b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45

General

Target

b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45.exe
Size

1.0MB
MD5

2e512c94a3d0b90ba9fd5e82073c99ae
SHA1

3f908389a9b65ad0c004d6dd3564fffde6025068
SHA256

b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45
SHA512

dc227bb4bd94c37fc1c116ebdc1ef579c35deb390abc3b1de049da55672249fdfc78d1439eaa18aa06f04c6abb14f786d971eb2a9211d0e68300493588364e5c
SSDEEP

24576:zvfOydJf45O2zCbWrKTY4H7W8ajvdBZNZ33HTVjWN5uHn69lZ8:TGMJf4UHqrKMCfajvXZNZ33BWHuH69li

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1428	StpFB31_TMP.EXE
1352	is-S1D2S.tmp

Loads dropped DLL 4 IoCs

pid	Process
1044	b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45.exe
1428	StpFB31_TMP.EXE
1352	is-S1D2S.tmp
1352	is-S1D2S.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1428	1044	b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45.exe	27
PID 1044 wrote to memory of 1428	1044	b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45.exe	27
PID 1044 wrote to memory of 1428	1044	b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45.exe	27
PID 1044 wrote to memory of 1428	1044	b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45.exe	27
PID 1428 wrote to memory of 1352	1428	StpFB31_TMP.EXE	28
PID 1428 wrote to memory of 1352	1428	StpFB31_TMP.EXE	28
PID 1428 wrote to memory of 1352	1428	StpFB31_TMP.EXE	28
PID 1428 wrote to memory of 1352	1428	StpFB31_TMP.EXE	28
PID 1428 wrote to memory of 1352	1428	StpFB31_TMP.EXE	28
PID 1428 wrote to memory of 1352	1428	StpFB31_TMP.EXE	28
PID 1428 wrote to memory of 1352	1428	StpFB31_TMP.EXE	28

C:\Users\Admin\AppData\Local\Temp\b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45.exe
"C:\Users\Admin\AppData\Local\Temp\b6b72f43aa0cb8086334c1b5cffdc8f54d02c3d9310eb1bfa967b106cb2fbb45.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\StpFB31_TMP.EXE
  "C:\Users\Admin\AppData\Local\Temp\StpFB31_TMP.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\is-CICUE.tmp\is-S1D2S.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-CICUE.tmp\is-S1D2S.tmp" /SL4 $70120 "C:\Users\Admin\AppData\Local\Temp\StpFB31_TMP.EXE" 794944 51200
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\StpFB31_TMP.EXE

Filesize
1020KB

MD5
5a0fe4a042503d77506ad34e23f4493c

SHA1
4f83b622705c9db0825b5cb5008d573611120125

SHA256
9c3f6ddb5678154b501ae05e5509c528d7db63b073f60d5080e619d26a0c5bcd

SHA512
3485faf6fe26ffbfc0c4789a41ab851bdc6e92dfc43472a17a2f88e1a41c9dbd043774dfc688fbdf50038d7d95e65feb556879441037d894a7ce1aab077ca382

Download Submit
C:\Users\Admin\AppData\Local\Temp\StpFB31_TMP.EXE

Filesize
1020KB

MD5
5a0fe4a042503d77506ad34e23f4493c

SHA1
4f83b622705c9db0825b5cb5008d573611120125

SHA256
9c3f6ddb5678154b501ae05e5509c528d7db63b073f60d5080e619d26a0c5bcd

SHA512
3485faf6fe26ffbfc0c4789a41ab851bdc6e92dfc43472a17a2f88e1a41c9dbd043774dfc688fbdf50038d7d95e65feb556879441037d894a7ce1aab077ca382

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CICUE.tmp\is-S1D2S.tmp

Filesize
659KB

MD5
8d945b4b32cdbdae0b9e320e6870607f

SHA1
bc109a8a04450c4833449d56b5ad77d1e37fa063

SHA256
70a88b34f9a87419c8df27f097262e1bea0e7db7a8c27aa2376e311dc65de1b6

SHA512
7d59cbc9690c951f9e96e1af257f334affc38559f4d4a77ee4703ebd5a02a4424afa8fb1447775f5a02ab60ba3f49e84906bb8e2b3d44aabdfbdfb8938f0ef29

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CICUE.tmp\is-S1D2S.tmp

Filesize
659KB

MD5
8d945b4b32cdbdae0b9e320e6870607f

SHA1
bc109a8a04450c4833449d56b5ad77d1e37fa063

SHA256
70a88b34f9a87419c8df27f097262e1bea0e7db7a8c27aa2376e311dc65de1b6

SHA512
7d59cbc9690c951f9e96e1af257f334affc38559f4d4a77ee4703ebd5a02a4424afa8fb1447775f5a02ab60ba3f49e84906bb8e2b3d44aabdfbdfb8938f0ef29

Download Submit
\Users\Admin\AppData\Local\Temp\StpFB31_TMP.EXE

Filesize
1020KB

MD5
5a0fe4a042503d77506ad34e23f4493c

SHA1
4f83b622705c9db0825b5cb5008d573611120125

SHA256
9c3f6ddb5678154b501ae05e5509c528d7db63b073f60d5080e619d26a0c5bcd

SHA512
3485faf6fe26ffbfc0c4789a41ab851bdc6e92dfc43472a17a2f88e1a41c9dbd043774dfc688fbdf50038d7d95e65feb556879441037d894a7ce1aab077ca382

Download Submit
\Users\Admin\AppData\Local\Temp\is-84MDD.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-84MDD.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-CICUE.tmp\is-S1D2S.tmp

Filesize
659KB

MD5
8d945b4b32cdbdae0b9e320e6870607f

SHA1
bc109a8a04450c4833449d56b5ad77d1e37fa063

SHA256
70a88b34f9a87419c8df27f097262e1bea0e7db7a8c27aa2376e311dc65de1b6

SHA512
7d59cbc9690c951f9e96e1af257f334affc38559f4d4a77ee4703ebd5a02a4424afa8fb1447775f5a02ab60ba3f49e84906bb8e2b3d44aabdfbdfb8938f0ef29

Download Submit
memory/1428-58-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1428-57-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1428-68-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing