9755b75a23a85e19954802f757b2f86e5dde5bd661e7dbed2141d89090da924e

General

Target

Ention FULL.exe
Size

6.2MB
MD5

3afdd7b7018fff0ff6c7d378ddc641d6
SHA1

2915697b0e41ec983e489166152cdddf8a13a5f7
SHA256

9755b75a23a85e19954802f757b2f86e5dde5bd661e7dbed2141d89090da924e
SHA512

04435208aa767888c296d007ba25711f5d21d2edc38a6c3271ad8b10d33516f67b04c60f579a5ad48ef34fa09e380b7cd2b0d9959591875b1aae14efb118fed4
SSDEEP

98304:x7LLFjNI2/wH2ra222JahmMcvjDovOiovQVginsS7RCcUy43pk3VnbpL:RZjGuwH2ra0JahCDo209k8spi5pL

Score

7^/10

ransomware

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Ention.exeLocker.exe

pid process

3660 Ention.exe
2136 Locker.exe

pid	process
3660	Ention.exe
2136	Locker.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Locker.exe

description	ioc	process
File opened (read-only)	\??\x:	Locker.exe
File opened (read-only)	\??\z:	Locker.exe
File opened (read-only)	\??\a:	Locker.exe
File opened (read-only)	\??\i:	Locker.exe
File opened (read-only)	\??\j:	Locker.exe
File opened (read-only)	\??\l:	Locker.exe
File opened (read-only)	\??\r:	Locker.exe
File opened (read-only)	\??\w:	Locker.exe
File opened (read-only)	\??\e:	Locker.exe
File opened (read-only)	\??\q:	Locker.exe
File opened (read-only)	\??\t:	Locker.exe
File opened (read-only)	\??\u:	Locker.exe
File opened (read-only)	\??\g:	Locker.exe
File opened (read-only)	\??\h:	Locker.exe
File opened (read-only)	\??\o:	Locker.exe
File opened (read-only)	\??\v:	Locker.exe
File opened (read-only)	\??\y:	Locker.exe
File opened (read-only)	\??\b:	Locker.exe
File opened (read-only)	\??\k:	Locker.exe
File opened (read-only)	\??\m:	Locker.exe
File opened (read-only)	\??\n:	Locker.exe
File opened (read-only)	\??\p:	Locker.exe
File opened (read-only)	\??\s:	Locker.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/4256-0-0x0000000000400000-0x0000000000A31000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Local\Temp\Locker.exe	autoit_exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Locker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"	Locker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Control Panel 1 IoCs
evasion

Processes:

Locker.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop Locker.exe
Modifies registry class 1 IoCs

Processes:

Ention.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings Ention.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop	Locker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	Ention.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Ention FULL.exeEntion.exe

description	pid	process	target process
PID 4256 wrote to memory of 3660	4256	Ention FULL.exe	Ention.exe
PID 4256 wrote to memory of 3660	4256	Ention FULL.exe	Ention.exe
PID 4256 wrote to memory of 3660	4256	Ention FULL.exe	Ention.exe
PID 4256 wrote to memory of 2136	4256	Ention FULL.exe	Locker.exe
PID 4256 wrote to memory of 2136	4256	Ention FULL.exe	Locker.exe
PID 4256 wrote to memory of 2136	4256	Ention FULL.exe	Locker.exe
PID 3660 wrote to memory of 3448	3660	Ention.exe	NOTEPAD.EXE
PID 3660 wrote to memory of 3448	3660	Ention.exe	NOTEPAD.EXE
PID 3660 wrote to memory of 3448	3660	Ention.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\Ention FULL.exe
"C:\Users\Admin\AppData\Local\Temp\Ention FULL.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4256

C:\Users\Admin\AppData\Local\Temp\Ention.exe
"C:\Users\Admin\AppData\Local\Temp\Ention.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Новый текстовый документ.txt
3⤵
PID:3448

C:\Users\Admin\AppData\Local\Temp\Locker.exe
"C:\Users\Admin\AppData\Local\Temp\Locker.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies Control Panel
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ention.exe

Filesize
3.3MB

MD5
f3190916167cb54a187814271f35b77b

SHA1
a8d0b0713347145bb961f2d42c049924be24e101

SHA256
0b4b213d68fb24ab6c2b9cc889b20f3662b79eb2dac519f00d2d97bdd10f6e46

SHA512
a5b728ec6f0619bd2061ec71b2460e2c99621443e1c39a8c88f043be949db26161a5b7a4baa52e5fa2bd6014b7bf971130df19722580dbc73c6483f0495e4921

Download Submit
C:\Users\Admin\AppData\Local\Temp\Locker.exe

Filesize
793KB

MD5
a83185ef7c03bfe0e0fbe10098876a34

SHA1
b166fed95e9bcc9f8b0ac4deafa9c45c21e91d0d

SHA256
7a923db27ae488a02e77242b1bbceb9a64898b9c2d085372a5ef5fca06b2a4be

SHA512
283e698b326d044480c49351531249ab9ed3a851c1d2c4a36c87fc5ecbaf2771af58f39cc0fc1551d08a4674ad766a3d4b96b6ee6ca1e6e967727f320f599f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\autF443.tmp

Filesize
138KB

MD5
7c30424c525cb64760083e066ca1f77d

SHA1
69c369028e3db4fe5c2fbc69cbd837d66496c480

SHA256
b75685e5fe51601632066ae2cb162738b340c9873f3b30cd4eb0b6f80cc27643

SHA512
59d726222ffc846ada2e7c6d040e0f0114e2cb92e72f81f23489aa6681b07a1c8cfceb7e81f9b7d7678d33b313302d9cf39c345d862e43f2768e145df14ef8df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Новый текстовый документ.txt

Filesize
331B

MD5
e7cf6700045181cb6889772d0d915586

SHA1
ec2478210baee9d7e7ac72d43b66ce642ffc4147

SHA256
3f93a8b1cdb1a748236e3d4230bd856abefa8d3660b691de89c5fc4e249a0fed

SHA512
79f764665cabbba8cf707b6af065c92c3a91ee8f393c6bfe121db64e8fc446aef39bbd8d47efea20c948d907454bde6b1deefba3ef3fb847ec3452bf136a3352

Download Submit
memory/3660-12-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/4256-0-0x0000000000400000-0x0000000000A31000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads