9f4e84629acc73ae01dd5eb4670ebd0366dc7aabf465f7013d9e37b7e2349f1b

General

Target

SecuriteInfo.com.Variant.Johnnie.323807.26508.21921.exe
Size

1.4MB
MD5

b7ba4e82fe9ff22b4ea1372fd0c3a8d1
SHA1

dc4e72d4b4bcc4bc18c7fb915ae7f53bccb2ab52
SHA256

9f4e84629acc73ae01dd5eb4670ebd0366dc7aabf465f7013d9e37b7e2349f1b
SHA512

c888ac83dca3d964c85c9bebf23da312421c687f496b92e9387de863d1c892ce6aff3035b221e6c51661d5a7898990f93cc56dde9837bdd7e37bdc5d8f14bb15

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Variant.Johnnie.323807.26508.21921.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run	SecuriteInfo.com.Variant.Johnnie.323807.26508.21921.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ProPlayer = "C:\\Users\\Admin\\AppData\\Roaming\\ProPlayer\\Player.exe.exe"	SecuriteInfo.com.Variant.Johnnie.323807.26508.21921.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Variant.Johnnie.323807.26508.21921.exe

description pid process

PID 1996 set thread context of 0 1996 SecuriteInfo.com.Variant.Johnnie.323807.26508.21921.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1740 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SecuriteInfo.com.Variant.Johnnie.323807.26508.21921.exe

pid process

1996 SecuriteInfo.com.Variant.Johnnie.323807.26508.21921.exe

description	pid	process
PID 1996 set thread context of 0	1996	SecuriteInfo.com.Variant.Johnnie.323807.26508.21921.exe

pid	process
1740	DllHost.exe

pid	process
1996	SecuriteInfo.com.Variant.Johnnie.323807.26508.21921.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Johnnie.323807.26508.21921.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Johnnie.323807.26508.21921.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7pa1X.jpg

MD5
472d5bd3b4c1e2b39e4c528eb2ac5af5

SHA1
beb29bae52b99da51c3436fde0dc7360aa384328

SHA256
dd872138cd8acbe76987659e7d4fcbd5606d3500e4280ea78cefa48ee0969d76

SHA512
3a7b30141133a62a8c3f2759f6931ffff0f16ecf01e44c9524b9c406d4ec94301337cfdd158bce553d0291fbf6bf4ae9abd990a0989e2f66b6b99d41bafff123

Download Submit
memory/0-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1740-64-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/1740-66-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1996-61-0x0000000075D41000-0x0000000075D43000-memory.dmp

Filesize
8KB

Download
memory/1996-63-0x0000000003660000-0x0000000003662000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing