9865e5182d626fc9129f21c80876f9a370c1f2ea88d266a86daebb30bdbaa46f

General

Target

9865e5182d626fc9129f21c80876f9a370c1f2ea88d266a86daebb30bdbaa46f.exe
Size

115KB
MD5

9ab704f141a002a06f39b56125347661
SHA1

4fb671f7eab79b451a08048fbcd406a5b11b43d9
SHA256

9865e5182d626fc9129f21c80876f9a370c1f2ea88d266a86daebb30bdbaa46f
SHA512

472365de5f86515d1de534bcde30a6f5a1725ecdfc5b9d329e997e575d07d3823ffe1776fe1acba99dd2f85d17b8fc53839fb7bdf290628429837cc29fa74d46
SSDEEP

1536:/b6+xLX1qiIm+JoWrpDji1ccoM34TfZYXTB4jOnG1kwg6MKvqXXGqRlyAox0H1PN:uOLX1+5XJjRM34tYX3TKvqXWYyAv1GBQ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
896	se.exe
1276	se.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 896 set thread context of 1276	896	se.exe	28

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\se.exe	9865e5182d626fc9129f21c80876f9a370c1f2ea88d266a86daebb30bdbaa46f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1276	se.exe
1276	se.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1600	9865e5182d626fc9129f21c80876f9a370c1f2ea88d266a86daebb30bdbaa46f.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 896	1600	9865e5182d626fc9129f21c80876f9a370c1f2ea88d266a86daebb30bdbaa46f.exe	27
PID 1600 wrote to memory of 896	1600	9865e5182d626fc9129f21c80876f9a370c1f2ea88d266a86daebb30bdbaa46f.exe	27
PID 1600 wrote to memory of 896	1600	9865e5182d626fc9129f21c80876f9a370c1f2ea88d266a86daebb30bdbaa46f.exe	27
PID 1600 wrote to memory of 896	1600	9865e5182d626fc9129f21c80876f9a370c1f2ea88d266a86daebb30bdbaa46f.exe	27
PID 896 wrote to memory of 1276	896	se.exe	28
PID 896 wrote to memory of 1276	896	se.exe	28
PID 896 wrote to memory of 1276	896	se.exe	28
PID 896 wrote to memory of 1276	896	se.exe	28
PID 896 wrote to memory of 1276	896	se.exe	28
PID 896 wrote to memory of 1276	896	se.exe	28
PID 896 wrote to memory of 1276	896	se.exe	28
PID 896 wrote to memory of 1276	896	se.exe	28
PID 896 wrote to memory of 1276	896	se.exe	28
PID 896 wrote to memory of 1276	896	se.exe	28
PID 1276 wrote to memory of 1232	1276	se.exe	16
PID 1276 wrote to memory of 1232	1276	se.exe	16
PID 1276 wrote to memory of 1232	1276	se.exe	16
PID 1276 wrote to memory of 1232	1276	se.exe	16

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\9865e5182d626fc9129f21c80876f9a370c1f2ea88d266a86daebb30bdbaa46f.exe
  "C:\Users\Admin\AppData\Local\Temp\9865e5182d626fc9129f21c80876f9a370c1f2ea88d266a86daebb30bdbaa46f.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\se.exe
    "C:\Windows\se.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Windows\se.exe
      C:\Windows\se.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\se.exe

Filesize
83KB

MD5
d414d87f33e9511eb144348c8a96ab90

SHA1
719863b4c9b4e7f37ef5a1cd067d8b3e18aa0078

SHA256
0eb50e6b7edd1919b10869ca564fb4c0aca6f172ed095ccd09ba2bb199eca4fc

SHA512
55c35a4864e493254dca8e6ad9a7d7452092c56b9084fd1d8587f766c7b20994ff4936e4d0bdf229af1e4df6e1848c4046fcb8313f6ab84660868d67e6326cba

Download Submit
C:\Windows\se.exe

Filesize
83KB

MD5
d414d87f33e9511eb144348c8a96ab90

SHA1
719863b4c9b4e7f37ef5a1cd067d8b3e18aa0078

SHA256
0eb50e6b7edd1919b10869ca564fb4c0aca6f172ed095ccd09ba2bb199eca4fc

SHA512
55c35a4864e493254dca8e6ad9a7d7452092c56b9084fd1d8587f766c7b20994ff4936e4d0bdf229af1e4df6e1848c4046fcb8313f6ab84660868d67e6326cba

Download Submit
C:\Windows\se.exe

Filesize
83KB

MD5
d414d87f33e9511eb144348c8a96ab90

SHA1
719863b4c9b4e7f37ef5a1cd067d8b3e18aa0078

SHA256
0eb50e6b7edd1919b10869ca564fb4c0aca6f172ed095ccd09ba2bb199eca4fc

SHA512
55c35a4864e493254dca8e6ad9a7d7452092c56b9084fd1d8587f766c7b20994ff4936e4d0bdf229af1e4df6e1848c4046fcb8313f6ab84660868d67e6326cba

Download Submit
memory/1232-73-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1276-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1276-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1276-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1276-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1276-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1276-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1276-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1276-76-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1276-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1600-56-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing