78eafd097228f4ca24f16292f535d37d29155c4c79702dd837b4c1638743491e

General

Target

584249EC870B36FCE92D4906C8003667.exe
Size

3.8MB
MD5

584249ec870b36fce92d4906c8003667
SHA1

b37f1845a490378ec338745dfc4e1de24124b398
SHA256

78eafd097228f4ca24f16292f535d37d29155c4c79702dd837b4c1638743491e
SHA512

658593d8d1f607e306bb40cf637ccfc900a3ed80474b68ae05199b95884f44add3115663d6a22789e62166de05c0788e9a12d35948d5991e7dc90dabda5b5adc

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tVSTN5Wrq6Y6MqrT.exe

pid process

860 tVSTN5Wrq6Y6MqrT.exe

pid	process
860	tVSTN5Wrq6Y6MqrT.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Defender.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Process.exe	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

584249EC870B36FCE92D4906C8003667.exe

pid process

864 584249EC870B36FCE92D4906C8003667.exe
864 584249EC870B36FCE92D4906C8003667.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

584249EC870B36FCE92D4906C8003667.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SafetyFiles = "C:\\Users\\Admin\\AppData\\Local\\SafetyFiles\\SafetyFiles.exe"	584249EC870B36FCE92D4906C8003667.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

584249EC870B36FCE92D4906C8003667.exe

pid	process
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: RenamesItself 29 IoCs

Processes:

584249EC870B36FCE92D4906C8003667.exe

pid	process
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe
864	584249EC870B36FCE92D4906C8003667.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

584249EC870B36FCE92D4906C8003667.exe

description pid process

Token: SeDebugPrivilege 864 584249EC870B36FCE92D4906C8003667.exe
Token: SeShutdownPrivilege 864 584249EC870B36FCE92D4906C8003667.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

584249EC870B36FCE92D4906C8003667.exe

pid process

864 584249EC870B36FCE92D4906C8003667.exe
864 584249EC870B36FCE92D4906C8003667.exe

description	pid	process
Token: SeDebugPrivilege	864	584249EC870B36FCE92D4906C8003667.exe
Token: SeShutdownPrivilege	864	584249EC870B36FCE92D4906C8003667.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

584249EC870B36FCE92D4906C8003667.exetVSTN5Wrq6Y6MqrT.exe

description	pid	process	target process
PID 864 wrote to memory of 860	864	584249EC870B36FCE92D4906C8003667.exe	tVSTN5Wrq6Y6MqrT.exe
PID 864 wrote to memory of 860	864	584249EC870B36FCE92D4906C8003667.exe	tVSTN5Wrq6Y6MqrT.exe
PID 864 wrote to memory of 860	864	584249EC870B36FCE92D4906C8003667.exe	tVSTN5Wrq6Y6MqrT.exe
PID 864 wrote to memory of 860	864	584249EC870B36FCE92D4906C8003667.exe	tVSTN5Wrq6Y6MqrT.exe
PID 860 wrote to memory of 908	860	tVSTN5Wrq6Y6MqrT.exe	cmd.exe
PID 860 wrote to memory of 908	860	tVSTN5Wrq6Y6MqrT.exe	cmd.exe
PID 860 wrote to memory of 908	860	tVSTN5Wrq6Y6MqrT.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\584249EC870B36FCE92D4906C8003667.exe
"C:\Users\Admin\AppData\Local\Temp\584249EC870B36FCE92D4906C8003667.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Temp\tVSTN5Wrq6Y6MqrT.exe
"C:\Users\Admin\AppData\Local\Temp\tVSTN5Wrq6Y6MqrT.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\C8AD.tmp\C8AE.bat C:\Users\Admin\AppData\Local\Temp\tVSTN5Wrq6Y6MqrT.exe"
3⤵
- Drops startup file
PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C8AC.tmp\C8AD.tmp\C8AE.bat

MD5
6de010219f0282cc3f70d2aabb8b329b

SHA1
b7951ac792e8a5939ef3e3c4a26553697326452a

SHA256
54d33f85d3512acfdc1898c1b69e0705cfd0c5a35c22e8e3b24f18268ff6ed5b

SHA512
488c49398501e692a4d8f49c125261983265309e840ff72f0db8e4cf082cda6d0ee582d9ab1e3cf99b5191618da25916ba8ec9b003bd76d4bf4512be2e4c5d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tVSTN5Wrq6Y6MqrT.exe

MD5
08d03e8117588f45b8b7ba30a952d2bd

SHA1
5af1a851a766af2c5dee42487f24de4371d7d523

SHA256
ef5c16e708616b04ce254052aa5becb254a635e19f4b7046576285cf879641f8

SHA512
cabd6d9b35729d12113f6af464e1af8e2af087a8deb79a003a6f6f1952234b8655fc2eb8682d9e3459b66a0fb1150d178fc08e00dceaa8391f58577659dedb2e

Download Submit
C:\Users\Admin\AppData\Roaming\Defender.exe

MD5
c554a78ae0d81816ff9ff841cb006c41

SHA1
da011f7146923b4920c32ceaf97df4b5f87eaf4c

SHA256
72984d19a4b2136de4cd774da7dfc9dc2fa35d48d0ff0ffce30a9875616d0796

SHA512
6a1a25dff6f91b509e0f9b87623a7972c900d05652c3e2a8152a50da1b08e533912b3aadc3a92e48accc3b74576bb657663c29c5e231e10bb1c50de8c8b14de6

Download Submit
C:\Users\Admin\AppData\Roaming\Process.exe

MD5
bfce7290a7afd7b96b5a1e2c474a524d

SHA1
ab57f475f45230631b57b68ff7c5933fefa69ceb

SHA256
881bc742a25c188a8cf652e776e7a7ad17753afd4902caecc7d731664a0da155

SHA512
ac22c5112c143d74af4ee3dea9e5e240a236df972593fe327bfcfa0b7ceebf64f3f6a138ffc10ace188dc0deb38f6564bb96415207df6028d13d2511c1fd24fb

Download Submit
\Users\Admin\AppData\Local\Temp\tVSTN5Wrq6Y6MqrT.exe

MD5
08d03e8117588f45b8b7ba30a952d2bd

SHA1
5af1a851a766af2c5dee42487f24de4371d7d523

SHA256
ef5c16e708616b04ce254052aa5becb254a635e19f4b7046576285cf879641f8

SHA512
cabd6d9b35729d12113f6af464e1af8e2af087a8deb79a003a6f6f1952234b8655fc2eb8682d9e3459b66a0fb1150d178fc08e00dceaa8391f58577659dedb2e

Download Submit
\Users\Admin\AppData\Local\Temp\tVSTN5Wrq6Y6MqrT.exe

MD5
08d03e8117588f45b8b7ba30a952d2bd

SHA1
5af1a851a766af2c5dee42487f24de4371d7d523

SHA256
ef5c16e708616b04ce254052aa5becb254a635e19f4b7046576285cf879641f8

SHA512
cabd6d9b35729d12113f6af464e1af8e2af087a8deb79a003a6f6f1952234b8655fc2eb8682d9e3459b66a0fb1150d178fc08e00dceaa8391f58577659dedb2e

Download Submit
memory/860-63-0x0000000000000000-mapping.dmp

Download
memory/860-65-0x000007FEFBEA1000-0x000007FEFBEA3000-memory.dmp

Filesize
8KB

Download
memory/864-60-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/908-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads