4f5eb87739916022c23a6291aaac32e86cef1d92cd9bcf67ec0ed357f1672ca1

General

Target

1cd60e5192988ae5841a861ef8c45a61.exe
Size

643KB
MD5

1cd60e5192988ae5841a861ef8c45a61
SHA1

3c6fe7b6885dadd5820710082b5e07f0f0c31a8f
SHA256

4f5eb87739916022c23a6291aaac32e86cef1d92cd9bcf67ec0ed357f1672ca1
SHA512

dff8d5c7c0e10deed78f911e8e4b4b0ef9e5d94ea8d85777c3711efb7fefc5f5dd93eb0589b60c92d0cf1962eccac810cd4d2a0aa87ec1e9a1bd350b17e07442

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1cd60e5192988ae5841a861ef8c45a61.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1cd60e5192988ae5841a861ef8c45a61.exe\""	1cd60e5192988ae5841a861ef8c45a61.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

184 schtasks.exe
1588 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1cd60e5192988ae5841a861ef8c45a61.exe

description pid process

Token: SeDebugPrivilege 1892 1cd60e5192988ae5841a861ef8c45a61.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1cd60e5192988ae5841a861ef8c45a61.exe

pid process

1892 1cd60e5192988ae5841a861ef8c45a61.exe

flow	ioc
11	ip-api.com

pid	process
184	schtasks.exe
1588	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1892	1cd60e5192988ae5841a861ef8c45a61.exe

pid	process
1892	1cd60e5192988ae5841a861ef8c45a61.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1cd60e5192988ae5841a861ef8c45a61.exe

description	pid	process	target process
PID 1892 wrote to memory of 184	1892	1cd60e5192988ae5841a861ef8c45a61.exe	schtasks.exe
PID 1892 wrote to memory of 184	1892	1cd60e5192988ae5841a861ef8c45a61.exe	schtasks.exe
PID 1892 wrote to memory of 184	1892	1cd60e5192988ae5841a861ef8c45a61.exe	schtasks.exe
PID 1892 wrote to memory of 1588	1892	1cd60e5192988ae5841a861ef8c45a61.exe	schtasks.exe
PID 1892 wrote to memory of 1588	1892	1cd60e5192988ae5841a861ef8c45a61.exe	schtasks.exe
PID 1892 wrote to memory of 1588	1892	1cd60e5192988ae5841a861ef8c45a61.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\1cd60e5192988ae5841a861ef8c45a61.exe
"C:\Users\Admin\AppData\Local\Temp\1cd60e5192988ae5841a861ef8c45a61.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SecurityHealthSystray" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\1cd60e5192988ae5841a861ef8c45a61.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:184

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Local\Temp\1cd60e5192988ae5841a861ef8c45a61.exe" /sc MINUTE /MO 1
2⤵
- Creates scheduled task(s)
PID:1588

C:\Users\Admin\AppData\Local\Temp\1cd60e5192988ae5841a861ef8c45a61.exe
C:\Users\Admin\AppData\Local\Temp\1cd60e5192988ae5841a861ef8c45a61.exe
1⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\1cd60e5192988ae5841a861ef8c45a61.exe
C:\Users\Admin\AppData\Local\Temp\1cd60e5192988ae5841a861ef8c45a61.exe
1⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\1cd60e5192988ae5841a861ef8c45a61.exe
C:\Users\Admin\AppData\Local\Temp\1cd60e5192988ae5841a861ef8c45a61.exe
1⤵
PID:2104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1cd60e5192988ae5841a861ef8c45a61.exe.log
MD5
10ecf495fafaaeb7fdea5c8033a0fc87

SHA1
e81a0c0415cf5b13e58319e82e07f1ed5c10e491

SHA256
aaff4d50d7258fd2a5f8e6d073b6d32925d392b9f37209180f469a11d46a63b9

SHA512
87928fcbddafe42764db1de846b0349ceeb08b0af6ee190b0e4076a63c32e20a826a7e76b55f6a6786c69f3c1fc04e8e030bc1ad69c523c96b27cf75a78e53e0

Download Submit
memory/184-122-0x0000000000000000-mapping.dmp

Download
memory/1096-129-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1588-124-0x0000000000000000-mapping.dmp

Download
memory/1892-118-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/1892-120-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/1892-121-0x0000000005DA0000-0x0000000005DA1000-memory.dmp

Filesize
4KB

Download
memory/1892-119-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/1892-123-0x0000000006250000-0x0000000006251000-memory.dmp

Filesize
4KB

Download
memory/1892-114-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1892-117-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/1892-116-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/2104-142-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/4016-136-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads