895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da

General

Target

895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe
Size

183KB
MD5

2caf48c146abfc475ddd1b923088d7b0
SHA1

cf717f2ad3de869b1cc1d5f531bc47fc0a62f807
SHA256

895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da
SHA512

5cb568a8c9e1232198ae8db980641d260e059172456936e6771cb44c7048d73fad7af878789803b7add8b77c0d2f717aceab9eb8deaf65f0a0db39aacc1b2821
SSDEEP

3072:f/ampeVe/rQIf3dx3Qx0kY9Y/XeVaqB+JPKmPJZFLmBKZ2PPT38xrHqDUEqg:fTpeVGrbtx3a0r9gWUfJPmBWxrfg

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1112	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
2008	1.exe

Deletes itself 1 IoCs

pid	Process
1396	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1200	895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe
1200	895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1972	taskkill.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2008	1.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	taskkill.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2008	1200	895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe	27
PID 1200 wrote to memory of 2008	1200	895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe	27
PID 1200 wrote to memory of 2008	1200	895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe	27
PID 1200 wrote to memory of 2008	1200	895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe	27
PID 2008 wrote to memory of 1972	2008	1.exe	28
PID 2008 wrote to memory of 1972	2008	1.exe	28
PID 2008 wrote to memory of 1972	2008	1.exe	28
PID 2008 wrote to memory of 1972	2008	1.exe	28
PID 2008 wrote to memory of 1112	2008	1.exe	30
PID 2008 wrote to memory of 1112	2008	1.exe	30
PID 2008 wrote to memory of 1112	2008	1.exe	30
PID 2008 wrote to memory of 1112	2008	1.exe	30
PID 2008 wrote to memory of 1112	2008	1.exe	30
PID 2008 wrote to memory of 1112	2008	1.exe	30
PID 2008 wrote to memory of 1112	2008	1.exe	30
PID 1200 wrote to memory of 1396	1200	895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe	32
PID 1200 wrote to memory of 1396	1200	895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe	32
PID 1200 wrote to memory of 1396	1200	895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe	32
PID 1200 wrote to memory of 1396	1200	895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe	32

C:\Users\Admin\AppData\Local\Temp\895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe
"C:\Users\Admin\AppData\Local\Temp\895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im KsafeTray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Remoete.dll" WWWW
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  - Deletes itself
  PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Remoete.dll

Filesize
11.1MB

MD5
78cc7924c0e7dd5148abb1b4123c9f42

SHA1
819a8a50b82f7211edefebe8f6ae5ffabf00cccf

SHA256
54f684028c2b154aaf71b78388476f1e8d7c81b2434d035d6ccc4515ce565dd4

SHA512
1b5f277901ac5f71cceb6a2eaced9c2214cd42c19df28ae6b269e0e24a5e6aad12f9402e462e124b87bc93fe210545635235c1b81ee5e47f1f26da2fcacc1183

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
100.2MB

MD5
af762160eaecd6eac85f557a87fcd3e3

SHA1
b71396ae1cd107062d739330edc66573a1cb966f

SHA256
c9bb95b88ebd6ea0985cce6e44d1ad54eb878af9de41ad0e79b9d9a677b7751e

SHA512
e4a1ecaed5850fe1670183f4a56590a429500879c630de4029286a2fc6b5928a27c40a167eecfc0407c65042cbc6162821520ee2b40747714359ee111bb6a043

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
100.2MB

MD5
af762160eaecd6eac85f557a87fcd3e3

SHA1
b71396ae1cd107062d739330edc66573a1cb966f

SHA256
c9bb95b88ebd6ea0985cce6e44d1ad54eb878af9de41ad0e79b9d9a677b7751e

SHA512
e4a1ecaed5850fe1670183f4a56590a429500879c630de4029286a2fc6b5928a27c40a167eecfc0407c65042cbc6162821520ee2b40747714359ee111bb6a043

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
c83f8588bf4732209062125d5e09d03b

SHA1
c90614857e9d672a95559723801bd8b3354d8ca4

SHA256
232baff29e9dc8662e551558bc01e3e305b9392f773929a5f74c96825bb075cc

SHA512
12d557e310fe66a8078eb503c83e482949059f8cde96d4280e76ac97177e6ad4962f0072d860e3272f88b1c58e65e2f5833f897d4ccf6917ba73b15f19c401b7

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
100.2MB

MD5
af762160eaecd6eac85f557a87fcd3e3

SHA1
b71396ae1cd107062d739330edc66573a1cb966f

SHA256
c9bb95b88ebd6ea0985cce6e44d1ad54eb878af9de41ad0e79b9d9a677b7751e

SHA512
e4a1ecaed5850fe1670183f4a56590a429500879c630de4029286a2fc6b5928a27c40a167eecfc0407c65042cbc6162821520ee2b40747714359ee111bb6a043

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
100.2MB

MD5
af762160eaecd6eac85f557a87fcd3e3

SHA1
b71396ae1cd107062d739330edc66573a1cb966f

SHA256
c9bb95b88ebd6ea0985cce6e44d1ad54eb878af9de41ad0e79b9d9a677b7751e

SHA512
e4a1ecaed5850fe1670183f4a56590a429500879c630de4029286a2fc6b5928a27c40a167eecfc0407c65042cbc6162821520ee2b40747714359ee111bb6a043

Download Submit
memory/1200-60-0x0000000002000000-0x000000000203C000-memory.dmp

Filesize
240KB

Download
memory/1200-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1200-58-0x0000000002000000-0x000000000203C000-memory.dmp

Filesize
240KB

Download
memory/2008-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing