7320b115d96ae0e50fe44d8600bd0bd68e2fac3bb4604f8f333f04e247c301bd

General

Target

2320900000000.exe
Size

494KB
MD5

b17442f88ff7c42751412f361e99b4f6
SHA1

483b3ad59a7c1f96c277d1a753a588f3fc8f4c6f
SHA256

7320b115d96ae0e50fe44d8600bd0bd68e2fac3bb4604f8f333f04e247c301bd
SHA512

6b29abb8791d0772d1b358459528121871a1be043f3a3ee60d4da5df3bdb74fc93239c0f41f88432327111323ce13534d1fb35631393bd7d9ab7720c00d5e45b

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

2320900000000.exe

pid process

916 2320900000000.exe
916 2320900000000.exe

pid	process
916	2320900000000.exe
916	2320900000000.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2320900000000.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\xmalmtehdauows = "C:\\Users\\Admin\\AppData\\Roaming\\bnqw\\amve.exe"	2320900000000.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 checkip.dyndns.org
9 freegeoip.app
10 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

2320900000000.exe

description pid process target process

PID 916 set thread context of 1792 916 2320900000000.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

2320900000000.exeMSBuild.exe

pid process

916 2320900000000.exe
916 2320900000000.exe
916 2320900000000.exe
916 2320900000000.exe
1792 MSBuild.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2320900000000.exe

pid process

916 2320900000000.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1792 MSBuild.exe

flow	ioc
6	checkip.dyndns.org
9	freegeoip.app
10	freegeoip.app

description	pid	process	target process
PID 916 set thread context of 1792	916	2320900000000.exe	MSBuild.exe

pid	process
916	2320900000000.exe
916	2320900000000.exe
916	2320900000000.exe
916	2320900000000.exe
1792	MSBuild.exe

pid	process
916	2320900000000.exe

description	pid	process
Token: SeDebugPrivilege	1792	MSBuild.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

2320900000000.exe

description	pid	process	target process
PID 916 wrote to memory of 1792	916	2320900000000.exe	MSBuild.exe
PID 916 wrote to memory of 1792	916	2320900000000.exe	MSBuild.exe
PID 916 wrote to memory of 1792	916	2320900000000.exe	MSBuild.exe
PID 916 wrote to memory of 1792	916	2320900000000.exe	MSBuild.exe
PID 916 wrote to memory of 1792	916	2320900000000.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\2320900000000.exe
"C:\Users\Admin\AppData\Local\Temp\2320900000000.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\2320900000000.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsc75FC.tmp\System.dll

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsc75FC.tmp\System.dll

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/916-60-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download
memory/1792-63-0x000000000044284E-mapping.dmp

Download
memory/1792-65-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing