b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21

General

Target

b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe
Size

8KB
MD5

4c0ae49fd853be93441c0937379c3851
SHA1

a0eb276720d3ee94cb929f0929ab4946adf93e28
SHA256

b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21
SHA512

56b74b178f0201589deefd4ceffa849afe2b0124f4a844868b333e975cb986db3dfe044635613095e329144c7906a10f5db0cac092526150225d12d500221950
SSDEEP

192:5AnTTGuZVgUHbuzIFaNJhLkwcud2DH9VwGfctl3O:WTLVgUk8aNJawcudoD7US

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
520	b2e.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1448-55-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1448	b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe
1448	b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 520	1448	b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe	28
PID 1448 wrote to memory of 520	1448	b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe	28
PID 1448 wrote to memory of 520	1448	b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe	28
PID 1448 wrote to memory of 520	1448	b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe	28
PID 520 wrote to memory of 360	520	b2e.exe	29
PID 520 wrote to memory of 360	520	b2e.exe	29
PID 520 wrote to memory of 360	520	b2e.exe	29
PID 520 wrote to memory of 360	520	b2e.exe	29
PID 520 wrote to memory of 1996	520	b2e.exe	31
PID 520 wrote to memory of 1996	520	b2e.exe	31
PID 520 wrote to memory of 1996	520	b2e.exe	31
PID 520 wrote to memory of 1996	520	b2e.exe	31

C:\Users\Admin\AppData\Local\Temp\b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe
"C:\Users\Admin\AppData\Local\Temp\b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\95AC.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\95AC.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\95AC.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\b6c8ce8cc6bad3e7eb8eab8f1058983e5924a128c98cc5965104a4b8ca61ee21.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\981C.tmp\batchfile.bat" "
    3⤵
    PID:360
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\95AC.tmp\b2e.exe

Filesize
8KB

MD5
14faf3dcb9ac1239c6b703a956b31fff

SHA1
760c5ce6584f5a5465847d0aa9b979f571d874a0

SHA256
777e026748bb851cda97a8d5fafc2e9d2dc7bc1a143b54dec656428a328bf980

SHA512
acbd50bfc5ba30221257cbdc4a773f0e6f9e407b67daa6ef22199f2fe68753d9a2c2c37b37569b9204aba9a99498c204f7d704f992c27f206519207ef0ac1e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\95AC.tmp\b2e.exe

Filesize
8KB

MD5
14faf3dcb9ac1239c6b703a956b31fff

SHA1
760c5ce6584f5a5465847d0aa9b979f571d874a0

SHA256
777e026748bb851cda97a8d5fafc2e9d2dc7bc1a143b54dec656428a328bf980

SHA512
acbd50bfc5ba30221257cbdc4a773f0e6f9e407b67daa6ef22199f2fe68753d9a2c2c37b37569b9204aba9a99498c204f7d704f992c27f206519207ef0ac1e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\981C.tmp\batchfile.bat

Filesize
11B

MD5
accb818196efe9ed6d5f4226e46fb4e9

SHA1
653a51ffe7db555ffb1cd0b05d80fb3d85ef9223

SHA256
e229f8475c6587f6f320c41757166a7383fbbe31a50fc1226bbc19005b1e9a41

SHA512
9a0728205e406daba0d4e17d29d20e92c7218816576f3d9e50c32f84862891118fab0a3d7f556e55122e2e616f2125ed343c059abb73d29868a64c975a580da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
c2cf31e6d63bbbb0d943efa08f8471ab

SHA1
bd65d1c49755628aea62c894ee15175ac87cee0a

SHA256
3dfa6f7a06a8b1d11d5488ace6d5fdd7692bd88c31f9f557b873fe56fd170085

SHA512
e166d7abd7f863cb65739c613681c9faba4cf2497005e5572c23501701e031a480967b5f62fff0bc0b17dd4db56b3328fa8878257939759493e36afbb001a53d

Download Submit
\Users\Admin\AppData\Local\Temp\95AC.tmp\b2e.exe

Filesize
8KB

MD5
14faf3dcb9ac1239c6b703a956b31fff

SHA1
760c5ce6584f5a5465847d0aa9b979f571d874a0

SHA256
777e026748bb851cda97a8d5fafc2e9d2dc7bc1a143b54dec656428a328bf980

SHA512
acbd50bfc5ba30221257cbdc4a773f0e6f9e407b67daa6ef22199f2fe68753d9a2c2c37b37569b9204aba9a99498c204f7d704f992c27f206519207ef0ac1e8a

Download Submit
\Users\Admin\AppData\Local\Temp\95AC.tmp\b2e.exe

Filesize
8KB

MD5
14faf3dcb9ac1239c6b703a956b31fff

SHA1
760c5ce6584f5a5465847d0aa9b979f571d874a0

SHA256
777e026748bb851cda97a8d5fafc2e9d2dc7bc1a143b54dec656428a328bf980

SHA512
acbd50bfc5ba30221257cbdc4a773f0e6f9e407b67daa6ef22199f2fe68753d9a2c2c37b37569b9204aba9a99498c204f7d704f992c27f206519207ef0ac1e8a

Download Submit
memory/520-62-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/520-66-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1448-55-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1448-54-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing