c3074c3a64

SHA1
55f619d163d28c1b3ffbc1297f79e8a167d5e5dc

SHA256
f8f01e0165a0604a8bf3306c40b402f507c0d12a97bc3e2a0e0b8094e3a48abc

SHA512
3871f2906ab980f7a4fee8578cefa590b88c820bb380b8b9e8c5261bc28936b229616d0dc4660f0dbcf0f0baaafc9f4a0f5c660b8517c444d5195494cd4cf5ab

Download Submit
memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing