3ccb32deb2e0f0c8426041bec7e2baf86f7e87cfb770f0572535f4d28fd4bf09

General

Target

3ccb32deb2e0f0c8426041bec7e2baf86f7e87cfb770f0572535f4d28fd4bf09.exe
Size

1000KB
MD5

439dfb1848c5a06c0d88832381ed6bf0
SHA1

bf1cfdbf53f1c3ac5c01ad6ea65ec095fef198be
SHA256

3ccb32deb2e0f0c8426041bec7e2baf86f7e87cfb770f0572535f4d28fd4bf09
SHA512

5a31bed7753807fe61ede883a8fadaef2782581d917421ebacebc56b35dc834a39ede26161617cd82ddc7b467de45ad34cd7acf6e1ebe125d0ca9369dc3f97f5
SSDEEP

24576:W2O/Gl+vyZZ9GTbowtu/w9+uokjG/ZyNB5+Ct21X1p5p21IpGF:+yZnGTbosu/MozjCt21luIpQ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2024	939393_.exe
1908	939393_.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinHelp.exe	939393_.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinHelp.exe	939393_.exe

Loads dropped DLL 5 IoCs

pid	Process
1176	3ccb32deb2e0f0c8426041bec7e2baf86f7e87cfb770f0572535f4d28fd4bf09.exe
1176	3ccb32deb2e0f0c8426041bec7e2baf86f7e87cfb770f0572535f4d28fd4bf09.exe
1176	3ccb32deb2e0f0c8426041bec7e2baf86f7e87cfb770f0572535f4d28fd4bf09.exe
1176	3ccb32deb2e0f0c8426041bec7e2baf86f7e87cfb770f0572535f4d28fd4bf09.exe
2024	939393_.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000c000000012333-55.dat	autoit_exe
behavioral1/files/0x000c000000012333-56.dat	autoit_exe
behavioral1/files/0x000c000000012333-57.dat	autoit_exe
behavioral1/files/0x000c000000012333-58.dat	autoit_exe
behavioral1/files/0x000c000000012333-60.dat	autoit_exe
behavioral1/files/0x000c000000012333-62.dat	autoit_exe
behavioral1/files/0x000c000000012333-63.dat	autoit_exe
behavioral1/files/0x000c000000012333-75.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 1908	2024	939393_.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1908	939393_.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1908	939393_.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	939393_.exe
Token: SeDebugPrivilege	1908	939393_.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2024	939393_.exe
2024	939393_.exe
2024	939393_.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2024	939393_.exe
2024	939393_.exe
2024	939393_.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2024	1176	3ccb32deb2e0f0c8426041bec7e2baf86f7e87cfb770f0572535f4d28fd4bf09.exe	28
PID 1176 wrote to memory of 2024	1176	3ccb32deb2e0f0c8426041bec7e2baf86f7e87cfb770f0572535f4d28fd4bf09.exe	28
PID 1176 wrote to memory of 2024	1176	3ccb32deb2e0f0c8426041bec7e2baf86f7e87cfb770f0572535f4d28fd4bf09.exe	28
PID 1176 wrote to memory of 2024	1176	3ccb32deb2e0f0c8426041bec7e2baf86f7e87cfb770f0572535f4d28fd4bf09.exe	28
PID 1176 wrote to memory of 2024	1176	3ccb32deb2e0f0c8426041bec7e2baf86f7e87cfb770f0572535f4d28fd4bf09.exe	28
PID 1176 wrote to memory of 2024	1176	3ccb32deb2e0f0c8426041bec7e2baf86f7e87cfb770f0572535f4d28fd4bf09.exe	28
PID 1176 wrote to memory of 2024	1176	3ccb32deb2e0f0c8426041bec7e2baf86f7e87cfb770f0572535f4d28fd4bf09.exe	28
PID 2024 wrote to memory of 1908	2024	939393_.exe	29
PID 2024 wrote to memory of 1908	2024	939393_.exe	29
PID 2024 wrote to memory of 1908	2024	939393_.exe	29
PID 2024 wrote to memory of 1908	2024	939393_.exe	29
PID 2024 wrote to memory of 1908	2024	939393_.exe	29
PID 2024 wrote to memory of 1908	2024	939393_.exe	29
PID 2024 wrote to memory of 1908	2024	939393_.exe	29
PID 2024 wrote to memory of 1908	2024	939393_.exe	29
PID 2024 wrote to memory of 1908	2024	939393_.exe	29
PID 2024 wrote to memory of 1908	2024	939393_.exe	29
PID 2024 wrote to memory of 1908	2024	939393_.exe	29
PID 2024 wrote to memory of 1908	2024	939393_.exe	29
PID 1908 wrote to memory of 1988	1908	939393_.exe	30
PID 1908 wrote to memory of 1988	1908	939393_.exe	30
PID 1908 wrote to memory of 1988	1908	939393_.exe	30
PID 1908 wrote to memory of 1988	1908	939393_.exe	30

C:\Users\Admin\AppData\Local\Temp\3ccb32deb2e0f0c8426041bec7e2baf86f7e87cfb770f0572535f4d28fd4bf09.exe
"C:\Users\Admin\AppData\Local\Temp\3ccb32deb2e0f0c8426041bec7e2baf86f7e87cfb770f0572535f4d28fd4bf09.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\939393_.exe
  "C:\Users\Admin\AppData\Local\Temp\939393_.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\939393_.exe
    "C:\Users\Admin\AppData\Local\Temp\939393_.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      4⤵
      PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\939393_.exe

Filesize
1.0MB

MD5
4045f06e04e9ff5b61f972b686bcd053

SHA1
1a3b07afd6921fbf6e3cada9633b9117ef787fbe

SHA256
71d0488c7c53908429417da06d40ff4b72af7a050e35c6c9e284252a01fa6634

SHA512
17ae36f0f5a93bbec80a1dd7325503dab719b90482a8b129f0bd7e36e3042017060536be2acb2c0212d0628bf80e5cb7fd7cb547b754a4a51039e34d517a03dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\939393_.exe

Filesize
1.0MB

MD5
4045f06e04e9ff5b61f972b686bcd053

SHA1
1a3b07afd6921fbf6e3cada9633b9117ef787fbe

SHA256
71d0488c7c53908429417da06d40ff4b72af7a050e35c6c9e284252a01fa6634

SHA512
17ae36f0f5a93bbec80a1dd7325503dab719b90482a8b129f0bd7e36e3042017060536be2acb2c0212d0628bf80e5cb7fd7cb547b754a4a51039e34d517a03dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\939393_.exe

Filesize
1.0MB

MD5
4045f06e04e9ff5b61f972b686bcd053

SHA1
1a3b07afd6921fbf6e3cada9633b9117ef787fbe

SHA256
71d0488c7c53908429417da06d40ff4b72af7a050e35c6c9e284252a01fa6634

SHA512
17ae36f0f5a93bbec80a1dd7325503dab719b90482a8b129f0bd7e36e3042017060536be2acb2c0212d0628bf80e5cb7fd7cb547b754a4a51039e34d517a03dc

Download Submit
\Users\Admin\AppData\Local\Temp\939393_.exe

Filesize
1.0MB

MD5
4045f06e04e9ff5b61f972b686bcd053

SHA1
1a3b07afd6921fbf6e3cada9633b9117ef787fbe

SHA256
71d0488c7c53908429417da06d40ff4b72af7a050e35c6c9e284252a01fa6634

SHA512
17ae36f0f5a93bbec80a1dd7325503dab719b90482a8b129f0bd7e36e3042017060536be2acb2c0212d0628bf80e5cb7fd7cb547b754a4a51039e34d517a03dc

Download Submit
\Users\Admin\AppData\Local\Temp\939393_.exe

Filesize
1.0MB

MD5
4045f06e04e9ff5b61f972b686bcd053

SHA1
1a3b07afd6921fbf6e3cada9633b9117ef787fbe

SHA256
71d0488c7c53908429417da06d40ff4b72af7a050e35c6c9e284252a01fa6634

SHA512
17ae36f0f5a93bbec80a1dd7325503dab719b90482a8b129f0bd7e36e3042017060536be2acb2c0212d0628bf80e5cb7fd7cb547b754a4a51039e34d517a03dc

Download Submit
\Users\Admin\AppData\Local\Temp\939393_.exe

Filesize
1.0MB

MD5
4045f06e04e9ff5b61f972b686bcd053

SHA1
1a3b07afd6921fbf6e3cada9633b9117ef787fbe

SHA256
71d0488c7c53908429417da06d40ff4b72af7a050e35c6c9e284252a01fa6634

SHA512
17ae36f0f5a93bbec80a1dd7325503dab719b90482a8b129f0bd7e36e3042017060536be2acb2c0212d0628bf80e5cb7fd7cb547b754a4a51039e34d517a03dc

Download Submit
\Users\Admin\AppData\Local\Temp\939393_.exe

Filesize
1.0MB

MD5
4045f06e04e9ff5b61f972b686bcd053

SHA1
1a3b07afd6921fbf6e3cada9633b9117ef787fbe

SHA256
71d0488c7c53908429417da06d40ff4b72af7a050e35c6c9e284252a01fa6634

SHA512
17ae36f0f5a93bbec80a1dd7325503dab719b90482a8b129f0bd7e36e3042017060536be2acb2c0212d0628bf80e5cb7fd7cb547b754a4a51039e34d517a03dc

Download Submit
\Users\Admin\AppData\Local\Temp\939393_.exe

Filesize
1.0MB

MD5
4045f06e04e9ff5b61f972b686bcd053

SHA1
1a3b07afd6921fbf6e3cada9633b9117ef787fbe

SHA256
71d0488c7c53908429417da06d40ff4b72af7a050e35c6c9e284252a01fa6634

SHA512
17ae36f0f5a93bbec80a1dd7325503dab719b90482a8b129f0bd7e36e3042017060536be2acb2c0212d0628bf80e5cb7fd7cb547b754a4a51039e34d517a03dc

Download Submit
memory/1176-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1908-64-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1908-65-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1908-67-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1908-69-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1908-71-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1908-73-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1908-77-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1908-79-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing