ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7

General

Target

ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe
Size

126KB
MD5

91e5bf64c9c8c4332cf188efb7de80d0
SHA1

fb8562f2a8d84b6e0c411c381fe64383f6a7e475
SHA256

ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7
SHA512

0749c89d0cfe91f6c7c474aed05f16b7f41cbfffda4e5f3408c490e11d9c4da741a458b8d91f95f574c252cbeb502ba8d833d0731e59ab744aacfb4001314895
SSDEEP

3072:8dwEcppl69FPQpNPQ6//sdFLvQeiN32++6xU+fh370k3hdAf:imppl69Q//sGF+Kp170k3hY

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
480	r.exe
1512	r.exe7099543na.exe

Loads dropped DLL 3 IoCs

pid	Process
904	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe
480	r.exe
480	r.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityid.dll	r.exe7099543na.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityid.dll.tlb	r.exe7099543na.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityid.dll.move.tlb	r.exe7099543na.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityid.dll.right.tlb	r.exe7099543na.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
904	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe
1512	r.exe7099543na.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\win	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe
File created	C:\Program Files (x86)\r.exe	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe
File created	C:\Program Files (x86)\r.exe7099543na.exe	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe
File opened for modification	C:\Program Files (x86)\r.exe7099543na.exe	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
904	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe
1512	r.exe7099543na.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 480	904	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe	28
PID 904 wrote to memory of 480	904	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe	28
PID 904 wrote to memory of 480	904	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe	28
PID 904 wrote to memory of 480	904	ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe	28
PID 480 wrote to memory of 1512	480	r.exe	30
PID 480 wrote to memory of 1512	480	r.exe	30
PID 480 wrote to memory of 1512	480	r.exe	30
PID 480 wrote to memory of 1512	480	r.exe	30

C:\Users\Admin\AppData\Local\Temp\ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe
"C:\Users\Admin\AppData\Local\Temp\ab6a767e1c52b69ed14102dc664f7496322796add2b9dacbb3ea84045a2934a7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:904
- C:\Program Files (x86)\r.exe
  cmd /c "C:\Program Files (x86)\r.exe7099543na.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:480
- - C:\Program Files (x86)\r.exe7099543na.exe
    "C:\Program Files (x86)\r.exe7099543na.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1512

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\r.exe

Filesize
295KB

MD5
ad7b9c14083b52bc532fba5948342b98

SHA1
ee8cbf12d87c4d388f09b4f69bed2e91682920b5

SHA256
17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

SHA512
e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

Download Submit
C:\Program Files (x86)\r.exe7099543na.exe

Filesize
114KB

MD5
cec0558edd55364d25e7a5f690352776

SHA1
185e0704fecd0f96467aff3b5cb7db5c32895a4c

SHA256
537c6aeff3e5fefcd1b55920b6662261a579ea753540193295c872454760ad3a

SHA512
1091286fada69f5ea29adada4751f9530bbd9636c09e77b8f66d81910ff0350be3e450487b1867e8c2b66bbbfffeec9f56ee764162cfb9571c3051571977a7f8

Download Submit
C:\Program Files (x86)\r.exe7099543na.exe

Filesize
114KB

MD5
cec0558edd55364d25e7a5f690352776

SHA1
185e0704fecd0f96467aff3b5cb7db5c32895a4c

SHA256
537c6aeff3e5fefcd1b55920b6662261a579ea753540193295c872454760ad3a

SHA512
1091286fada69f5ea29adada4751f9530bbd9636c09e77b8f66d81910ff0350be3e450487b1867e8c2b66bbbfffeec9f56ee764162cfb9571c3051571977a7f8

Download Submit
\Program Files (x86)\r.exe

Filesize
295KB

MD5
ad7b9c14083b52bc532fba5948342b98

SHA1
ee8cbf12d87c4d388f09b4f69bed2e91682920b5

SHA256
17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

SHA512
e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

Download Submit
\Program Files (x86)\r.exe7099543na.exe

Filesize
114KB

MD5
cec0558edd55364d25e7a5f690352776

SHA1
185e0704fecd0f96467aff3b5cb7db5c32895a4c

SHA256
537c6aeff3e5fefcd1b55920b6662261a579ea753540193295c872454760ad3a

SHA512
1091286fada69f5ea29adada4751f9530bbd9636c09e77b8f66d81910ff0350be3e450487b1867e8c2b66bbbfffeec9f56ee764162cfb9571c3051571977a7f8

Download Submit
\Program Files (x86)\r.exe7099543na.exe

Filesize
114KB

MD5
cec0558edd55364d25e7a5f690352776

SHA1
185e0704fecd0f96467aff3b5cb7db5c32895a4c

SHA256
537c6aeff3e5fefcd1b55920b6662261a579ea753540193295c872454760ad3a

SHA512
1091286fada69f5ea29adada4751f9530bbd9636c09e77b8f66d81910ff0350be3e450487b1867e8c2b66bbbfffeec9f56ee764162cfb9571c3051571977a7f8

Download Submit
memory/480-65-0x0000000000100000-0x000000000011E000-memory.dmp

Filesize
120KB

Download
memory/904-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/904-55-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1512-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing