c9cdfdafba2fc88c568931c9810514f8f45bf01854a64f241b290ddba3a9395b

General

Target

c9cdfdafba2fc88c568931c9810514f8f45bf01854a64f241b290ddba3a9395b.exe
Size

116KB
MD5

76d9bbf2da7572b56e8c22814b06e7c4
SHA1

5e6ab4262678ad1b70c5ef617cf8b31e355ee3b9
SHA256

c9cdfdafba2fc88c568931c9810514f8f45bf01854a64f241b290ddba3a9395b
SHA512

fef09ea9550325912ae5792d134e7320d99850c8fcd5f19b2a9500c2cbef638868addc1fea21dc0f0e60081ed8c3dd3cac20e9bd7e203ef20385dbb84bfd4316
SSDEEP

1536:/Ek5wbjXYXKXdPXk6rCL2mvqXYXKXdPXkbr:fAIaNPUaCKaqIaNPU/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1324	services.exe

Loads dropped DLL 5 IoCs

pid	Process
1464	c9cdfdafba2fc88c568931c9810514f8f45bf01854a64f241b290ddba3a9395b.exe
1464	c9cdfdafba2fc88c568931c9810514f8f45bf01854a64f241b290ddba3a9395b.exe
1324	services.exe
1324	services.exe
1324	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1464	c9cdfdafba2fc88c568931c9810514f8f45bf01854a64f241b290ddba3a9395b.exe
1324	services.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1324	1464	c9cdfdafba2fc88c568931c9810514f8f45bf01854a64f241b290ddba3a9395b.exe	26
PID 1464 wrote to memory of 1324	1464	c9cdfdafba2fc88c568931c9810514f8f45bf01854a64f241b290ddba3a9395b.exe	26
PID 1464 wrote to memory of 1324	1464	c9cdfdafba2fc88c568931c9810514f8f45bf01854a64f241b290ddba3a9395b.exe	26
PID 1464 wrote to memory of 1324	1464	c9cdfdafba2fc88c568931c9810514f8f45bf01854a64f241b290ddba3a9395b.exe	26
PID 1464 wrote to memory of 1324	1464	c9cdfdafba2fc88c568931c9810514f8f45bf01854a64f241b290ddba3a9395b.exe	26
PID 1464 wrote to memory of 1324	1464	c9cdfdafba2fc88c568931c9810514f8f45bf01854a64f241b290ddba3a9395b.exe	26
PID 1464 wrote to memory of 1324	1464	c9cdfdafba2fc88c568931c9810514f8f45bf01854a64f241b290ddba3a9395b.exe	26

C:\Users\Admin\AppData\Local\Temp\c9cdfdafba2fc88c568931c9810514f8f45bf01854a64f241b290ddba3a9395b.exe
"C:\Users\Admin\AppData\Local\Temp\c9cdfdafba2fc88c568931c9810514f8f45bf01854a64f241b290ddba3a9395b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\services.exe
  "C:\Users\Admin\AppData\Local\Temp\services.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\services.exe

Filesize
88KB

MD5
5c384a2b88d6f036f07998530ac404f7

SHA1
108b7116a44e04f594ac5014d63fd29609062532

SHA256
b89e7fa8e5b9bd9ff5163fedbc162758c407c94d378d5b9da8476a1d2379b954

SHA512
d7d266da687416ed1233c4cc75b19685ecebfc9eba900fe9fa7ea841a02d282ac5aaa4712c025574de0639c88ce8697a996f6a00f2c08e63f0deddcde467f26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\services.exe

Filesize
88KB

MD5
5c384a2b88d6f036f07998530ac404f7

SHA1
108b7116a44e04f594ac5014d63fd29609062532

SHA256
b89e7fa8e5b9bd9ff5163fedbc162758c407c94d378d5b9da8476a1d2379b954

SHA512
d7d266da687416ed1233c4cc75b19685ecebfc9eba900fe9fa7ea841a02d282ac5aaa4712c025574de0639c88ce8697a996f6a00f2c08e63f0deddcde467f26a

Download Submit
\Users\Admin\AppData\Local\Temp\services.exe

Filesize
88KB

MD5
5c384a2b88d6f036f07998530ac404f7

SHA1
108b7116a44e04f594ac5014d63fd29609062532

SHA256
b89e7fa8e5b9bd9ff5163fedbc162758c407c94d378d5b9da8476a1d2379b954

SHA512
d7d266da687416ed1233c4cc75b19685ecebfc9eba900fe9fa7ea841a02d282ac5aaa4712c025574de0639c88ce8697a996f6a00f2c08e63f0deddcde467f26a

Download Submit
\Users\Admin\AppData\Local\Temp\services.exe

Filesize
88KB

MD5
5c384a2b88d6f036f07998530ac404f7

SHA1
108b7116a44e04f594ac5014d63fd29609062532

SHA256
b89e7fa8e5b9bd9ff5163fedbc162758c407c94d378d5b9da8476a1d2379b954

SHA512
d7d266da687416ed1233c4cc75b19685ecebfc9eba900fe9fa7ea841a02d282ac5aaa4712c025574de0639c88ce8697a996f6a00f2c08e63f0deddcde467f26a

Download Submit
\Users\Admin\AppData\Local\Temp\services.exe

Filesize
88KB

MD5
5c384a2b88d6f036f07998530ac404f7

SHA1
108b7116a44e04f594ac5014d63fd29609062532

SHA256
b89e7fa8e5b9bd9ff5163fedbc162758c407c94d378d5b9da8476a1d2379b954

SHA512
d7d266da687416ed1233c4cc75b19685ecebfc9eba900fe9fa7ea841a02d282ac5aaa4712c025574de0639c88ce8697a996f6a00f2c08e63f0deddcde467f26a

Download Submit
\Users\Admin\AppData\Local\Temp\services.exe

Filesize
88KB

MD5
5c384a2b88d6f036f07998530ac404f7

SHA1
108b7116a44e04f594ac5014d63fd29609062532

SHA256
b89e7fa8e5b9bd9ff5163fedbc162758c407c94d378d5b9da8476a1d2379b954

SHA512
d7d266da687416ed1233c4cc75b19685ecebfc9eba900fe9fa7ea841a02d282ac5aaa4712c025574de0639c88ce8697a996f6a00f2c08e63f0deddcde467f26a

Download Submit
\Users\Admin\AppData\Local\Temp\services.exe

Filesize
88KB

MD5
5c384a2b88d6f036f07998530ac404f7

SHA1
108b7116a44e04f594ac5014d63fd29609062532

SHA256
b89e7fa8e5b9bd9ff5163fedbc162758c407c94d378d5b9da8476a1d2379b954

SHA512
d7d266da687416ed1233c4cc75b19685ecebfc9eba900fe9fa7ea841a02d282ac5aaa4712c025574de0639c88ce8697a996f6a00f2c08e63f0deddcde467f26a

Download Submit
memory/1464-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing