2dcabb7757046fa4178695fdfa481b1bb309f0264ee5bc4be4326476e33ec082

General

Target

Mist.Buld_1.exe
Size

388KB
MD5

5c5bfde7bc82aa30b6377b63422b52ca
SHA1

61bcc321594759d282c7aaf84cb7a4a4d116c778
SHA256

2dcabb7757046fa4178695fdfa481b1bb309f0264ee5bc4be4326476e33ec082
SHA512

9b44285cae5ad5445002068b6e07cf4a301796ad81ffb487c3185afee142f3e6fef884ee9331b09bc952026e214b7221074633ff26006a88785124c9f7e7788d

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

systems32.exe

pid process

1660 systems32.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
9 api.ipify.org
10 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

548 schtasks.exe
1356 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Mist.Buld_1.exesystems32.exe

description pid process

Token: SeDebugPrivilege 1764 Mist.Buld_1.exe
Token: SeDebugPrivilege 1660 systems32.exe

pid	process
1660	systems32.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org
9	api.ipify.org
10	api.ipify.org

pid	process
548	schtasks.exe
1356	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1764	Mist.Buld_1.exe
Token: SeDebugPrivilege	1660	systems32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Mist.Buld_1.exetaskeng.exesystems32.exe

description	pid	process	target process
PID 1764 wrote to memory of 548	1764	Mist.Buld_1.exe	schtasks.exe
PID 1764 wrote to memory of 548	1764	Mist.Buld_1.exe	schtasks.exe
PID 1764 wrote to memory of 548	1764	Mist.Buld_1.exe	schtasks.exe
PID 1752 wrote to memory of 1660	1752	taskeng.exe	systems32.exe
PID 1752 wrote to memory of 1660	1752	taskeng.exe	systems32.exe
PID 1752 wrote to memory of 1660	1752	taskeng.exe	systems32.exe
PID 1660 wrote to memory of 1356	1660	systems32.exe	schtasks.exe
PID 1660 wrote to memory of 1356	1660	systems32.exe	schtasks.exe
PID 1660 wrote to memory of 1356	1660	systems32.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Mist.Buld_1.exe
"C:\Users\Admin\AppData\Local\Temp\Mist.Buld_1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe" /f
2⤵
- Creates scheduled task(s)
PID:548

C:\Windows\system32\taskeng.exe
taskeng.exe {E85EBA51-2B0B-4745-AE9D-E3AFD0FBFF9C} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe
C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe" /f
3⤵
- Creates scheduled task(s)
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
cf3114090cfea0cba4903c82d8dc10d6

SHA1
4e9b14382fc03db860376cd60230e5880d905ff1

SHA256
4663086e4b9ebb2cef9057066d2e5d31ed8007febd58b5513f3f5098e67ce61c

SHA512
7731e1b22b179106afc0bbcc557f2bf9dae4d2ce13fcdf708b35f7c2d2a1e00293b5cf0ec1f7d594943b848a4bc9cc6df16da5610f11160d58f60acb60bfc8d9

Download Submit
C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe
MD5
5c5bfde7bc82aa30b6377b63422b52ca

SHA1
61bcc321594759d282c7aaf84cb7a4a4d116c778

SHA256
2dcabb7757046fa4178695fdfa481b1bb309f0264ee5bc4be4326476e33ec082

SHA512
9b44285cae5ad5445002068b6e07cf4a301796ad81ffb487c3185afee142f3e6fef884ee9331b09bc952026e214b7221074633ff26006a88785124c9f7e7788d

Download Submit
C:\Users\Admin\AppData\Roaming\systems32_bit\systems32.exe
MD5
5c5bfde7bc82aa30b6377b63422b52ca

SHA1
61bcc321594759d282c7aaf84cb7a4a4d116c778

SHA256
2dcabb7757046fa4178695fdfa481b1bb309f0264ee5bc4be4326476e33ec082

SHA512
9b44285cae5ad5445002068b6e07cf4a301796ad81ffb487c3185afee142f3e6fef884ee9331b09bc952026e214b7221074633ff26006a88785124c9f7e7788d

Download Submit
memory/548-4-0x0000000000000000-mapping.dmp

Download
memory/1356-13-0x0000000000000000-mapping.dmp

Download
memory/1660-5-0x0000000000000000-mapping.dmp

Download
memory/1660-8-0x000007FEF6280000-0x000007FEF6C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1660-9-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/1764-0-0x000007FEF6280000-0x000007FEF6C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1764-1-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/1764-3-0x000000001AD10000-0x000000001ADA5000-memory.dmp

Filesize
596KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads