9a20c73aa2e63089ca6fbd0ea29f16634e25a7d02763413dd9cbfbf558068ce9

General

Target

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
Size

825KB
MD5

30316fe7b005a9290642487257f5d272
SHA1

9853434d6fd84e02caf658b3df7ec9c67f706df4
SHA256

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d
SHA512

d62e86094c9468edea83e2f506c970fe51c29d09f3c893a1233828e277d76278842de0f9737ab6dbe467e979da709a34f78ea5006d54bc2e2e9100e56fa62613
SSDEEP

24576:UEqUtbqFIaESpE8uhmTapaUZoluIaxrwiS2:UVUt5XS4cUZo0zr62

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

pid	process
2028	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
2028	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

description	pid	process	target process
PID 2028 set thread context of 980	2028	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 980 set thread context of 1692	980	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

Drops file in Windows directory 1 IoCs

Processes:

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

description ioc process

File opened for modification C:\Windows\ 1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe

C:\Users\Admin\AppData\Local\Temp\1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
"C:\Users\Admin\AppData\Local\Temp\1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
  "C:\Users\Admin\AppData\Local\Temp\1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Users\Admin\AppData\Local\Temp\1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
    "C:\Users\Admin\AppData\Local\Temp\1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 856
      4⤵
      PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst4CEA.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Users\Admin\AppData\Roaming\IP.dll

Filesize
85KB

MD5
3ce12db61d191b38ecedfee86120698a

SHA1
1712a069b6a6824cc60ec52c073ba1475854e640

SHA256
e0fcb0b7da1c78124836b7fdd521bb4978a784c56613f807d17de905320df443

SHA512
91d988a69188ed371916e0d096bd165c95f7ae991d2e8113646475226c579ed59a5d4cde6d7189ce72dbde973bd1206974185c1e3449a7ec220b8f47cf3ddbb6

Download Submit
memory/980-69-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/980-58-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/980-59-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/980-61-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/980-62-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/980-64-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/980-66-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/980-67-0x00000000004081F6-mapping.dmp

Download
memory/1160-90-0x0000000000000000-mapping.dmp

Download
memory/1692-74-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1692-85-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1692-72-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1692-93-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/1692-76-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1692-77-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1692-80-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1692-81-0x0000000000472B6E-mapping.dmp

Download
memory/1692-84-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1692-70-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1692-86-0x0000000000402000-0x0000000000472C00-memory.dmp

Filesize
451KB

Download
memory/1692-87-0x0000000000402000-0x0000000000472C00-memory.dmp

Filesize
451KB

Download
memory/1692-88-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1692-89-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/1692-92-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2028-57-0x0000000000540000-0x000000000055B000-memory.dmp

Filesize
108KB

Download
memory/2028-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download

description	pid	process	target process
PID 2028 wrote to memory of 980	2028	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 2028 wrote to memory of 980	2028	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 2028 wrote to memory of 980	2028	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 2028 wrote to memory of 980	2028	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 2028 wrote to memory of 980	2028	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 2028 wrote to memory of 980	2028	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 2028 wrote to memory of 980	2028	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 2028 wrote to memory of 980	2028	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 2028 wrote to memory of 980	2028	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 2028 wrote to memory of 980	2028	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 980 wrote to memory of 1692	980	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 980 wrote to memory of 1692	980	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 980 wrote to memory of 1692	980	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 980 wrote to memory of 1692	980	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 980 wrote to memory of 1692	980	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 980 wrote to memory of 1692	980	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 980 wrote to memory of 1692	980	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 980 wrote to memory of 1692	980	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 980 wrote to memory of 1692	980	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 980 wrote to memory of 1692	980	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 980 wrote to memory of 1692	980	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe
PID 1692 wrote to memory of 1160	1692	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	dw20.exe
PID 1692 wrote to memory of 1160	1692	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	dw20.exe
PID 1692 wrote to memory of 1160	1692	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	dw20.exe
PID 1692 wrote to memory of 1160	1692	1b6e1188112772c78051e25d51e97db0aba461f6e031cdb98af8f2279731444d.exe	dw20.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads