myfile.exe

General
  Target:     myfile.exe
  Filesize:   4MB
  Completed:  28-08-2020 12:50
  Score:      8/10
  MD5:        0a438448cebd370318b5294775e2405c
  SHA1:       60abd37bf94ee406653af60e5b72f1f69f646308
  SHA256:     1e40bce6e476e4c0485b3f813cff5d493b1e07f52a89b56a31765529b809ea33
Signatures (10)

  • Executes dropped EXE
    HexInformation.exe, HexDecryptor.exe, HexLocker.exe, WindowsSystemTools.exe

    Reported IOCs

    PID   Process
    1812  HexInformation.exe
    1800  HexDecryptor.exe
    732   HexLocker.exe
    844   WindowsSystemTools.exe
  • Loads dropped DLL
    cmd.exe

    Reported IOCs

    PID   Process
    1040  cmd.exe
  • Enumerates connected drives

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Sets desktop wallpaper using registry
    HexLocker.exe, WindowsSystemTools.exe

    TTPs

    Defacement, Modify Registry

    Reported IOCs

    Description:  Set value (str)
    IOC:          \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"
    Process:      HexLocker.exe

    Description:  Set value (str)
    IOC:          \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\Wallpaper\\Windows\\img0.jpg"
    Process:      WindowsSystemTools.exe
  • Modifies Control Panel
    WindowsSystemTools.exe, HexLocker.exe

    Reported IOCs

    Description:  Key created
    IOC:          \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop
    Process:      WindowsSystemTools.exe

    Description:  Key created
    IOC:          \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop
    Process:      HexLocker.exe
  • Suspicious behavior: AddClipboardFormatListener
    POWERPNT.EXE

    Reported IOCs

    PID   Process
    1492  POWERPNT.EXE
  • Suspicious behavior: CmdExeWriteProcessMemorySpam
    HexInformation.exe, HexDecryptor.exe, HexLocker.exe

    Reported IOCs

    PID   Process
    1812  HexInformation.exe
    1800  HexDecryptor.exe
    732   HexLocker.exe
  • Suspicious use of FindShellTrayWindow
    HexInformation.exe

    Reported IOCs

    PID   Process
    1812  HexInformation.exe
  • Suspicious use of SetWindowsHookEx
    POWERPNT.EXE

    Reported IOCs

    PID   Process
    1492  POWERPNT.EXE
  • Suspicious use of WriteProcessMemory
    myfile.exe, cmd.exe, HexDecryptor.exe, cmd.exe

    Reported IOCs (identical rows collapsed; "Reported" is the number of times the sandbox logged that write)

    Source PID  Process           Target PID  Target process          Reported
    1332        myfile.exe        1056        cmd.exe                 4
    1056        cmd.exe           1704        tree.com                3
    1056        cmd.exe           1356        tree.com                3
    1056        cmd.exe           1784        tree.com                3
    1056        cmd.exe           1756        tree.com                3
    1056        cmd.exe           1820        tree.com                3
    1056        cmd.exe           1812        HexInformation.exe      4
    1056        cmd.exe           1800        HexDecryptor.exe        4
    1056        cmd.exe           732         HexLocker.exe           4
    1800        HexDecryptor.exe  1040        cmd.exe                 4
    1040        cmd.exe           844         WindowsSystemTools.exe  4
Processes (13)
  • C:\Users\Admin\AppData\Local\Temp\myfile.exe
    "C:\Users\Admin\AppData\Local\Temp\myfile.exe"
    Suspicious use of WriteProcessMemory
    PID:1332
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ABE9.tmp\ABEA.tmp\ABEB.bat C:\Users\Admin\AppData\Local\Temp\myfile.exe"
      Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Windows\system32\tree.com
        tree
        PID:1704
      • C:\Windows\system32\tree.com
        tree
        PID:1356
      • C:\Windows\system32\tree.com
        tree
        PID:1784
      • C:\Windows\system32\tree.com
        tree
        PID:1756
      • C:\Windows\system32\tree.com
        tree
        PID:1820
      • C:\Users\Admin\Desktop\HexInformation.exe
        HexInformation.exe
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of FindShellTrayWindow
        PID:1812
      • C:\Users\Admin\Desktop\HexDecryptor.exe
        HexDecryptor.exe
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B24F.tmp\B250.tmp\B260.bat C:\Users\Admin\Desktop\HexDecryptor.exe"
          Loads dropped DLL
          Suspicious use of WriteProcessMemory
          PID:1040
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WindowsSystemTools.exe
            WindowsSystemTools.exe
            Executes dropped EXE
            Sets desktop wallpaper using registry
            Modifies Control Panel
            PID:844
      • C:\Users\Admin\Desktop\HexLocker.exe
        HexLocker.exe
        Executes dropped EXE
        Sets desktop wallpaper using registry
        Modifies Control Panel
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:732
  • C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\Fixed.UnlockPublish.ppsx"
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    PID:1492
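The thing to match on in this report is the shape of the process tree, not the individual WriteProcessMemory calls: a parent writes into its child's address space as part of normal process creation, so the "wrote to memory of" rows above simply mirror the parent/child links in the tree. What stands out is the chain itself. Each wrapper stage is cmd.exe /c running a .bat that was unpacked into nested %TEMP%\<four hex digits>.tmp directories with the launching .exe passed to the script as its argument (the layout a batch-to-exe wrapper leaves behind), the payloads those stages start live under Desktop and AppData\Roaming, and the two wallpaper writes are a replacement (wl.jpg in %TEMP%, by HexLocker.exe) followed by a write back to the stock Windows image (img0.jpg under C:\Windows\Web\Wallpaper, by WindowsSystemTools.exe). The script below is an added example, not part of the sandbox report or of the tooling that produced it: it rebuilds that chain from the reported process and registry IOCs (covering both the "Suspicious use of WriteProcessMemory" rows and the "Sets desktop wallpaper using registry" IOCs) and flags each stage. The records are constructed from the values shown above; the record layout, the rule names, the regular expressions and the "user-writable path" heuristic are assumptions of the example.

```python
"""Rebuild the process chain and flag the dropper stages from sandbox IOCs.

Added example; not part of the sandbox report or its tooling. Records are
constructed from the report's values; the layout, rule names and path
heuristics are this example's own assumptions.
"""
import re

# Constructed from the "Processes" section: (pid, parent pid, image path, command line).
# A parent of None marks a root of the tree as the report renders it.
PROCESSES = [
    (1332, None, r"C:\Users\Admin\AppData\Local\Temp\myfile.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\myfile.exe"'),
    (1056, 1332, r"C:\Windows\system32\cmd.exe",
     r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ABE9.tmp\ABEA.tmp\ABEB.bat C:\Users\Admin\AppData\Local\Temp\myfile.exe"'),
    (1704, 1056, r"C:\Windows\system32\tree.com", "tree"),
    (1812, 1056, r"C:\Users\Admin\Desktop\HexInformation.exe", "HexInformation.exe"),
    (1800, 1056, r"C:\Users\Admin\Desktop\HexDecryptor.exe", "HexDecryptor.exe"),
    (1040, 1800, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B24F.tmp\B250.tmp\B260.bat C:\Users\Admin\Desktop\HexDecryptor.exe"'),
    (844, 1040, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WindowsSystemTools.exe",
     "WindowsSystemTools.exe"),
    (732, 1056, r"C:\Users\Admin\Desktop\HexLocker.exe", "HexLocker.exe"),
    (1492, None, r"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE",
     r'"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\Fixed.UnlockPublish.ppsx"'),
]

# Constructed from the "Sets desktop wallpaper using registry" IOCs: (pid, value path, data).
SID = "S-1-5-21-2090973689-680783404-4292415065-1000"
WALLPAPER_PATH = "\\REGISTRY\\USER\\" + SID + "\\Control Panel\\Desktop\\Wallpaper"
REGISTRY_WRITES = [
    (732, WALLPAPER_PATH, r"C:\Users\Admin\AppData\Local\Temp\wl.jpg"),
    (844, WALLPAPER_PATH, r"C:\Windows\Web\Wallpaper\Windows\img0.jpg"),
]

# Heuristics (assumptions of this example). BAT_WRAPPER: cmd.exe /c on a .bat inside nested
# %TEMP%\<4 hex>.tmp directories, with the launching executable handed to the script as its
# argument. USER_WRITABLE: images under C:\Users. STOCK_WALLPAPER: Windows' shipped images.
BAT_WRAPPER = re.compile(
    r'/c\s+"?[A-Za-z]:\\[^"]*\\Temp\\[0-9A-Fa-f]{4}\.tmp\\[^"]*\.bat\s+[A-Za-z]:\\[^"]*\.exe',
    re.IGNORECASE,
)
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)
WALLPAPER_VALUE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.IGNORECASE)
STOCK_WALLPAPER = re.compile(r"^[A-Za-z]:\\Windows\\Web\\Wallpaper\\", re.IGNORECASE)


def index_by_pid(processes):
    """Map pid -> (parent pid, image path, command line)."""
    return {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in processes}


def ancestry(by_pid, pid):
    """Pids from the tree root down to pid, following parent links."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = by_pid[pid][0]
    return chain[::-1]


def triage(processes, registry_writes):
    """Return {pid: set of matched rule names}; pids that matched nothing are absent."""
    by_pid = index_by_pid(processes)
    hits = {}

    def flag(pid, rule):
        hits.setdefault(pid, set()).add(rule)

    # 1. wrapper cmd.exe instances, recognised from the command line alone
    for pid, (_, image, cmdline) in by_pid.items():
        if image.lower().endswith("\\cmd.exe") and BAT_WRAPPER.search(cmdline):
            flag(pid, "bat_wrapper")

    # 2. anything a wrapper starts out of a user-writable path is a dropped payload;
    #    tree.com from system32 has the same parent but stays unflagged
    for pid, (ppid, image, _) in by_pid.items():
        if "bat_wrapper" in hits.get(ppid, ()) and USER_WRITABLE.match(image):
            flag(pid, "dropped_exe")

    # 3. wallpaper writes: pointing the value outside the stock wallpaper folder is the
    #    defacement; writing a stock image back reads as a restore
    for pid, value, data in registry_writes:
        if WALLPAPER_VALUE.search(value):
            flag(pid, "wallpaper_restore" if STOCK_WALLPAPER.match(data) else "wallpaper_replace")

    return hits


def describe(processes, pid):
    """Image basenames from the tree root down to pid, joined with ' -> '."""
    by_pid = index_by_pid(processes)
    return " -> ".join(by_pid[p][1].rsplit("\\", 1)[-1] for p in ancestry(by_pid, pid))


if __name__ == "__main__":
    for pid, rules in sorted(triage(PROCESSES, REGISTRY_WRITES).items()):
        print(f"{pid:>5}  {', '.join(sorted(rules)):<32} {describe(PROCESSES, pid)}")
```

Run as-is it prints the six flagged pids with their ancestry; the two tree.com/Office processes and the root myfile.exe match nothing. One detail in the same tree worth keeping in any production rule: the first cmd.exe is started through C:\Windows\sysnative\cmd.exe, the alias a 32-bit process uses to reach the 64-bit system32, while the second is C:\Windows\SysWOW64\cmd.exe, reached through the redirected "system32" path, so a rule that keys on the image path system32\cmd.exe alone sees only one of the two wrapper stages.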
Network
  None reported.

MITRE ATT&CK Matrix (techniques as tagged on the signatures above)
  Defense Evasion:  Modify Registry
  Discovery:        Query Registry, Peripheral Device Discovery, System Information Discovery
  Impact:           Defacement