f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7

General

Target

f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe
Size

55KB
MD5

d2eb4797765c7c23d929b3e366dd14e4
SHA1

dd98e36855a1d4892a7504e4f9da4b5f1437d5fe
SHA256

f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7
SHA512

cda98b8b71a3669c3b6ee60e5023285b7f408263834a9c269194ebaddc1b66d90ef43aac550584975035f0d09faf7183b2613d4500184dda0af218311dd4cc48
SSDEEP

768:d/OwWsekp55agHcMnGPrLmIdPu0ZVQ9u9qI2AbS5nzPzVantS8YzXBR:MwWm55ag8eGPrLmKW0jh9qvKqLZYUFrn

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1888	pot2.exe
1448	pot1.exe

Loads dropped DLL 4 IoCs

pid	Process
1280	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe
1280	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe
1280	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe
1280	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1888	pot2.exe
1448	pot1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	pot1.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 1888	1280	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe	28
PID 1280 wrote to memory of 1888	1280	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe	28
PID 1280 wrote to memory of 1888	1280	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe	28
PID 1280 wrote to memory of 1888	1280	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe	28
PID 1280 wrote to memory of 1448	1280	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe	29
PID 1280 wrote to memory of 1448	1280	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe	29
PID 1280 wrote to memory of 1448	1280	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe	29
PID 1280 wrote to memory of 1448	1280	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe	29
PID 1888 wrote to memory of 1372	1888	pot2.exe	15
PID 1448 wrote to memory of 1372	1448	pot1.exe	15
PID 1448 wrote to memory of 1372	1448	pot1.exe	15
PID 1448 wrote to memory of 1372	1448	pot1.exe	15
PID 1448 wrote to memory of 1372	1448	pot1.exe	15
PID 1448 wrote to memory of 1372	1448	pot1.exe	15
PID 1448 wrote to memory of 1372	1448	pot1.exe	15
PID 1448 wrote to memory of 1372	1448	pot1.exe	15
PID 1448 wrote to memory of 1372	1448	pot1.exe	15
PID 1448 wrote to memory of 1372	1448	pot1.exe	15
PID 1448 wrote to memory of 1372	1448	pot1.exe	15
PID 1448 wrote to memory of 1372	1448	pot1.exe	15
PID 1888 wrote to memory of 1372	1888	pot2.exe	15
PID 1888 wrote to memory of 1372	1888	pot2.exe	15
PID 1888 wrote to memory of 1372	1888	pot2.exe	15
PID 1888 wrote to memory of 1372	1888	pot2.exe	15
PID 1888 wrote to memory of 1372	1888	pot2.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1372
- C:\Users\Admin\AppData\Local\Temp\f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe
  "C:\Users\Admin\AppData\Local\Temp\f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\pot2.exe
    "C:\Users\Admin\AppData\Local\Temp\pot2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1888
- - C:\Users\Admin\AppData\Local\Temp\pot1.exe
    "C:\Users\Admin\AppData\Local\Temp\pot1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pot1.exe

Filesize
7KB

MD5
44d227f1ef61878bce63ad2e57760587

SHA1
d40166ac2a5586113714e673ce06aae54ba2c23e

SHA256
9b37ecfb8dd359ebf768d28552468a27f29feaeb7c329ea860421831b847f259

SHA512
584bae3155295dede7f00ee1c9b7480742de3e8bfc94d148133e0b6852635d7f40992c72d5556e2c3a6ec4236199edc639dfa6f3d86ed284dd1aab619eb241c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pot2.exe

Filesize
39KB

MD5
48f691058624600917fbc74b82ce2abb

SHA1
bbe12df62240e776f389079e3985c6fde62eb0e6

SHA256
85a3cce3d5dfe8d62702c0c49f261794a7980d2fbaec7904a8b21e8f0cc48dbb

SHA512
630ab939ac1cbe2389539182dc8c177081621834e1f0eb0bbe10592e1f42c8d96d1a71e5c409903ef3f52750deed37dda8aafa2d04153e12b25bc674acec08e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pot2.exe

Filesize
39KB

MD5
48f691058624600917fbc74b82ce2abb

SHA1
bbe12df62240e776f389079e3985c6fde62eb0e6

SHA256
85a3cce3d5dfe8d62702c0c49f261794a7980d2fbaec7904a8b21e8f0cc48dbb

SHA512
630ab939ac1cbe2389539182dc8c177081621834e1f0eb0bbe10592e1f42c8d96d1a71e5c409903ef3f52750deed37dda8aafa2d04153e12b25bc674acec08e7

Download Submit
\Users\Admin\AppData\Local\Temp\pot1.exe

Filesize
7KB

MD5
44d227f1ef61878bce63ad2e57760587

SHA1
d40166ac2a5586113714e673ce06aae54ba2c23e

SHA256
9b37ecfb8dd359ebf768d28552468a27f29feaeb7c329ea860421831b847f259

SHA512
584bae3155295dede7f00ee1c9b7480742de3e8bfc94d148133e0b6852635d7f40992c72d5556e2c3a6ec4236199edc639dfa6f3d86ed284dd1aab619eb241c8

Download Submit
\Users\Admin\AppData\Local\Temp\pot1.exe

Filesize
7KB

MD5
44d227f1ef61878bce63ad2e57760587

SHA1
d40166ac2a5586113714e673ce06aae54ba2c23e

SHA256
9b37ecfb8dd359ebf768d28552468a27f29feaeb7c329ea860421831b847f259

SHA512
584bae3155295dede7f00ee1c9b7480742de3e8bfc94d148133e0b6852635d7f40992c72d5556e2c3a6ec4236199edc639dfa6f3d86ed284dd1aab619eb241c8

Download Submit
\Users\Admin\AppData\Local\Temp\pot2.exe

Filesize
39KB

MD5
48f691058624600917fbc74b82ce2abb

SHA1
bbe12df62240e776f389079e3985c6fde62eb0e6

SHA256
85a3cce3d5dfe8d62702c0c49f261794a7980d2fbaec7904a8b21e8f0cc48dbb

SHA512
630ab939ac1cbe2389539182dc8c177081621834e1f0eb0bbe10592e1f42c8d96d1a71e5c409903ef3f52750deed37dda8aafa2d04153e12b25bc674acec08e7

Download Submit
\Users\Admin\AppData\Local\Temp\pot2.exe

Filesize
39KB

MD5
48f691058624600917fbc74b82ce2abb

SHA1
bbe12df62240e776f389079e3985c6fde62eb0e6

SHA256
85a3cce3d5dfe8d62702c0c49f261794a7980d2fbaec7904a8b21e8f0cc48dbb

SHA512
630ab939ac1cbe2389539182dc8c177081621834e1f0eb0bbe10592e1f42c8d96d1a71e5c409903ef3f52750deed37dda8aafa2d04153e12b25bc674acec08e7

Download Submit
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1372-65-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1372-69-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1888-67-0x0000000000400000-0x000000000040AE30-memory.dmp

Filesize
43KB

Download
memory/1888-68-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing