8a33e2792e0d41c6b99a1203187f650fa16a7a0c187938457bc526526f13b5c2

Resubmissions

25-08-2021 09:56

210825-v7gpzzrw7s 10

27-04-2021 14:41

210427-hta8ys4aka 10

Analysis

max time kernel
8s
max time network
9s
platform
windows10_x64
resource
win10v20210408
submitted
25-08-2021 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

therapeutic-rule.exe
Size

170KB
MD5

fc080fae536e8801a2f3400804f2734b
SHA1

0d79a4ebbc04b7abc268b76068335e0dd581abb4
SHA256

8a33e2792e0d41c6b99a1203187f650fa16a7a0c187938457bc526526f13b5c2
SHA512

0fc4740cd0601d2b382625a940e3d68479fca6fefefd5421b7c72a9739d0ee3676c3278866a7eb1aec49dc3102ea712fa40f11fcb33f5e7b4c784d3ae14ccd01

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\therapeutic-rule.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

therapeutic-rule.exe

pid process

804 therapeutic-rule.exe
804 therapeutic-rule.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

therapeutic-rule.exe

description pid process

Token: SeDebugPrivilege 804 therapeutic-rule.exe

pid	process
804	therapeutic-rule.exe
804	therapeutic-rule.exe

description	pid	process
Token: SeDebugPrivilege	804	therapeutic-rule.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

therapeutic-rule.execmd.exe

description	pid	process	target process
PID 804 wrote to memory of 3700	804	therapeutic-rule.exe	cmd.exe
PID 804 wrote to memory of 3700	804	therapeutic-rule.exe	cmd.exe
PID 804 wrote to memory of 2348	804	therapeutic-rule.exe	sihost.exe
PID 3700 wrote to memory of 3592	3700	cmd.exe	reg.exe
PID 3700 wrote to memory of 3592	3700	cmd.exe	reg.exe
PID 804 wrote to memory of 2356	804	therapeutic-rule.exe	svchost.exe
PID 804 wrote to memory of 2500	804	therapeutic-rule.exe	taskhostw.exe

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2500

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2356

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\therapeutic-rule.exe
"C:\Users\Admin\AppData\Local\Temp\therapeutic-rule.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\therapeutic-rule.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\therapeutic-rule.exe" /f
3⤵
- Adds Run key to start application
PID:3592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3592-115-0x0000000000000000-mapping.dmp

Download
memory/3700-114-0x0000000000000000-mapping.dmp

Download