36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f

General

Target

36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Size

516KB
MD5

3fc8aef51b7d77fac24f4d42e6e5ea75
SHA1

9285c3b941d89ef46436cecdce4af6037ce1bbca
SHA256

36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f
SHA512

ddc538b05db6ae712fd4702f9d58528cacda55de1d9113b82eaf7453a66b40434a5595a37d24390b1366ba7fafa06adb5cef44cac103e641c5f1626ce3f607e6
SSDEEP

12288:/LvTwCXi8lwtNCFY5hH1Ygm/Ll4tl+eIO9CVRiMi7:/khOgyl43AACVRRi7

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\Local Settings	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1216	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1216	36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe

C:\Users\Admin\AppData\Local\Temp\36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe
"C:\Users\Admin\AppData\Local\Temp\36ff5501778374817c6eee51966e4b4da4845db57e2fe58c745d954e7fb3f36f.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1216-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1216-55-0x0000000074B91000-0x0000000074B93000-memory.dmp

Filesize
8KB

Download
memory/1216-56-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing