bf7b73b029c88b1d43c27ad7818edbc6fc3ce64c9ebe10cfa6a8152ac7a1dff1

General

Target

bf7b73b029c88b1d43c27ad7818edbc6fc3ce64c9ebe10cfa6a8152ac7a1dff1.exe
Size

56KB
MD5

16fd32cc1bd0efeafab4e7fe5da384fc
SHA1

a85c1dd27db2a180ab72dc807403bf114b6afda0
SHA256

bf7b73b029c88b1d43c27ad7818edbc6fc3ce64c9ebe10cfa6a8152ac7a1dff1
SHA512

f5cb7b9d03d19b4efedd546a038170ac56180e5c27ddbf4e6b6e51dbeafad0d84a5b4a8573dab15c6b82565f76560a5e450d188cbd0502f98803d115f87a7377
SSDEEP

768:/EFi+h7TzTBziifTeiZSVWihwEknh0L7OTLeNfQfNH2SzF:/yZ/nEkh8OTKNnS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1568	server (2).exe

Loads dropped DLL 4 IoCs

pid	Process
1956	bf7b73b029c88b1d43c27ad7818edbc6fc3ce64c9ebe10cfa6a8152ac7a1dff1.exe
1956	bf7b73b029c88b1d43c27ad7818edbc6fc3ce64c9ebe10cfa6a8152ac7a1dff1.exe
1956	bf7b73b029c88b1d43c27ad7818edbc6fc3ce64c9ebe10cfa6a8152ac7a1dff1.exe
1956	bf7b73b029c88b1d43c27ad7818edbc6fc3ce64c9ebe10cfa6a8152ac7a1dff1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1568	server (2).exe
1568	server (2).exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1956	bf7b73b029c88b1d43c27ad7818edbc6fc3ce64c9ebe10cfa6a8152ac7a1dff1.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1568	1956	bf7b73b029c88b1d43c27ad7818edbc6fc3ce64c9ebe10cfa6a8152ac7a1dff1.exe	27
PID 1956 wrote to memory of 1568	1956	bf7b73b029c88b1d43c27ad7818edbc6fc3ce64c9ebe10cfa6a8152ac7a1dff1.exe	27
PID 1956 wrote to memory of 1568	1956	bf7b73b029c88b1d43c27ad7818edbc6fc3ce64c9ebe10cfa6a8152ac7a1dff1.exe	27
PID 1956 wrote to memory of 1568	1956	bf7b73b029c88b1d43c27ad7818edbc6fc3ce64c9ebe10cfa6a8152ac7a1dff1.exe	27
PID 1568 wrote to memory of 1296	1568	server (2).exe	15
PID 1568 wrote to memory of 1296	1568	server (2).exe	15
PID 1568 wrote to memory of 1296	1568	server (2).exe	15
PID 1568 wrote to memory of 1296	1568	server (2).exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1296
- C:\Users\Admin\AppData\Local\Temp\bf7b73b029c88b1d43c27ad7818edbc6fc3ce64c9ebe10cfa6a8152ac7a1dff1.exe
  "C:\Users\Admin\AppData\Local\Temp\bf7b73b029c88b1d43c27ad7818edbc6fc3ce64c9ebe10cfa6a8152ac7a1dff1.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\server (2).exe
    "C:\Users\Admin\AppData\Local\Temp\server (2).exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server (2).exe

Filesize
31KB

MD5
d04b0ec32b1e9b6ed135be939a7ec99d

SHA1
55b87fc895ab00c74143746b682ddc1ae4038db2

SHA256
b920703a28ebc05a15f777357df83c0b8af15acff9f8c04c953ba2c66108ca0b

SHA512
8476e72ed6a262f3c651a52107e591e9f92046b883c4b4e262f663f1a6faefcb39319027661eade921fc24f9ec8ab003e2eebdcff2b8e522ad80b4e7707dcd99

Download Submit
C:\Users\Admin\AppData\Local\Temp\server (2).exe

Filesize
31KB

MD5
d04b0ec32b1e9b6ed135be939a7ec99d

SHA1
55b87fc895ab00c74143746b682ddc1ae4038db2

SHA256
b920703a28ebc05a15f777357df83c0b8af15acff9f8c04c953ba2c66108ca0b

SHA512
8476e72ed6a262f3c651a52107e591e9f92046b883c4b4e262f663f1a6faefcb39319027661eade921fc24f9ec8ab003e2eebdcff2b8e522ad80b4e7707dcd99

Download Submit
\Users\Admin\AppData\Local\Temp\server (2).exe

Filesize
31KB

MD5
d04b0ec32b1e9b6ed135be939a7ec99d

SHA1
55b87fc895ab00c74143746b682ddc1ae4038db2

SHA256
b920703a28ebc05a15f777357df83c0b8af15acff9f8c04c953ba2c66108ca0b

SHA512
8476e72ed6a262f3c651a52107e591e9f92046b883c4b4e262f663f1a6faefcb39319027661eade921fc24f9ec8ab003e2eebdcff2b8e522ad80b4e7707dcd99

Download Submit
\Users\Admin\AppData\Local\Temp\server (2).exe

Filesize
31KB

MD5
d04b0ec32b1e9b6ed135be939a7ec99d

SHA1
55b87fc895ab00c74143746b682ddc1ae4038db2

SHA256
b920703a28ebc05a15f777357df83c0b8af15acff9f8c04c953ba2c66108ca0b

SHA512
8476e72ed6a262f3c651a52107e591e9f92046b883c4b4e262f663f1a6faefcb39319027661eade921fc24f9ec8ab003e2eebdcff2b8e522ad80b4e7707dcd99

Download Submit
\Users\Admin\AppData\Local\Temp\server (2).exe

Filesize
31KB

MD5
d04b0ec32b1e9b6ed135be939a7ec99d

SHA1
55b87fc895ab00c74143746b682ddc1ae4038db2

SHA256
b920703a28ebc05a15f777357df83c0b8af15acff9f8c04c953ba2c66108ca0b

SHA512
8476e72ed6a262f3c651a52107e591e9f92046b883c4b4e262f663f1a6faefcb39319027661eade921fc24f9ec8ab003e2eebdcff2b8e522ad80b4e7707dcd99

Download Submit
\Users\Admin\AppData\Local\Temp\server (2).exe

Filesize
31KB

MD5
d04b0ec32b1e9b6ed135be939a7ec99d

SHA1
55b87fc895ab00c74143746b682ddc1ae4038db2

SHA256
b920703a28ebc05a15f777357df83c0b8af15acff9f8c04c953ba2c66108ca0b

SHA512
8476e72ed6a262f3c651a52107e591e9f92046b883c4b4e262f663f1a6faefcb39319027661eade921fc24f9ec8ab003e2eebdcff2b8e522ad80b4e7707dcd99

Download Submit
memory/1296-70-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1568-67-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1568-73-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1568-74-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1956-56-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1956-63-0x0000000004680000-0x0000000004689000-memory.dmp

Filesize
36KB

Download
memory/1956-64-0x0000000004680000-0x0000000004689000-memory.dmp

Filesize
36KB

Download
memory/1956-65-0x00000000046A0000-0x00000000046A9000-memory.dmp

Filesize
36KB

Download
memory/1956-66-0x00000000046A0000-0x00000000046A9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing