f90072375238d4883d4116dc9900751ac431ad8322e0fd58323a82ec5d69cbe4

General

Target

12a4c7c6742cbd46487d9960b79a7e65.exe
Size

908KB
MD5

12a4c7c6742cbd46487d9960b79a7e65
SHA1

8175c5eb646937158646dbe603a7e8bfbc50110f
SHA256

f90072375238d4883d4116dc9900751ac431ad8322e0fd58323a82ec5d69cbe4
SHA512

c6b364c467f9d5e470debb6c40e2426dd410ca7da3fdd68ab3da0f1e0c2e080876ee6006a90371965be27897b7ecd304da42b69e13fa9cc4a9035fb35ceac3f9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Decoder.exesystems32.exe

pid process

1992 Decoder.exe
246860 systems32.exe

pid	process
1992	Decoder.exe
246860	systems32.exe

Drops startup file 2 IoCs

Processes:

Decoder.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

320 schtasks.exe
247124 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1728 timeout.exe
672 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Decoder.exesystems32.exe

pid process

1992 Decoder.exe
246860 systems32.exe

flow	ioc
5	api.ipify.org
6	api.ipify.org

pid	process
320	schtasks.exe
247124	schtasks.exe

pid	process
1728	timeout.exe
672	timeout.exe

pid	process
1992	Decoder.exe
246860	systems32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

12a4c7c6742cbd46487d9960b79a7e65.exeDecoder.exesystems32.exe

description	pid	process
Token: SeDebugPrivilege	1160	12a4c7c6742cbd46487d9960b79a7e65.exe
Token: SeDebugPrivilege	1992	Decoder.exe
Token: SeDebugPrivilege	246860	systems32.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

12a4c7c6742cbd46487d9960b79a7e65.execmd.execmd.exeDecoder.exetaskeng.exesystems32.exe

description	pid	process	target process
PID 1160 wrote to memory of 1992	1160	12a4c7c6742cbd46487d9960b79a7e65.exe	Decoder.exe
PID 1160 wrote to memory of 1992	1160	12a4c7c6742cbd46487d9960b79a7e65.exe	Decoder.exe
PID 1160 wrote to memory of 1992	1160	12a4c7c6742cbd46487d9960b79a7e65.exe	Decoder.exe
PID 1160 wrote to memory of 1980	1160	12a4c7c6742cbd46487d9960b79a7e65.exe	cmd.exe
PID 1160 wrote to memory of 1980	1160	12a4c7c6742cbd46487d9960b79a7e65.exe	cmd.exe
PID 1160 wrote to memory of 1980	1160	12a4c7c6742cbd46487d9960b79a7e65.exe	cmd.exe
PID 1160 wrote to memory of 1968	1160	12a4c7c6742cbd46487d9960b79a7e65.exe	cmd.exe
PID 1160 wrote to memory of 1968	1160	12a4c7c6742cbd46487d9960b79a7e65.exe	cmd.exe
PID 1160 wrote to memory of 1968	1160	12a4c7c6742cbd46487d9960b79a7e65.exe	cmd.exe
PID 1980 wrote to memory of 1728	1980	cmd.exe	timeout.exe
PID 1980 wrote to memory of 1728	1980	cmd.exe	timeout.exe
PID 1980 wrote to memory of 1728	1980	cmd.exe	timeout.exe
PID 1968 wrote to memory of 672	1968	cmd.exe	timeout.exe
PID 1968 wrote to memory of 672	1968	cmd.exe	timeout.exe
PID 1968 wrote to memory of 672	1968	cmd.exe	timeout.exe
PID 1992 wrote to memory of 320	1992	Decoder.exe	schtasks.exe
PID 1992 wrote to memory of 320	1992	Decoder.exe	schtasks.exe
PID 1992 wrote to memory of 320	1992	Decoder.exe	schtasks.exe
PID 246344 wrote to memory of 246860	246344	taskeng.exe	systems32.exe
PID 246344 wrote to memory of 246860	246344	taskeng.exe	systems32.exe
PID 246344 wrote to memory of 246860	246344	taskeng.exe	systems32.exe
PID 246860 wrote to memory of 247124	246860	systems32.exe	schtasks.exe
PID 246860 wrote to memory of 247124	246860	systems32.exe	schtasks.exe
PID 246860 wrote to memory of 247124	246860	systems32.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\12a4c7c6742cbd46487d9960b79a7e65.exe
"C:\Users\Admin\AppData\Local\Temp\12a4c7c6742cbd46487d9960b79a7e65.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\ProgramData\Decoder.exe
"C:\ProgramData\Decoder.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
3⤵
- Creates scheduled task(s)
PID:320

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1728

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp13BC.tmp.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:672

C:\Windows\system32\taskeng.exe
taskeng.exe {4CB5AAC4-534C-4006-A50A-60E750C43C51} S-1-5-21-4210623931-3856158591-1213714290-1000:VDIPBIOF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:246344

C:\systems32_bit\systems32.exe
\systems32_bit\systems32.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:246860

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
3⤵
- Creates scheduled task(s)
PID:247124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\ProgramData\Decoder.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd
MD5
217407484aac2673214337def8886072

SHA1
0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6

SHA256
467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797

SHA512
8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp13BC.tmp.cmd
MD5
d28c2247a491e29cf663b0cc2c203e15

SHA1
36c00d0e35fe45c1c18a763bd0e57fe3a559079f

SHA256
69e3147ba5f7c27d60d80fcbb57f22ab18e60416892aa515a0b85f86f0d742f6

SHA512
f325fd3bf3cf495302192e1e1f29355df551d36e7a487db8cf1727ab561c5f2718de5ade44e83785f3463a73f42a4cb27b2981bae3fa5a9807b6bbd312966bb0

Download Submit
C:\systems32_bit\systems32.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\systems32_bit\systems32.exe
MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
memory/320-16-0x0000000000000000-mapping.dmp

Download
memory/672-15-0x0000000000000000-mapping.dmp

Download
memory/1160-3-0x0000000000B40000-0x0000000000BB0000-memory.dmp

Filesize
448KB

Download
memory/1160-1-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/1160-0-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/1728-13-0x0000000000000000-mapping.dmp

Download
memory/1968-8-0x0000000000000000-mapping.dmp

Download
memory/1980-6-0x0000000000000000-mapping.dmp

Download
memory/1992-10-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1992-9-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/1992-4-0x0000000000000000-mapping.dmp

Download
memory/246860-17-0x0000000000000000-mapping.dmp

Download
memory/246860-20-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/246860-21-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/247124-23-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads