ebe1461efc6d3c59317952b362dea27082c493ce5e0b21fc501c8d8b1e1ca0eb

General

Target

ebe1461efc6d3c59317952b362dea27082c493ce5e0b21fc501c8d8b1e1ca0eb.exe
Size

1.6MB
MD5

b6c64113705e6a47fae4030961e351ec
SHA1

4cc602102278574a3bd42fd2e21d5faeb27bf8bb
SHA256

ebe1461efc6d3c59317952b362dea27082c493ce5e0b21fc501c8d8b1e1ca0eb
SHA512

f7a5e4fa408f8326c039662051421b393d7d009a8bfede71f0454603ea0c42cc35c5195ef6fda948620fc7fbd5112d0e9c92a9c858b815911d5384b9ba473303
SSDEEP

24576:PgZXoZUTVdt7K7Ubwx1YiPuC8W1xfs568qtyz+V5zeX1LnGLz8oDEv7Q72y0f:u5wxiiP8Ux0k7yCz+tnoooDETQMf

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2332	rundll32.exe
2332	rundll32.exe
2712	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 2144	1604	ebe1461efc6d3c59317952b362dea27082c493ce5e0b21fc501c8d8b1e1ca0eb.exe	66
PID 1604 wrote to memory of 2144	1604	ebe1461efc6d3c59317952b362dea27082c493ce5e0b21fc501c8d8b1e1ca0eb.exe	66
PID 1604 wrote to memory of 2144	1604	ebe1461efc6d3c59317952b362dea27082c493ce5e0b21fc501c8d8b1e1ca0eb.exe	66
PID 2144 wrote to memory of 2332	2144	control.exe	67
PID 2144 wrote to memory of 2332	2144	control.exe	67
PID 2144 wrote to memory of 2332	2144	control.exe	67
PID 2332 wrote to memory of 2676	2332	rundll32.exe	68
PID 2332 wrote to memory of 2676	2332	rundll32.exe	68
PID 2676 wrote to memory of 2712	2676	RunDll32.exe	69
PID 2676 wrote to memory of 2712	2676	RunDll32.exe	69
PID 2676 wrote to memory of 2712	2676	RunDll32.exe	69

C:\Users\Admin\AppData\Local\Temp\ebe1461efc6d3c59317952b362dea27082c493ce5e0b21fc501c8d8b1e1ca0eb.exe
"C:\Users\Admin\AppData\Local\Temp\ebe1461efc6d3c59317952b362dea27082c493ce5e0b21fc501c8d8b1e1ca0eb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" .\hT9zY.3WT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\hT9zY.3WT
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\hT9zY.3WT
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\hT9zY.3WT
        5⤵
        Loads dropped DLL
        
        PID:2712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hT9zY.3WT

Filesize
1.1MB

MD5
d85fe44b916c1c501f0d771db7fb00dc

SHA1
901a0281382606c6465cae323ae1ce42704b54a8

SHA256
c52cc0e072edf05e9556a6a99685c9f7736fb554b4660458755599a56d9d5952

SHA512
4c7fb0488a6494146eb9adfffa4a1073135ca31ce00e9e596695418b099764ca3fc5b6c33ff04e26ab483d76bd6b7ff886befb364ad24253c61e9d96f139a17d

Download Submit
\Users\Admin\AppData\Local\Temp\hT9zY.3wT

Filesize
1.1MB

MD5
d85fe44b916c1c501f0d771db7fb00dc

SHA1
901a0281382606c6465cae323ae1ce42704b54a8

SHA256
c52cc0e072edf05e9556a6a99685c9f7736fb554b4660458755599a56d9d5952

SHA512
4c7fb0488a6494146eb9adfffa4a1073135ca31ce00e9e596695418b099764ca3fc5b6c33ff04e26ab483d76bd6b7ff886befb364ad24253c61e9d96f139a17d

Download Submit
\Users\Admin\AppData\Local\Temp\hT9zY.3wT

Filesize
1.1MB

MD5
d85fe44b916c1c501f0d771db7fb00dc

SHA1
901a0281382606c6465cae323ae1ce42704b54a8

SHA256
c52cc0e072edf05e9556a6a99685c9f7736fb554b4660458755599a56d9d5952

SHA512
4c7fb0488a6494146eb9adfffa4a1073135ca31ce00e9e596695418b099764ca3fc5b6c33ff04e26ab483d76bd6b7ff886befb364ad24253c61e9d96f139a17d

Download Submit
\Users\Admin\AppData\Local\Temp\hT9zY.3wT

Filesize
1.1MB

MD5
d85fe44b916c1c501f0d771db7fb00dc

SHA1
901a0281382606c6465cae323ae1ce42704b54a8

SHA256
c52cc0e072edf05e9556a6a99685c9f7736fb554b4660458755599a56d9d5952

SHA512
4c7fb0488a6494146eb9adfffa4a1073135ca31ce00e9e596695418b099764ca3fc5b6c33ff04e26ab483d76bd6b7ff886befb364ad24253c61e9d96f139a17d

Download Submit
memory/2332-136-0x0000000004800000-0x00000000048C9000-memory.dmp

Filesize
804KB

Download
memory/2332-131-0x0000000000FA0000-0x0000000000FA6000-memory.dmp

Filesize
24KB

Download
memory/2332-132-0x0000000004710000-0x00000000047EF000-memory.dmp

Filesize
892KB

Download
memory/2332-133-0x0000000004800000-0x00000000048C9000-memory.dmp

Filesize
804KB

Download
memory/2332-129-0x00000000043D0000-0x00000000044EB000-memory.dmp

Filesize
1.1MB

Download
memory/2332-137-0x0000000004800000-0x00000000048C9000-memory.dmp

Filesize
804KB

Download
memory/2332-128-0x00000000043D0000-0x00000000044EB000-memory.dmp

Filesize
1.1MB

Download
memory/2712-139-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2712-141-0x0000000002FF0000-0x0000000002FF6000-memory.dmp

Filesize
24KB

Download
memory/2712-142-0x0000000005350000-0x000000000542F000-memory.dmp

Filesize
892KB

Download
memory/2712-143-0x0000000005430000-0x00000000054F9000-memory.dmp

Filesize
804KB

Download
memory/2712-146-0x0000000005430000-0x00000000054F9000-memory.dmp

Filesize
804KB

Download
memory/2712-147-0x0000000005430000-0x00000000054F9000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing