18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891

General

Target

18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe
Size

135KB
MD5

48fba897d161a3d734c6aff3119f952a
SHA1

8dd00aec4276f2aaf6de1ba98cc9ffdf209ce420
SHA256

18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891
SHA512

0c072a4f24622f6c1a72722cadfc88b2e4c3417b002889c95b0dc7535681e9e35c5f53ed5c68337e807a0babd6bf488192a92cda2400cc7e5dd7a5919aa257a7

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

Processes:

targetsdump.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	targetsdump.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 21 IoCs

Processes:

targetsdump.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	targetsdump.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	targetsdump.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	targetsdump.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77	targetsdump.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	targetsdump.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	targetsdump.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	targetsdump.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"	targetsdump.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070025000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	targetsdump.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}	targetsdump.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"	targetsdump.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	targetsdump.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	targetsdump.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	targetsdump.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	targetsdump.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	targetsdump.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = 4000ad96914ad701	targetsdump.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"	targetsdump.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 4000ad96914ad701	targetsdump.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	targetsdump.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	targetsdump.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

targetsdump.exe

pid process

1564 targetsdump.exe
1564 targetsdump.exe
1564 targetsdump.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe

pid process

1928 18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe

pid	process
1564	targetsdump.exe
1564	targetsdump.exe
1564	targetsdump.exe

pid	process
1928	18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe

Suspicious use of UnmapMainImage 4 IoCs

Processes:

18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exetargetsdump.exetargetsdump.exe

pid	process
1072	18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe
1928	18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe
1540	targetsdump.exe
1564	targetsdump.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exetargetsdump.exe

description	pid	process	target process
PID 1072 wrote to memory of 1928	1072	18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe	18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe
PID 1072 wrote to memory of 1928	1072	18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe	18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe
PID 1072 wrote to memory of 1928	1072	18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe	18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe
PID 1072 wrote to memory of 1928	1072	18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe	18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe
PID 1540 wrote to memory of 1564	1540	targetsdump.exe	targetsdump.exe
PID 1540 wrote to memory of 1564	1540	targetsdump.exe	targetsdump.exe
PID 1540 wrote to memory of 1564	1540	targetsdump.exe	targetsdump.exe
PID 1540 wrote to memory of 1564	1540	targetsdump.exe	targetsdump.exe

C:\Users\Admin\AppData\Local\Temp\18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe
"C:\Users\Admin\AppData\Local\Temp\18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\Temp\18c788edd309a5c15d9163cf016cd9651bf2db15622dcf3c21286b6b7f22f891.exe
--cded26f7
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
PID:1928

C:\Windows\SysWOW64\targetsdump.exe
"C:\Windows\SysWOW64\targetsdump.exe"
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\targetsdump.exe
--6c3a520c
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-60-0x0000000075411000-0x0000000075413000-memory.dmp

Filesize
8KB

Download
memory/1072-61-0x0000000000220000-0x0000000000231000-memory.dmp

Filesize
68KB

Download
memory/1072-64-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1540-71-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1564-69-0x0000000000000000-mapping.dmp

Download
memory/1928-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads