eeb800f752648769bd2af8b1e03aa8be27d4458efe9e0450e8a24e860425b0e7

Reason

Machine shutdown

General

Target

352ac725d88163238910d2a66480ba6c.exe
Size

171KB
MD5

352ac725d88163238910d2a66480ba6c
SHA1

568b70f867ed54a0f4b364191f61905779def271
SHA256

eeb800f752648769bd2af8b1e03aa8be27d4458efe9e0450e8a24e860425b0e7
SHA512

44c2e7f03f5f14284e487efc1fbce5471232cd4b2160b8303302124e1e39743c0587284d493d4e6492312829849f5b3ca129da30eb262c32f6df665a7b57441b
SSDEEP

3072:3fY/TU9fE9PEtudb6l09deXWwHbLuo2vKFAJ24iTiU4Vqf3Vb83GuRB7SC3LM7MT:vYa6r6WneGy4SeJ2fhtJ83l3rnxd5iEb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

fhmddjes.exefhmddjes.exe

pid process

2020 fhmddjes.exe
468 fhmddjes.exe
Loads dropped DLL 3 IoCs

Processes:

352ac725d88163238910d2a66480ba6c.exefhmddjes.exe

pid process

1716 352ac725d88163238910d2a66480ba6c.exe
1716 352ac725d88163238910d2a66480ba6c.exe
2020 fhmddjes.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

fhmddjes.exe

description pid process target process

PID 2020 set thread context of 468 2020 fhmddjes.exe fhmddjes.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

fhmddjes.exe

pid process

2020 fhmddjes.exe

pid	process
2020	fhmddjes.exe
468	fhmddjes.exe

pid	process
1716	352ac725d88163238910d2a66480ba6c.exe
1716	352ac725d88163238910d2a66480ba6c.exe
2020	fhmddjes.exe

description	pid	process	target process
PID 2020 set thread context of 468	2020	fhmddjes.exe	fhmddjes.exe

pid	process
2020	fhmddjes.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

352ac725d88163238910d2a66480ba6c.exefhmddjes.exe

description	pid	process	target process
PID 1716 wrote to memory of 2020	1716	352ac725d88163238910d2a66480ba6c.exe	fhmddjes.exe
PID 1716 wrote to memory of 2020	1716	352ac725d88163238910d2a66480ba6c.exe	fhmddjes.exe
PID 1716 wrote to memory of 2020	1716	352ac725d88163238910d2a66480ba6c.exe	fhmddjes.exe
PID 1716 wrote to memory of 2020	1716	352ac725d88163238910d2a66480ba6c.exe	fhmddjes.exe
PID 2020 wrote to memory of 468	2020	fhmddjes.exe	fhmddjes.exe
PID 2020 wrote to memory of 468	2020	fhmddjes.exe	fhmddjes.exe
PID 2020 wrote to memory of 468	2020	fhmddjes.exe	fhmddjes.exe
PID 2020 wrote to memory of 468	2020	fhmddjes.exe	fhmddjes.exe
PID 2020 wrote to memory of 468	2020	fhmddjes.exe	fhmddjes.exe

C:\Users\Admin\AppData\Local\Temp\352ac725d88163238910d2a66480ba6c.exe
"C:\Users\Admin\AppData\Local\Temp\352ac725d88163238910d2a66480ba6c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\fhmddjes.exe
"C:\Users\Admin\AppData\Local\Temp\fhmddjes.exe" C:\Users\Admin\AppData\Local\Temp\xllspynywlj.t
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\fhmddjes.exe
"C:\Users\Admin\AppData\Local\Temp\fhmddjes.exe"
3⤵
- Executes dropped EXE
PID:468

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cqpdbt.qxd
Filesize
124KB

MD5
8aecd0737f96a0861084a64c7a87e2f9

SHA1
ec678f1ea6aedd1b7862a103a3cf418ab161ff24

SHA256
d5696d0430750f422a5db413ed0eed78f3a6803d51987dea747475883b7630e4

SHA512
1dc65e215d9ba6513ddd3d0f2598fd3f36fe0b8bf6f4afab422e58a0ec3aa9a8696118246b03100d1ea2702e3d9c21a9edde1f704995148f826af93a187ab8ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\fhmddjes.exe
Filesize
53KB

MD5
0233a5588c7f0407c6dd82b08525fd69

SHA1
095d082a3995532cf325cfa59f48c73ff2dc0c66

SHA256
bc2a0007cef6677044ed56325860c36a68925ec96c55cfc1a77d32041f590678

SHA512
592381cfe58d6e6806bebac9686c50348c9fd6a52907b97bc20b3417ebd8313d76110c4165019f6358c94495a90542ba65f5133b80d763381e6c5b217e2abce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fhmddjes.exe
Filesize
53KB

MD5
0233a5588c7f0407c6dd82b08525fd69

SHA1
095d082a3995532cf325cfa59f48c73ff2dc0c66

SHA256
bc2a0007cef6677044ed56325860c36a68925ec96c55cfc1a77d32041f590678

SHA512
592381cfe58d6e6806bebac9686c50348c9fd6a52907b97bc20b3417ebd8313d76110c4165019f6358c94495a90542ba65f5133b80d763381e6c5b217e2abce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xllspynywlj.t
Filesize
5KB

MD5
4c2be2568d5cc61cad9762d2ced76aa2

SHA1
1799798521ec9a262a45d4ee2cf22d93bb544031

SHA256
5f39570e66f8dc5381d762a10824de9ffa91ca49dfb22b391ceebb786e038497

SHA512
fe188c465c469457a35022e385814da3f97ebd5d689954ac43ba1aa8c90acaa32958ea61148ebf21bc6f69e617c9cb2b40be81ec3682934c62954194bdf3cc27

Download Submit
\Users\Admin\AppData\Local\Temp\fhmddjes.exe
Filesize
53KB

MD5
0233a5588c7f0407c6dd82b08525fd69

SHA1
095d082a3995532cf325cfa59f48c73ff2dc0c66

SHA256
bc2a0007cef6677044ed56325860c36a68925ec96c55cfc1a77d32041f590678

SHA512
592381cfe58d6e6806bebac9686c50348c9fd6a52907b97bc20b3417ebd8313d76110c4165019f6358c94495a90542ba65f5133b80d763381e6c5b217e2abce2

Download Submit
\Users\Admin\AppData\Local\Temp\fhmddjes.exe
Filesize
53KB

MD5
0233a5588c7f0407c6dd82b08525fd69

SHA1
095d082a3995532cf325cfa59f48c73ff2dc0c66

SHA256
bc2a0007cef6677044ed56325860c36a68925ec96c55cfc1a77d32041f590678

SHA512
592381cfe58d6e6806bebac9686c50348c9fd6a52907b97bc20b3417ebd8313d76110c4165019f6358c94495a90542ba65f5133b80d763381e6c5b217e2abce2

Download Submit
\Users\Admin\AppData\Local\Temp\fhmddjes.exe
Filesize
53KB

MD5
0233a5588c7f0407c6dd82b08525fd69

SHA1
095d082a3995532cf325cfa59f48c73ff2dc0c66

SHA256
bc2a0007cef6677044ed56325860c36a68925ec96c55cfc1a77d32041f590678

SHA512
592381cfe58d6e6806bebac9686c50348c9fd6a52907b97bc20b3417ebd8313d76110c4165019f6358c94495a90542ba65f5133b80d763381e6c5b217e2abce2

Download Submit
memory/468-64-0x00000000004139DE-mapping.dmp

Download
memory/1716-54-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/2020-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors