a4496847096f3b16c8cc2e743e48dabb687480f096384605f8601aa23dd05a8e

General

Target

A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
Size

146KB
MD5

d35bddd3a36c7f33e086db7464c817a4
SHA1

9e05674466f0935a5b17031a2278f64809878033
SHA256

a4496847096f3b16c8cc2e743e48dabb687480f096384605f8601aa23dd05a8e
SHA512

423728567736c18ba050bc04116bb9a8615c5a24e89b9f5cc2d815ce778eaaedf17118814e82d5c804fcf2b0fd1bb3aa8e333588b3712ddb690395816752a4e1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

996 svchost.exe

pid	process
996	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDT = "C:\\ProgramData\\IDT\\svchost.exe"	reg.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 api.ipify.org
8 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1764 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

A4496847096F3B16C8CC2E743E48DABB687480F096384.exesvchost.exe

pid process

564 A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
996 svchost.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

996 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

A4496847096F3B16C8CC2E743E48DABB687480F096384.exesvchost.exe

description pid process

Token: SeDebugPrivilege 564 A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
Token: SeDebugPrivilege 996 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

996 svchost.exe

flow	ioc
7	api.ipify.org
8	api.ipify.org

pid	process
1764	reg.exe

pid	process
564	A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
996	svchost.exe

pid	process
996	svchost.exe

description	pid	process
Token: SeDebugPrivilege	564	A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
Token: SeDebugPrivilege	996	svchost.exe

pid	process
996	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

A4496847096F3B16C8CC2E743E48DABB687480F096384.exesvchost.execmd.exe

description	pid	process	target process
PID 564 wrote to memory of 996	564	A4496847096F3B16C8CC2E743E48DABB687480F096384.exe	svchost.exe
PID 564 wrote to memory of 996	564	A4496847096F3B16C8CC2E743E48DABB687480F096384.exe	svchost.exe
PID 996 wrote to memory of 1628	996	svchost.exe	cmd.exe
PID 996 wrote to memory of 1628	996	svchost.exe	cmd.exe
PID 1628 wrote to memory of 1764	1628	cmd.exe	reg.exe
PID 1628 wrote to memory of 1764	1628	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\A4496847096F3B16C8CC2E743E48DABB687480F096384.exe
"C:\Users\Admin\AppData\Local\Temp\A4496847096F3B16C8CC2E743E48DABB687480F096384.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564

C:\ProgramData\IDT\svchost.exe
"C:\ProgramData\IDT\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v IDT /t REG_EXPAND_SZ /d "%PROGRAMDATA%\IDT\svchost.exe" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v IDT /t REG_EXPAND_SZ /d "C:\ProgramData\IDT\svchost.exe" /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:1764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IDT\svchost.exe
MD5
d35bddd3a36c7f33e086db7464c817a4

SHA1
9e05674466f0935a5b17031a2278f64809878033

SHA256
a4496847096f3b16c8cc2e743e48dabb687480f096384605f8601aa23dd05a8e

SHA512
423728567736c18ba050bc04116bb9a8615c5a24e89b9f5cc2d815ce778eaaedf17118814e82d5c804fcf2b0fd1bb3aa8e333588b3712ddb690395816752a4e1

Download Submit
C:\ProgramData\IDT\svchost.exe
MD5
d35bddd3a36c7f33e086db7464c817a4

SHA1
9e05674466f0935a5b17031a2278f64809878033

SHA256
a4496847096f3b16c8cc2e743e48dabb687480f096384605f8601aa23dd05a8e

SHA512
423728567736c18ba050bc04116bb9a8615c5a24e89b9f5cc2d815ce778eaaedf17118814e82d5c804fcf2b0fd1bb3aa8e333588b3712ddb690395816752a4e1

Download Submit
memory/564-114-0x00000237465E0000-0x00000237465E1000-memory.dmp

Filesize
4KB

Download
memory/996-129-0x0000022D883F0000-0x0000022D883F2000-memory.dmp

Filesize
8KB

Download
memory/996-121-0x0000022DA2B02000-0x0000022DA2B03000-memory.dmp

Filesize
4KB

Download
memory/996-122-0x0000022D87F50000-0x0000022D87F60000-memory.dmp

Filesize
64KB

Download
memory/996-123-0x0000022D88020000-0x0000022D88044000-memory.dmp

Filesize
144KB

Download
memory/996-126-0x0000022D880F0000-0x0000022D880F3000-memory.dmp

Filesize
12KB

Download
memory/996-127-0x0000022D88390000-0x0000022D88394000-memory.dmp

Filesize
16KB

Download
memory/996-128-0x0000022D883A0000-0x0000022D883A5000-memory.dmp

Filesize
20KB

Download
memory/996-116-0x0000000000000000-mapping.dmp

Download
memory/996-130-0x0000022D89C60000-0x0000022D89CE9000-memory.dmp

Filesize
548KB

Download
memory/996-131-0x0000022D89C20000-0x0000022D89C2C000-memory.dmp

Filesize
48KB

Download
memory/996-132-0x0000022DA2B03000-0x0000022DA2B04000-memory.dmp

Filesize
4KB

Download
memory/1628-124-0x0000000000000000-mapping.dmp

Download
memory/1764-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing