1a693036899a05dbbb83fb29c1487f2e43fd5bb7d8d01e3bea84166aa331f998

General

Target

4701556.exe
Size

46KB
MD5

1d095bc417db73c6bc6e4c4e7b43106f
SHA1

db7e49df1fb5a0a665976f98ff7128aeba40c5f3
SHA256

b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee
SHA512

3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

WinHoster.exe

pid process

1980 WinHoster.exe
Loads dropped DLL 1 IoCs

Processes:

4701556.exe

pid process

856 4701556.exe

pid	process
1980	WinHoster.exe

pid	process
856	4701556.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4701556.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	4701556.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4701556.exe

description	pid	process	target process
PID 856 wrote to memory of 1980	856	4701556.exe	WinHoster.exe
PID 856 wrote to memory of 1980	856	4701556.exe	WinHoster.exe
PID 856 wrote to memory of 1980	856	4701556.exe	WinHoster.exe
PID 856 wrote to memory of 1980	856	4701556.exe	WinHoster.exe

C:\Users\Admin\AppData\Local\Temp\4701556.exe
"C:\Users\Admin\AppData\Local\Temp\4701556.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
2⤵
- Executes dropped EXE
PID:1980

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
memory/856-60-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/856-62-0x0000000000270000-0x0000000000277000-memory.dmp

Filesize
28KB

Download
memory/1980-64-0x0000000000000000-mapping.dmp

Download
memory/1980-67-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/1980-70-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing