d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435

General

Target

d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe
Size

481KB
MD5

c48f179e0015278c3e1c35c23918e395
SHA1

20f47f3051d785604692115c92715d6edbafa47b
SHA256

d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435
SHA512

de8dc3dac71eb06134cc21bca8effdbd915fb0fbdbb404311a180498c453e53daf02a19b0c4d6953e31932a446b9212c7f85c6794e9aff8ec56e8819539db393
SSDEEP

12288:DDNkFa5fF7RTX979xwJyTW7DsVpCSmGiHyJC+S8h:DJ+gF1tTyyTW7Cp13C0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1840	pcrypted.exe
1916	brute.exe

Loads dropped DLL 4 IoCs

pid	Process
1616	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe
1616	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe
1616	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe
1616	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 656 set thread context of 1616	656	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1916	brute.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1916	brute.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 1616	656	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe	28
PID 656 wrote to memory of 1616	656	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe	28
PID 656 wrote to memory of 1616	656	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe	28
PID 656 wrote to memory of 1616	656	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe	28
PID 656 wrote to memory of 1616	656	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe	28
PID 656 wrote to memory of 1616	656	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe	28
PID 1616 wrote to memory of 1840	1616	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe	29
PID 1616 wrote to memory of 1840	1616	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe	29
PID 1616 wrote to memory of 1840	1616	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe	29
PID 1616 wrote to memory of 1840	1616	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe	29
PID 1616 wrote to memory of 1916	1616	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe	30
PID 1616 wrote to memory of 1916	1616	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe	30
PID 1616 wrote to memory of 1916	1616	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe	30
PID 1616 wrote to memory of 1916	1616	d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe	30

C:\Users\Admin\AppData\Local\Temp\d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe
"C:\Users\Admin\AppData\Local\Temp\d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:656
- C:\Users\Admin\AppData\Local\Temp\d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe
  C:\Users\Admin\AppData\Local\Temp\d34a401fe354334c503f721eba569d9200115cf413bb0a76d336c584a13f8435.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\pcrypted.exe
    "C:\Users\Admin\AppData\Local\Temp\pcrypted.exe"
    3⤵
    - Executes dropped EXE
    PID:1840
- - C:\Users\Admin\AppData\Local\Temp\brute.exe
    "C:\Users\Admin\AppData\Local\Temp\brute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\brute.exe

Filesize
38KB

MD5
1db91636706ae1b96dcfd4f6da627513

SHA1
cc906db45a067ba906ee3f0bfe9037758f2b925a

SHA256
4f9d7e8a79396191bd55cf48323038a1fcc486aa1ae32b8f2cc0ed54a3452208

SHA512
f515498b48c320f7da7902f9c3c641813c028a3423f688353249de62da03df57bcbdc3189d1cbbf9257acc34574bc534a1010403c4edbe0df26835b39ac53a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrypted.exe

Filesize
73KB

MD5
bdbf620bc6b82316af1beb51d9596f9a

SHA1
58a41d2205991d093003eaa7dba6e1cf4553ac77

SHA256
100536f36c32d1392cfa18490cad9f490a2021c61c88cd65d14b2ceeed22be6c

SHA512
3b71c0023cf49b6846410598ef5f338008ed9d433031612026fa4221af1763d70e94a2e5a6c5caa60ef60ff632b602a967e2148d17682d6ab0336dd7a615d0de

Download Submit
\Users\Admin\AppData\Local\Temp\brute.exe

Filesize
38KB

MD5
1db91636706ae1b96dcfd4f6da627513

SHA1
cc906db45a067ba906ee3f0bfe9037758f2b925a

SHA256
4f9d7e8a79396191bd55cf48323038a1fcc486aa1ae32b8f2cc0ed54a3452208

SHA512
f515498b48c320f7da7902f9c3c641813c028a3423f688353249de62da03df57bcbdc3189d1cbbf9257acc34574bc534a1010403c4edbe0df26835b39ac53a6e

Download Submit
\Users\Admin\AppData\Local\Temp\brute.exe

Filesize
38KB

MD5
1db91636706ae1b96dcfd4f6da627513

SHA1
cc906db45a067ba906ee3f0bfe9037758f2b925a

SHA256
4f9d7e8a79396191bd55cf48323038a1fcc486aa1ae32b8f2cc0ed54a3452208

SHA512
f515498b48c320f7da7902f9c3c641813c028a3423f688353249de62da03df57bcbdc3189d1cbbf9257acc34574bc534a1010403c4edbe0df26835b39ac53a6e

Download Submit
\Users\Admin\AppData\Local\Temp\pcrypted.exe

Filesize
73KB

MD5
bdbf620bc6b82316af1beb51d9596f9a

SHA1
58a41d2205991d093003eaa7dba6e1cf4553ac77

SHA256
100536f36c32d1392cfa18490cad9f490a2021c61c88cd65d14b2ceeed22be6c

SHA512
3b71c0023cf49b6846410598ef5f338008ed9d433031612026fa4221af1763d70e94a2e5a6c5caa60ef60ff632b602a967e2148d17682d6ab0336dd7a615d0de

Download Submit
\Users\Admin\AppData\Local\Temp\pcrypted.exe

Filesize
73KB

MD5
bdbf620bc6b82316af1beb51d9596f9a

SHA1
58a41d2205991d093003eaa7dba6e1cf4553ac77

SHA256
100536f36c32d1392cfa18490cad9f490a2021c61c88cd65d14b2ceeed22be6c

SHA512
3b71c0023cf49b6846410598ef5f338008ed9d433031612026fa4221af1763d70e94a2e5a6c5caa60ef60ff632b602a967e2148d17682d6ab0336dd7a615d0de

Download Submit
memory/1616-59-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1616-54-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1616-65-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1616-64-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1616-58-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/1616-56-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1616-70-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1840-66-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing