b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99

General

Target

b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
Size

193KB
MD5

02a7a652fee96247813573bf0b2feaec
SHA1

ccf14d62043b4f8ca75a5c78f9252c6b5e7883f5
SHA256

b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99
SHA512

ce7eb448e77196fd633017d7257cde6f97ae493dc02ba3b2de1ab08c02dbc3f51f81c0a88f3fc5290157bfb75ba85f232fc461625a3af471874e4a019d9155e8
SSDEEP

3072:99yAofxov3uxWyDTBHKt3jcS8OvbS2ih6FH7sGndT5STyXftHd/y:6PZxWe9I3jcS82uB6FHJndvVd

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
696	regedit.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 1680	320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe	27
PID 320 wrote to memory of 1680	320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe	27
PID 320 wrote to memory of 1680	320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe	27
PID 320 wrote to memory of 1680	320	b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe	27
PID 1680 wrote to memory of 696	1680	regedt32.exe	28
PID 1680 wrote to memory of 696	1680	regedt32.exe	28
PID 1680 wrote to memory of 696	1680	regedt32.exe	28
PID 1680 wrote to memory of 696	1680	regedt32.exe	28

C:\Users\Admin\AppData\Local\Temp\b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe
"C:\Users\Admin\AppData\Local\Temp\b383851804d8ded9ca6210a28455e6ceadb01685ebf915c6a5468ffcd1b9de99.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\SysWOW64\regedt32.exe
  "C:\Windows\System32\regedt32.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\regedit.exe" /s "C:\Users\Admin\Documents\Iterra\T03emp03.reg"
    3⤵
    - Runs .reg file with regedit
    PID:696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Iterra\T03emp03.reg

Filesize
217B

MD5
8de4e54296bccf7e3708e19598ae4094

SHA1
c93b011a41c8c6e54c1cd62cfaaaff8e4117566b

SHA256
71cd8b043f97f2f978cad3f6e7aa56017bbfaecd63e4ba3da080508893bec423

SHA512
9f3bff0260c17d115da06cb9ffd70a3cd42b26744faff6fd2a42dd4f4533c83c6047bd837884c738424e36a96ac4a46f4944e55a32ed75aa46f94921f602bb02

Download Submit
\Users\Admin\Documents\Iterra\zqtoaqf.dll

Filesize
42KB

MD5
2ab189d22ef09f67f6f97695153d5b8b

SHA1
6c02fa9f9b0d16cd3cbf7e7490650bfec238cdef

SHA256
823ea43243dc7e4533cf2ecde22b851ca6b6f7e730001f809416c5ab09dfd68d

SHA512
56f0a52f6621c38025159b0ebe7b0a2d3d55d68341321cc82a6910eae0173629c813272049789838dcdcf1101a839e12860cb1cc4ecae0213687c4da2d8b048a

Download Submit
memory/320-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/320-55-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/320-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/320-63-0x0000000001FC0000-0x0000000002093000-memory.dmp

Filesize
844KB

Download
memory/320-64-0x0000000001FC0000-0x0000000002093000-memory.dmp

Filesize
844KB

Download

Analysis

Sharing