6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477

General

Target

6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe
Size

2.5MB
MD5

0ae7659bd7a8800b6ad15a3a81fcf9dd
SHA1

293f2f7646fbb5e185875801fc0e9b752605e6e3
SHA256

6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477
SHA512

b89d97aef896ca484bf4f97921fc33aee6ddc3ed8965e345e6f89aabb935a9825f93cb5c1315d86a799d4c4bfd95d8a97aef22a2c7ed40361477e6eeb5fccaea
SSDEEP

49152:R/IX5nW5F74ptESnWBDSct9zNaPEcGfXTUEDjasY6DwOBfrnvV7UeWtdZ:R/AaF0dID+ifXTU0dYiwOBpIeWJ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1112	6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe

Loads dropped DLL 4 IoCs

pid	Process
1928	6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe
1112	6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe
1112	6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe
1112	6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1112	6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1112	6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1112	1928	6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe	26
PID 1928 wrote to memory of 1112	1928	6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe	26
PID 1928 wrote to memory of 1112	1928	6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe	26
PID 1928 wrote to memory of 1112	1928	6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe	26

C:\Users\Admin\AppData\Local\Temp\6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe
"C:\Users\Admin\AppData\Local\Temp\6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\hnb5hob4.lnt\6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe
  "C:\Users\Admin\AppData\Local\Temp\hnb5hob4.lnt\6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hnb5hob4.lnt\6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe

Filesize
2.4MB

MD5
c3e10bf0d65fdf68b4764697d4d6b33d

SHA1
f80947121ac59a173cbd1683a954b1f50ec37f74

SHA256
7b3559ee4bba5f48e2f8ccd18c395c4f941971ee8f425554f0a8729feaf9ad6a

SHA512
96e5b6b0c6dfe09bff91b9b0b00b8ac03ccf712c56b7fe7ca4ff5ce6bc7a0f5d972e7302be9e5f0b76417408bd61b421dc8fa9ea2bddcefb7547cc070f876653

Download Submit
C:\Users\Admin\AppData\Local\Temp\hnb5hob4.lnt\6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe

Filesize
2.4MB

MD5
c3e10bf0d65fdf68b4764697d4d6b33d

SHA1
f80947121ac59a173cbd1683a954b1f50ec37f74

SHA256
7b3559ee4bba5f48e2f8ccd18c395c4f941971ee8f425554f0a8729feaf9ad6a

SHA512
96e5b6b0c6dfe09bff91b9b0b00b8ac03ccf712c56b7fe7ca4ff5ce6bc7a0f5d972e7302be9e5f0b76417408bd61b421dc8fa9ea2bddcefb7547cc070f876653

Download Submit
\Users\Admin\AppData\Local\Temp\hnb5hob4.lnt\6e03528ce894656ff07e06cf3c0ee280fcd1a59b5f543f07cc2d23309554a477.exe

Filesize
2.4MB

MD5
c3e10bf0d65fdf68b4764697d4d6b33d

SHA1
f80947121ac59a173cbd1683a954b1f50ec37f74

SHA256
7b3559ee4bba5f48e2f8ccd18c395c4f941971ee8f425554f0a8729feaf9ad6a

SHA512
96e5b6b0c6dfe09bff91b9b0b00b8ac03ccf712c56b7fe7ca4ff5ce6bc7a0f5d972e7302be9e5f0b76417408bd61b421dc8fa9ea2bddcefb7547cc070f876653

Download Submit
\Users\Admin\AppData\Local\Temp\hnb5hob4.lnt\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
\Users\Admin\AppData\Local\Temp\hnb5hob4.lnt\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
\Users\Admin\AppData\Local\Temp\hnb5hob4.lnt\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
memory/1112-73-0x0000000075C10000-0x0000000075C57000-memory.dmp

Filesize
284KB

Download
memory/1112-70-0x00000000762B0000-0x0000000076EFA000-memory.dmp

Filesize
12.3MB

Download
memory/1112-63-0x0000000000DF0000-0x0000000000EF8000-memory.dmp

Filesize
1.0MB

Download
memory/1112-65-0x0000000077260000-0x000000007730C000-memory.dmp

Filesize
688KB

Download
memory/1112-66-0x0000000075C10000-0x0000000075C57000-memory.dmp

Filesize
284KB

Download
memory/1112-67-0x0000000076250000-0x00000000762A7000-memory.dmp

Filesize
348KB

Download
memory/1112-69-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/1112-68-0x0000000075330000-0x0000000075339000-memory.dmp

Filesize
36KB

Download
memory/1112-71-0x0000000000DF0000-0x0000000000EF8000-memory.dmp

Filesize
1.0MB

Download
memory/1112-72-0x00000000006E0000-0x000000000071D000-memory.dmp

Filesize
244KB

Download
memory/1112-89-0x000000005E3A0000-0x000000005E42D000-memory.dmp

Filesize
564KB

Download
memory/1112-74-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/1112-87-0x0000000075EA0000-0x0000000075F2F000-memory.dmp

Filesize
572KB

Download
memory/1112-62-0x00000000753C0000-0x000000007540A000-memory.dmp

Filesize
296KB

Download
memory/1112-77-0x0000000075A20000-0x0000000075B7C000-memory.dmp

Filesize
1.4MB

Download
memory/1112-78-0x0000000074A50000-0x0000000074AAB000-memory.dmp

Filesize
364KB

Download
memory/1112-79-0x0000000000DF0000-0x0000000000EF8000-memory.dmp

Filesize
1.0MB

Download
memory/1112-80-0x0000000075C10000-0x0000000075C57000-memory.dmp

Filesize
284KB

Download
memory/1112-81-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/1112-82-0x0000000076030000-0x0000000076065000-memory.dmp

Filesize
212KB

Download
memory/1112-83-0x00000000756E0000-0x00000000757FD000-memory.dmp

Filesize
1.1MB

Download
memory/1112-84-0x0000000064E70000-0x0000000065142000-memory.dmp

Filesize
2.8MB

Download
memory/1928-75-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/1928-56-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download
memory/1928-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1928-55-0x0000000074B10000-0x00000000750BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing