e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf

General

Target

e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
Size

3.2MB
MD5

a3caa75210ab96a021512552587e8370
SHA1

5ee6e59dba738cae31c8c933c65fe297c8dce37c
SHA256

e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf
SHA512

50c14483e443cf0655556c82184016623485a9b61304e366e3dce080d7ed9b4ca710b100fd40149118e851a8d6c8f64a06964c2322bbc482814a6db07277c42d

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe

pid	process
3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe

pid process

3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe

pid	process
3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe

description	pid	process	target process
PID 3876 wrote to memory of 2776	3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe	WScript.exe
PID 3876 wrote to memory of 2776	3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe	WScript.exe
PID 3876 wrote to memory of 2776	3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe	WScript.exe
PID 3876 wrote to memory of 2788	3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe	WScript.exe
PID 3876 wrote to memory of 2788	3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe	WScript.exe
PID 3876 wrote to memory of 2788	3876	e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
"C:\Users\Admin\AppData\Local\Temp\e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
PID:2788

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
PID:2776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
MD5
54e2eecfd5ac390ca06538251e23058d

SHA1
836255c36b07c6bdea22b60a2e5cf8c9594864f7

SHA256
f5527774caf35537bf88f8e22dc784f467a59e0581b9a27732fc142523fd9c96

SHA512
3a5857ee9ba0b301e826ddbbcafed225e2f86da57ae3226341192f6285995b17b47de8520c2171cdabd898115c9e0365a6df512768001ff3b42157a01b985236

Download Submit
memory/2776-114-0x0000000000000000-mapping.dmp

Download
memory/2788-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads