d9d27f03e2f8bc97451296da9a7ddeac39ede3240306fa198bf898434b58c53c

General

Target

39E980BB186A6091FC6C64F2EE571EB9.exe
Size

113KB
MD5

39e980bb186a6091fc6c64f2ee571eb9
SHA1

d4af568a8da9299f51f468f272a7650a1a0439d9
SHA256

d9d27f03e2f8bc97451296da9a7ddeac39ede3240306fa198bf898434b58c53c
SHA512

41e0d7f9ccd326af3f60d83f5ab213f2201a41f86b5878a5b02e57684c0e118430e606cf132ac44e5493ffffea7b9a95b84130e52cfd6fa0cf5c7aec0995d563

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

build.exeTcpMonitor.exe

pid process

840 build.exe
436 TcpMonitor.exe

pid	process
840	build.exe
436	TcpMonitor.exe

Drops startup file 2 IoCs

Processes:

build.exeTcpMonitor.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	build.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	TcpMonitor.exe

Loads dropped DLL 1 IoCs

Processes:

build.exe

pid process

840 build.exe

pid	process
840	build.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

build.exeTcpMonitor.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TcpMonitor.exe"	build.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	TcpMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	TcpMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	TcpMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	TcpMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

TcpMonitor.exe

description	pid	process
Token: SeDebugPrivilege	436	TcpMonitor.exe
Token: 33	436	TcpMonitor.exe
Token: SeIncBasePriorityPrivilege	436	TcpMonitor.exe
Token: 33	436	TcpMonitor.exe
Token: SeIncBasePriorityPrivilege	436	TcpMonitor.exe
Token: 33	436	TcpMonitor.exe
Token: SeIncBasePriorityPrivilege	436	TcpMonitor.exe
Token: 33	436	TcpMonitor.exe
Token: SeIncBasePriorityPrivilege	436	TcpMonitor.exe
Token: 33	436	TcpMonitor.exe
Token: SeIncBasePriorityPrivilege	436	TcpMonitor.exe
Token: 33	436	TcpMonitor.exe
Token: SeIncBasePriorityPrivilege	436	TcpMonitor.exe
Token: 33	436	TcpMonitor.exe
Token: SeIncBasePriorityPrivilege	436	TcpMonitor.exe
Token: 33	436	TcpMonitor.exe
Token: SeIncBasePriorityPrivilege	436	TcpMonitor.exe
Token: 33	436	TcpMonitor.exe
Token: SeIncBasePriorityPrivilege	436	TcpMonitor.exe
Token: 33	436	TcpMonitor.exe
Token: SeIncBasePriorityPrivilege	436	TcpMonitor.exe
Token: 33	436	TcpMonitor.exe
Token: SeIncBasePriorityPrivilege	436	TcpMonitor.exe
Token: 33	436	TcpMonitor.exe
Token: SeIncBasePriorityPrivilege	436	TcpMonitor.exe
Token: 33	436	TcpMonitor.exe
Token: SeIncBasePriorityPrivilege	436	TcpMonitor.exe
Token: 33	436	TcpMonitor.exe
Token: SeIncBasePriorityPrivilege	436	TcpMonitor.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

39E980BB186A6091FC6C64F2EE571EB9.exebuild.exe

description	pid	process	target process
PID 1864 wrote to memory of 840	1864	39E980BB186A6091FC6C64F2EE571EB9.exe	build.exe
PID 1864 wrote to memory of 840	1864	39E980BB186A6091FC6C64F2EE571EB9.exe	build.exe
PID 1864 wrote to memory of 840	1864	39E980BB186A6091FC6C64F2EE571EB9.exe	build.exe
PID 1864 wrote to memory of 840	1864	39E980BB186A6091FC6C64F2EE571EB9.exe	build.exe
PID 840 wrote to memory of 436	840	build.exe	TcpMonitor.exe
PID 840 wrote to memory of 436	840	build.exe	TcpMonitor.exe
PID 840 wrote to memory of 436	840	build.exe	TcpMonitor.exe
PID 840 wrote to memory of 436	840	build.exe	TcpMonitor.exe
PID 840 wrote to memory of 1496	840	build.exe	attrib.exe
PID 840 wrote to memory of 1496	840	build.exe	attrib.exe
PID 840 wrote to memory of 1496	840	build.exe	attrib.exe
PID 840 wrote to memory of 1496	840	build.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1496 attrib.exe

pid	process
1496	attrib.exe

C:\Users\Admin\AppData\Local\Temp\39E980BB186A6091FC6C64F2EE571EB9.exe
"C:\Users\Admin\AppData\Local\Temp\39E980BB186A6091FC6C64F2EE571EB9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\build.exe
"C:\Users\Admin\AppData\Local\build.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\TcpMonitor.exe
"C:\Users\Admin\AppData\Local\Temp\TcpMonitor.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\TcpMonitor.exe"
3⤵
- Views/modifies file attributes
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TcpMonitor.exe
MD5
9b653300438290176398ea063b7cd2d1

SHA1
a108da0b9a2f3abc3ef4d0a30bbecdac36a2e950

SHA256
65e4a2b1b291a3dc72958875bbcc8fafcfd11182a518670c54eb9eb4db586b7e

SHA512
74243b83dfea27ceae693618d57d182c85aa3e3d44a1bab821a658e62cfc949a2b1af51bc6c671b4940af25478b736d319deb87007a8aef0e83799ab40e669e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TcpMonitor.exe
MD5
9b653300438290176398ea063b7cd2d1

SHA1
a108da0b9a2f3abc3ef4d0a30bbecdac36a2e950

SHA256
65e4a2b1b291a3dc72958875bbcc8fafcfd11182a518670c54eb9eb4db586b7e

SHA512
74243b83dfea27ceae693618d57d182c85aa3e3d44a1bab821a658e62cfc949a2b1af51bc6c671b4940af25478b736d319deb87007a8aef0e83799ab40e669e3

Download Submit
C:\Users\Admin\AppData\Local\build.exe
MD5
9b653300438290176398ea063b7cd2d1

SHA1
a108da0b9a2f3abc3ef4d0a30bbecdac36a2e950

SHA256
65e4a2b1b291a3dc72958875bbcc8fafcfd11182a518670c54eb9eb4db586b7e

SHA512
74243b83dfea27ceae693618d57d182c85aa3e3d44a1bab821a658e62cfc949a2b1af51bc6c671b4940af25478b736d319deb87007a8aef0e83799ab40e669e3

Download Submit
C:\Users\Admin\AppData\Local\build.exe
MD5
9b653300438290176398ea063b7cd2d1

SHA1
a108da0b9a2f3abc3ef4d0a30bbecdac36a2e950

SHA256
65e4a2b1b291a3dc72958875bbcc8fafcfd11182a518670c54eb9eb4db586b7e

SHA512
74243b83dfea27ceae693618d57d182c85aa3e3d44a1bab821a658e62cfc949a2b1af51bc6c671b4940af25478b736d319deb87007a8aef0e83799ab40e669e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
MD5
429326ce4ac14b57236e0aeb7a73c38b

SHA1
303154f7c9f1cf49a5a2368275557a1b69a6f46c

SHA256
08f8b30d5ce7ca9d16d031ceb2d9e36931322f98cc5fa00ecb4c5820181c3c30

SHA512
578c8fe797d8b49eee7913090f212223dcfa86d926558be8b0ffc8b8602dc67318aa77dbc1417dc52596fa76e6b1b8b2f9eaba66cd5f2d494b4ceb62488c0c33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
MD5
28051a5e11ba029250a20b7271645291

SHA1
ab74756746f343582a6764730ce7f9675cd7c04a

SHA256
d3bddbea5f484079e9abc6bb2f4056d62a91413fb7d664b55b44889cc9b1f68b

SHA512
558848efdbab66607a7978c5beeb79af8c87137299db704278f1f0ceaab5603448a27fefcd6bea16a6592fca87130af9aa2ba70e9da9d95db563ced5e5217df7

Download Submit
\Users\Admin\AppData\Local\Temp\TcpMonitor.exe
MD5
9b653300438290176398ea063b7cd2d1

SHA1
a108da0b9a2f3abc3ef4d0a30bbecdac36a2e950

SHA256
65e4a2b1b291a3dc72958875bbcc8fafcfd11182a518670c54eb9eb4db586b7e

SHA512
74243b83dfea27ceae693618d57d182c85aa3e3d44a1bab821a658e62cfc949a2b1af51bc6c671b4940af25478b736d319deb87007a8aef0e83799ab40e669e3

Download Submit
memory/436-67-0x0000000000000000-mapping.dmp

Download
memory/436-73-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/436-75-0x0000000000471000-0x0000000000472000-memory.dmp

Filesize
4KB

Download
memory/840-65-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/840-64-0x0000000076A81000-0x0000000076A83000-memory.dmp

Filesize
8KB

Download
memory/840-61-0x0000000000000000-mapping.dmp

Download
memory/1496-70-0x0000000000000000-mapping.dmp

Download
memory/1864-59-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads