6dfa00754b15999efaf8c4c636ceac96839096eca669391d2577872a2b1bc369

General

Target

6dfa00754b15999efaf8c4c636ceac96839096eca669391d2577872a2b1bc369.exe
Size

641KB
MD5

70783bbbf9b8c0ca1eef9fc4ca3fde52
SHA1

09f3f7719f88934a6782cded2e56f698ca4571f9
SHA256

6dfa00754b15999efaf8c4c636ceac96839096eca669391d2577872a2b1bc369
SHA512

0df73319398bf4faaed476f306f38a48da62b69a6f726ec9ff0649795b04e2725c279baa6835dee543bba70c8566ce2c2db103e7f0b0c2e59d84b67440c52123

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

wincommon.execmd.exe

pid process

528 wincommon.exe
1412 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

544 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
528	wincommon.exe
1412	cmd.exe

pid	process
544	cmd.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1088	schtasks.exe
1976	schtasks.exe
1624	schtasks.exe
1572	schtasks.exe
1540	schtasks.exe
1728	schtasks.exe
284	schtasks.exe
652	schtasks.exe
1176	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	cmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

wincommon.execmd.exe

pid process

528 wincommon.exe
1412 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wincommon.execmd.exe

description pid process

Token: SeDebugPrivilege 528 wincommon.exe
Token: SeDebugPrivilege 1412 cmd.exe

pid	process
528	wincommon.exe
1412	cmd.exe

description	pid	process
Token: SeDebugPrivilege	528	wincommon.exe
Token: SeDebugPrivilege	1412	cmd.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

6dfa00754b15999efaf8c4c636ceac96839096eca669391d2577872a2b1bc369.exeWScript.execmd.exewincommon.exe

description	pid	process	target process
PID 1924 wrote to memory of 1580	1924	6dfa00754b15999efaf8c4c636ceac96839096eca669391d2577872a2b1bc369.exe	WScript.exe
PID 1924 wrote to memory of 1580	1924	6dfa00754b15999efaf8c4c636ceac96839096eca669391d2577872a2b1bc369.exe	WScript.exe
PID 1924 wrote to memory of 1580	1924	6dfa00754b15999efaf8c4c636ceac96839096eca669391d2577872a2b1bc369.exe	WScript.exe
PID 1924 wrote to memory of 1580	1924	6dfa00754b15999efaf8c4c636ceac96839096eca669391d2577872a2b1bc369.exe	WScript.exe
PID 1580 wrote to memory of 544	1580	WScript.exe	cmd.exe
PID 1580 wrote to memory of 544	1580	WScript.exe	cmd.exe
PID 1580 wrote to memory of 544	1580	WScript.exe	cmd.exe
PID 1580 wrote to memory of 544	1580	WScript.exe	cmd.exe
PID 544 wrote to memory of 528	544	cmd.exe	wincommon.exe
PID 544 wrote to memory of 528	544	cmd.exe	wincommon.exe
PID 544 wrote to memory of 528	544	cmd.exe	wincommon.exe
PID 544 wrote to memory of 528	544	cmd.exe	wincommon.exe
PID 528 wrote to memory of 1572	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1572	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1572	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1540	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1540	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1540	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1088	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1088	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1088	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1976	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1976	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1976	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1728	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1728	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1728	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1624	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1624	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1624	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 284	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 284	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 284	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 652	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 652	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 652	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1176	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1176	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1176	528	wincommon.exe	schtasks.exe
PID 528 wrote to memory of 1412	528	wincommon.exe	cmd.exe
PID 528 wrote to memory of 1412	528	wincommon.exe	cmd.exe
PID 528 wrote to memory of 1412	528	wincommon.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\6dfa00754b15999efaf8c4c636ceac96839096eca669391d2577872a2b1bc369.exe
"C:\Users\Admin\AppData\Local\Temp\6dfa00754b15999efaf8c4c636ceac96839096eca669391d2577872a2b1bc369.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\commonref\LkqMbGhS14hxp7ELBHHxxK4LbISg5h.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\commonref\vHX7vhBjlyrejsy8WfOHNgBf7PQh53.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:544

C:\commonref\wincommon.exe
"C:\commonref\wincommon.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Updater6\csrss.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\9f428062-1991-11eb-b2ba-ee401b9e63cb\cmd.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\Admin\csrss.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\PerfLogs\Admin\winlogon.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\9f428062-1991-11eb-b2ba-ee401b9e63cb\csrss.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Documents and Settings\dwm.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:284

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Documents and Settings\winlogon.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1176

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\cmd.exe
"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\cmd.exe"
5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\cmd.exe
MD5
ea51de51189262cb3cdfdffa721a5bc4

SHA1
3cc488d505d6eadda4033b1c0abc85c9804b0fca

SHA256
38a7efe54a4996aa3eaa18c5dd21f1293fd8634753423bf4a59127c70fa89365

SHA512
96edafc5334a4bc8f89155471230d2e74626430a153bca84cb82c6b87654aff467b64bbb299d0eaecfbb9d0e76c929e9f2abfdeef4ad50e950e862aaa0be569b

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\cmd.exe
MD5
ea51de51189262cb3cdfdffa721a5bc4

SHA1
3cc488d505d6eadda4033b1c0abc85c9804b0fca

SHA256
38a7efe54a4996aa3eaa18c5dd21f1293fd8634753423bf4a59127c70fa89365

SHA512
96edafc5334a4bc8f89155471230d2e74626430a153bca84cb82c6b87654aff467b64bbb299d0eaecfbb9d0e76c929e9f2abfdeef4ad50e950e862aaa0be569b

Download Submit
C:\commonref\LkqMbGhS14hxp7ELBHHxxK4LbISg5h.vbe
MD5
7efe5ddfbf439917d880360f87bfa1d4

SHA1
0ec425dc1f3b594e7ac8c57a8ffe37879a3ae69b

SHA256
ec4c2752dfc39487f9d390d33a7ae4a357fecef825cfbf3cad956a6b30590f6d

SHA512
029af305fa894da990b1d9d8280bc8dfcc66ea7db6d39304ab992fc4862d64d89117b417d63a94cb3b7980d61cad38caa999d6bd7bfc9464fd10261fbf359daf

Download Submit
C:\commonref\vHX7vhBjlyrejsy8WfOHNgBf7PQh53.bat
MD5
bcb78deb5c49043f240f149887fa94a6

SHA1
223068646b62e35653e6ef0c31b1b0c23412fdf8

SHA256
f2088e9a85c7fee83971a00f24eb0145d9b235d5baf5462aeca3d72d5ac59b75

SHA512
80f3c7db9afc841412ddaf845bbac0bceab0827603a5ac0c1498f4c1f3886fc636fbe52d64978e90aa69454f7ce36523deb3f27951340dc5be8cff2de84d657e

Download Submit
C:\commonref\wincommon.exe
MD5
ea51de51189262cb3cdfdffa721a5bc4

SHA1
3cc488d505d6eadda4033b1c0abc85c9804b0fca

SHA256
38a7efe54a4996aa3eaa18c5dd21f1293fd8634753423bf4a59127c70fa89365

SHA512
96edafc5334a4bc8f89155471230d2e74626430a153bca84cb82c6b87654aff467b64bbb299d0eaecfbb9d0e76c929e9f2abfdeef4ad50e950e862aaa0be569b

Download Submit
C:\commonref\wincommon.exe
MD5
ea51de51189262cb3cdfdffa721a5bc4

SHA1
3cc488d505d6eadda4033b1c0abc85c9804b0fca

SHA256
38a7efe54a4996aa3eaa18c5dd21f1293fd8634753423bf4a59127c70fa89365

SHA512
96edafc5334a4bc8f89155471230d2e74626430a153bca84cb82c6b87654aff467b64bbb299d0eaecfbb9d0e76c929e9f2abfdeef4ad50e950e862aaa0be569b

Download Submit
\commonref\wincommon.exe
MD5
ea51de51189262cb3cdfdffa721a5bc4

SHA1
3cc488d505d6eadda4033b1c0abc85c9804b0fca

SHA256
38a7efe54a4996aa3eaa18c5dd21f1293fd8634753423bf4a59127c70fa89365

SHA512
96edafc5334a4bc8f89155471230d2e74626430a153bca84cb82c6b87654aff467b64bbb299d0eaecfbb9d0e76c929e9f2abfdeef4ad50e950e862aaa0be569b

Download Submit
memory/284-23-0x0000000000000000-mapping.dmp

Download
memory/528-10-0x0000000000000000-mapping.dmp

Download
memory/528-13-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/528-14-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/528-16-0x000000001AD80000-0x000000001AD82000-memory.dmp

Filesize
8KB

Download
memory/544-7-0x0000000000000000-mapping.dmp

Download
memory/652-24-0x0000000000000000-mapping.dmp

Download
memory/1088-19-0x0000000000000000-mapping.dmp

Download
memory/1176-25-0x0000000000000000-mapping.dmp

Download
memory/1412-26-0x0000000000000000-mapping.dmp

Download
memory/1412-29-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/1412-30-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/1412-32-0x000000001B590000-0x000000001B592000-memory.dmp

Filesize
8KB

Download
memory/1540-18-0x0000000000000000-mapping.dmp

Download
memory/1572-17-0x0000000000000000-mapping.dmp

Download
memory/1580-8-0x0000000002870000-0x0000000002874000-memory.dmp

Filesize
16KB

Download
memory/1580-3-0x0000000000000000-mapping.dmp

Download
memory/1624-22-0x0000000000000000-mapping.dmp

Download
memory/1728-21-0x0000000000000000-mapping.dmp

Download
memory/1924-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1976-20-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads