6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9

General

Target

6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe
Size

5.0MB
MD5

25c689e345e4f8112008edeeb50e5b54
SHA1

bd714c54c874280963f49d9c9b0965afb676368b
SHA256

6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9
SHA512

acd526c5ba60d43672963dceac8ab151d1e74f3f46180b2f5fbb7be377b7a1aba0ce8116e3f4b93f7beab33d265bdf210335b407d4fd5f1c09c6141a4be621fc

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Server.sfx.exeServer.exeInject32.exe

pid process

3136 Server.sfx.exe
1656 Server.exe
3968 Inject32.exe

pid	process
3136	Server.sfx.exe
1656	Server.exe
3968	Inject32.exe

Drops startup file 2 IoCs

Processes:

Inject32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Inject32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Inject32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe

pid process

492 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe

pid	process
492	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe
492	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Server.exeInject32.exe

pid process

1656 Server.exe
3968 Inject32.exe

pid	process
1656	Server.exe
3968	Inject32.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Inject32.exe

description	pid	process
Token: SeDebugPrivilege	3968	Inject32.exe
Token: 33	3968	Inject32.exe
Token: SeIncBasePriorityPrivilege	3968	Inject32.exe
Token: 33	3968	Inject32.exe
Token: SeIncBasePriorityPrivilege	3968	Inject32.exe
Token: 33	3968	Inject32.exe
Token: SeIncBasePriorityPrivilege	3968	Inject32.exe
Token: 33	3968	Inject32.exe
Token: SeIncBasePriorityPrivilege	3968	Inject32.exe
Token: 33	3968	Inject32.exe
Token: SeIncBasePriorityPrivilege	3968	Inject32.exe
Token: 33	3968	Inject32.exe
Token: SeIncBasePriorityPrivilege	3968	Inject32.exe
Token: 33	3968	Inject32.exe
Token: SeIncBasePriorityPrivilege	3968	Inject32.exe
Token: 33	3968	Inject32.exe
Token: SeIncBasePriorityPrivilege	3968	Inject32.exe
Token: 33	3968	Inject32.exe
Token: SeIncBasePriorityPrivilege	3968	Inject32.exe
Token: 33	3968	Inject32.exe
Token: SeIncBasePriorityPrivilege	3968	Inject32.exe
Token: 33	3968	Inject32.exe
Token: SeIncBasePriorityPrivilege	3968	Inject32.exe
Token: 33	3968	Inject32.exe
Token: SeIncBasePriorityPrivilege	3968	Inject32.exe
Token: 33	3968	Inject32.exe
Token: SeIncBasePriorityPrivilege	3968	Inject32.exe
Token: 33	3968	Inject32.exe
Token: SeIncBasePriorityPrivilege	3968	Inject32.exe
Token: 33	3968	Inject32.exe
Token: SeIncBasePriorityPrivilege	3968	Inject32.exe
Token: 33	3968	Inject32.exe
Token: SeIncBasePriorityPrivilege	3968	Inject32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exeServer.sfx.exeServer.exe

description	pid	process	target process
PID 492 wrote to memory of 3136	492	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe	Server.sfx.exe
PID 492 wrote to memory of 3136	492	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe	Server.sfx.exe
PID 492 wrote to memory of 3136	492	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe	Server.sfx.exe
PID 492 wrote to memory of 3772	492	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe	NOTEPAD.EXE
PID 492 wrote to memory of 3772	492	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe	NOTEPAD.EXE
PID 492 wrote to memory of 3772	492	6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe	NOTEPAD.EXE
PID 3136 wrote to memory of 1656	3136	Server.sfx.exe	Server.exe
PID 3136 wrote to memory of 1656	3136	Server.sfx.exe	Server.exe
PID 3136 wrote to memory of 1656	3136	Server.sfx.exe	Server.exe
PID 1656 wrote to memory of 3968	1656	Server.exe	Inject32.exe
PID 1656 wrote to memory of 3968	1656	Server.exe	Inject32.exe
PID 1656 wrote to memory of 3968	1656	Server.exe	Inject32.exe

C:\Users\Admin\AppData\Local\Temp\6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe
"C:\Users\Admin\AppData\Local\Temp\6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:492

C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\Inject32.exe
"C:\Users\Admin\AppData\Local\Temp\Inject32.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\.txt
2⤵
PID:3772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inject32.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inject32.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
92fdab908d9711e7a36872207f0a6a67

SHA1
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e

SHA256
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c

SHA512
4e3697aabb41c107118d0dc1d29a0b0a169f803d160fbb187f0ea3318eac58fe5623e3a4356fc238dc03483087498c2972e872c0a85bd5545f030ea2edb0b120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe
MD5
ef2f61fbe6f5595ca042d395ec9a25fd

SHA1
99958a935817acaac882de0ef440533b6641cb77

SHA256
622903bac5905919baea79ae8143c166c297658b2696a0129aedee6a93e6d6a9

SHA512
b34f3f43bb9568e2cc2f54ba2e1bd54e295266c6679b236f1dff7a2beb7f76dff190d4d000e0062e186ad198932b2d13a01762833aaf23c7c01f2e2106587d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.sfx.exe
MD5
ef2f61fbe6f5595ca042d395ec9a25fd

SHA1
99958a935817acaac882de0ef440533b6641cb77

SHA256
622903bac5905919baea79ae8143c166c297658b2696a0129aedee6a93e6d6a9

SHA512
b34f3f43bb9568e2cc2f54ba2e1bd54e295266c6679b236f1dff7a2beb7f76dff190d4d000e0062e186ad198932b2d13a01762833aaf23c7c01f2e2106587d9e

Download Submit
memory/492-7-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/492-2-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/1656-9-0x0000000000000000-mapping.dmp

Download
memory/1656-12-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/3136-3-0x0000000000000000-mapping.dmp

Download
memory/3772-5-0x0000000000000000-mapping.dmp

Download
memory/3968-13-0x0000000000000000-mapping.dmp

Download
memory/3968-16-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads