201001-nyhbt4p25j_pw_infected[.]rar

Executes dropped EXE 1 IoCs

Processes:

Keygen.exe

pid process

1372 Keygen.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1508 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1860 timeout.exe
1008 timeout.exe

pid	process
1372	Keygen.exe

pid	process
1508	cmd.exe

pid	process
1860	timeout.exe
1008	timeout.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Keygen — копия (96) — копия.execmd.exe

description	pid	process	target process
PID 1316 wrote to memory of 1508	1316	Keygen — копия (96) — копия.exe	cmd.exe
PID 1316 wrote to memory of 1508	1316	Keygen — копия (96) — копия.exe	cmd.exe
PID 1316 wrote to memory of 1508	1316	Keygen — копия (96) — копия.exe	cmd.exe
PID 1316 wrote to memory of 1508	1316	Keygen — копия (96) — копия.exe	cmd.exe
PID 1508 wrote to memory of 1372	1508	cmd.exe	Keygen.exe
PID 1508 wrote to memory of 1372	1508	cmd.exe	Keygen.exe
PID 1508 wrote to memory of 1372	1508	cmd.exe	Keygen.exe
PID 1508 wrote to memory of 1372	1508	cmd.exe	Keygen.exe
PID 1508 wrote to memory of 1848	1508	cmd.exe	mshta.exe
PID 1508 wrote to memory of 1848	1508	cmd.exe	mshta.exe
PID 1508 wrote to memory of 1848	1508	cmd.exe	mshta.exe
PID 1508 wrote to memory of 1848	1508	cmd.exe	mshta.exe
PID 1508 wrote to memory of 1732	1508	cmd.exe	mshta.exe
PID 1508 wrote to memory of 1732	1508	cmd.exe	mshta.exe
PID 1508 wrote to memory of 1732	1508	cmd.exe	mshta.exe
PID 1508 wrote to memory of 1732	1508	cmd.exe	mshta.exe
PID 1508 wrote to memory of 1860	1508	cmd.exe	timeout.exe
PID 1508 wrote to memory of 1860	1508	cmd.exe	timeout.exe
PID 1508 wrote to memory of 1860	1508	cmd.exe	timeout.exe
PID 1508 wrote to memory of 1860	1508	cmd.exe	timeout.exe
PID 1508 wrote to memory of 620	1508	cmd.exe	mshta.exe
PID 1508 wrote to memory of 620	1508	cmd.exe	mshta.exe
PID 1508 wrote to memory of 620	1508	cmd.exe	mshta.exe
PID 1508 wrote to memory of 620	1508	cmd.exe	mshta.exe
PID 1508 wrote to memory of 1220	1508	cmd.exe	mshta.exe
PID 1508 wrote to memory of 1220	1508	cmd.exe	mshta.exe
PID 1508 wrote to memory of 1220	1508	cmd.exe	mshta.exe
PID 1508 wrote to memory of 1220	1508	cmd.exe	mshta.exe
PID 1508 wrote to memory of 1008	1508	cmd.exe	timeout.exe
PID 1508 wrote to memory of 1008	1508	cmd.exe	timeout.exe
PID 1508 wrote to memory of 1008	1508	cmd.exe	timeout.exe
PID 1508 wrote to memory of 1008	1508	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\201001-nyhbt4p25j_pw_infected\Keygen — копия (96) — копия.exe
"C:\Users\Admin\AppData\Local\Temp\201001-nyhbt4p25j_pw_infected\Keygen — копия (96) — копия.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DF57.tmp\start.bat" "C:\Users\Admin\AppData\Local\Temp\201001-nyhbt4p25j_pw_infected\Keygen — ????? (96) — ?????.exe""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\Temp\DF57.tmp\Keygen.exe
Keygen.exe
3⤵
- Executes dropped EXE
PID:1372

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\DF57.tmp\m.hta"
3⤵
PID:1848

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\DF57.tmp\m1.hta"
3⤵
PID:1732

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1860

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\DF57.tmp\b.hta"
3⤵
PID:620

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\DF57.tmp\b1.hta"
3⤵
PID:1220

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:1008

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DF57.tmp\Keygen.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF57.tmp\Keygen.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF57.tmp\b.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF57.tmp\b1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF57.tmp\m.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF57.tmp\m1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF57.tmp\start.bat

Download Submit
\Users\Admin\AppData\Local\Temp\DF57.tmp\Keygen.exe

Download Submit
memory/620-13-0x0000000000000000-mapping.dmp

Download
memory/1008-16-0x0000000000000000-mapping.dmp

Download
memory/1220-15-0x0000000000000000-mapping.dmp

Download
memory/1372-4-0x0000000000000000-mapping.dmp

Download
memory/1372-5-0x0000000000000000-mapping.dmp

Download
memory/1508-0-0x0000000000000000-mapping.dmp

Download
memory/1732-10-0x0000000000000000-mapping.dmp

Download
memory/1848-8-0x0000000000000000-mapping.dmp

Download
memory/1860-11-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads