24f0d922d0dbd20647e6c89d86b1dec6aac2316833d338dcf9eea7dff0a1c2b1

General

Target

5530E8DCB60D0DCC68FE18810BB9E53C.exe
Size

1.6MB
MD5

5530e8dcb60d0dcc68fe18810bb9e53c
SHA1

0addb140b908fd95f1efdc26e9b90975d1b55b9f
SHA256

24f0d922d0dbd20647e6c89d86b1dec6aac2316833d338dcf9eea7dff0a1c2b1
SHA512

1c360cb33a8bf968ba492cdad811bc06cd7f4fdb59617b20e902e2254fc2d9bdff6e2ffca3d60f6b6a5310a15e5f2cea0a3aa61b5f93608f2ede64a9dfb8ec24

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

filename.scr

pid process

3636 filename.scr

pid	process
3636	filename.scr

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Registry Key Name = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\filename.vbs"	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

5530E8DCB60D0DCC68FE18810BB9E53C.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	5530E8DCB60D0DCC68FE18810BB9E53C.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5530E8DCB60D0DCC68FE18810BB9E53C.exefilename.scr

pid process

3776 5530E8DCB60D0DCC68FE18810BB9E53C.exe
3636 filename.scr

pid	process
3776	5530E8DCB60D0DCC68FE18810BB9E53C.exe
3636	filename.scr

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5530E8DCB60D0DCC68FE18810BB9E53C.exeWScript.exe

description	pid	process	target process
PID 3776 wrote to memory of 1344	3776	5530E8DCB60D0DCC68FE18810BB9E53C.exe	WScript.exe
PID 3776 wrote to memory of 1344	3776	5530E8DCB60D0DCC68FE18810BB9E53C.exe	WScript.exe
PID 3776 wrote to memory of 1344	3776	5530E8DCB60D0DCC68FE18810BB9E53C.exe	WScript.exe
PID 1344 wrote to memory of 3636	1344	WScript.exe	filename.scr
PID 1344 wrote to memory of 3636	1344	WScript.exe	filename.scr
PID 1344 wrote to memory of 3636	1344	WScript.exe	filename.scr

C:\Users\Admin\AppData\Local\Temp\5530E8DCB60D0DCC68FE18810BB9E53C.exe
"C:\Users\Admin\AppData\Local\Temp\5530E8DCB60D0DCC68FE18810BB9E53C.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr
    "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr" /S
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr

MD5
3ce66caa331cbde38b08ac28665057ed

SHA1
65113ab42af92d2888005f77a38f319ae7957583

SHA256
d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed

SHA512
40b636c384e7ee469954f160fb2e42daa6fd17ecffc5b694a85c96f4fd8d5b188a1d1e2c715a2f537ebf648c9317e73628bb5dffcb7b4c0669e0b91364dc7b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr

MD5
3ce66caa331cbde38b08ac28665057ed

SHA1
65113ab42af92d2888005f77a38f319ae7957583

SHA256
d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed

SHA512
40b636c384e7ee469954f160fb2e42daa6fd17ecffc5b694a85c96f4fd8d5b188a1d1e2c715a2f537ebf648c9317e73628bb5dffcb7b4c0669e0b91364dc7b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs

MD5
639af09046d288faa04e81903466ddac

SHA1
1efdb5d52fed8d7e059cc159b4766c4cca14de95

SHA256
de9447a07c6c194efc30ca2ca03f6d5d64634d573760833b1f585052a590b76e

SHA512
39a0e9af662ce7c94d8d0c1d08e8497845a3ceaa10d59e23ba25c1dcb2f6781ea77a5609321aa74ad6e04cde295926c9297bf72b4d55ac7de25df849ec80592d

Download Submit
memory/1344-117-0x0000000000000000-mapping.dmp

Download
memory/3636-120-0x0000000000000000-mapping.dmp

Download
memory/3776-116-0x0000000000870000-0x0000000000876000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads