353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5

General

Target

353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
Size

948KB
MD5

406b8fc9103a93ea1a18e5c37370137c
SHA1

a512b771879afc2302c5c837ff96546921313dc9
SHA256

353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5
SHA512

1655d4174ffeb773c633e3a744aabd15beed459c27b634c0f5e3d11532031b65089bef39955b77bb908270317950fbaf6a784a9534c458dfce6024224f4d547b
SSDEEP

24576:CN1ZEwSKk3Os2Iv+mbEcl00kC8aFZsTV9U3R1XSzcPUntyhyzMc:c1O/Os2W+mbdl00kpaZsTV9U3vXSYPU7

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 22 IoCs

Processes:

353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe

description	ioc	process
File created	\??\c:\windows\SysWOW64\yytmp1\1943524157\mu1943524157.tmp	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created	\??\c:\windows\SysWOW64\yytmp1\1943524157\fj1943524157.tmp	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created	\??\c:\windows\SysWOW64\opfileOneA	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification	\??\c:\windows\SysWOW64\yytmp1\1943524157\lk1943524157.tmp	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created	\??\c:\windows\SysWOW64\yytmp1\filebak	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification	\??\c:\windows\SysWOW64\yytmp1\1943524157\sx1943524157.tmp	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification	\??\c:\windows\SysWOW64\opfilejlA	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created	\??\c:\windows\SysWOW64\syys6.9.5.syw	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created	\??\c:\windows\SysWOW64\yytmp1\ywsfiletmp.tmp	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification	\??\c:\windows\SysWOW64\yytmp1\filebak	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created	\??\c:\windows\SysWOW64\yytmp1\1943524157\1943524157.tmp	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created	\??\c:\windows\SysWOW64\yytmp1\1943524157\lk1943524157.tmp	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification	\??\c:\windows\SysWOW64\yytmp1\1943524157\mu1943524157.tmp	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created	\??\c:\windows\SysWOW64\yytmp1\ÓÑÒæÎÄÊé.exe	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification	\??\c:\windows\SysWOW64\yytmp1\ÓÑÒæÎÄÊé.exe	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created	\??\c:\windows\SysWOW64\yytmp1\1943524157\yadviser.tmp	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created	\??\c:\windows\SysWOW64\opfilejlA	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created	\??\c:\windows\SysWOW64\yytmp1\ywsinid.files\25.bmp	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File created	\??\c:\windows\SysWOW64\yytmp1\1943524157\sx1943524157.tmp	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification	\??\c:\windows\SysWOW64\opfileOneA	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification	\??\c:\windows\SysWOW64\yytmp1\1943524157\1943524157.tmp	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
File opened for modification	\??\c:\windows\SysWOW64\yytmp1\1943524157\fj1943524157.tmp	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\EditFlags = "65536"	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\EditFlags = "65536"	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.8\EditFlags = "65536"	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe

pid	process
1876	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
1876	353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe

C:\Users\Admin\AppData\Local\Temp\353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe
"C:\Users\Admin\AppData\Local\Temp\353f2348aa803833576219b957702d9eb19c64ee55f3d460bf5ceb56f407c7c5.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20295\3449\15041\1943524157\·¿µØ²ú¿ª·¢ÆóÒµ»á¼Æ¸¨µ¼.htm
Filesize
24KB

MD5
bca2bf77034421050a3c23efeb179fdd

SHA1
5fcdc3c4a4648d752229ed6a248c29c49dc05cc8

SHA256
877dd943e658ed5530e0f102790e844161e26fd59e1a9d2e18c2fefb50731b62

SHA512
d6a64b388bdfc2cd34a2efcdfa8562bddbd9f1d449f5753066e126d50a7c8d17959fa28c93c423c74a9eb02b2c8148eb54891e93d41b0053c0188fff9cb11229

Download Submit
memory/1876-133-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/1876-176-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/1876-179-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/1876-180-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/1876-192-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads