c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5

General

Target

c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe
Size

137KB
MD5

12c807fa6c04c98dc8d3787801654731
SHA1

c0c806246277dfd7fd8b1531a0c826ce22b2d96f
SHA256

c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5
SHA512

9f9df6baae822bf867ac527220ea499ee887b008dde8257ee2310c6fbd0b7c6e33045ab2cdb88ff75abf7f6063f3190e56b55b721667841d946bc85118ee9016
SSDEEP

768:Jc588yB1RnUHXYuyBpVRFOrqpp1l1jKdfeRw7C9pWQNScYFWobO93JupQesBBk:Js4B1RpVRwrcl8dD5MnYTOFJxB

Score

6^/10

Malware Config

Signatures

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 1312	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 944	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	28
PID 2004 wrote to memory of 944	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	28
PID 2004 wrote to memory of 944	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	28
PID 2004 wrote to memory of 944	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	28
PID 2004 wrote to memory of 432	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	30
PID 2004 wrote to memory of 432	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	30
PID 2004 wrote to memory of 432	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	30
PID 2004 wrote to memory of 432	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	30
PID 2004 wrote to memory of 1312	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	32
PID 2004 wrote to memory of 1312	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	32
PID 2004 wrote to memory of 1312	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	32
PID 2004 wrote to memory of 1312	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	32
PID 2004 wrote to memory of 1312	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	32
PID 2004 wrote to memory of 1312	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	32
PID 2004 wrote to memory of 1312	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	32
PID 2004 wrote to memory of 1312	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	32
PID 2004 wrote to memory of 1312	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	32
PID 2004 wrote to memory of 1312	2004	c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe	32
PID 944 wrote to memory of 1520	944	net.exe	34
PID 944 wrote to memory of 1520	944	net.exe	34
PID 944 wrote to memory of 1520	944	net.exe	34
PID 944 wrote to memory of 1520	944	net.exe	34
PID 432 wrote to memory of 688	432	net.exe	33
PID 432 wrote to memory of 688	432	net.exe	33
PID 432 wrote to memory of 688	432	net.exe	33
PID 432 wrote to memory of 688	432	net.exe	33

C:\Users\Admin\AppData\Local\Temp\c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe
"C:\Users\Admin\AppData\Local\Temp\c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    PID:1520
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:688
- C:\Users\Admin\AppData\Local\Temp\c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe
  "C:\Users\Admin\AppData\Local\Temp\c7c198b18ede68171f8eca6ca2087ff41b57912e16a71ab8dec23dbf67ea50c5.exe"
  2⤵
  PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1312-61-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1312-58-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1312-59-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1312-63-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1312-66-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2004-54-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/2004-71-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/2004-55-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing