ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9

General

Target

ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe
Size

117KB
MD5

72a80f214a15360ea3b4fe3cf38a99cf
SHA1

a00e93071fb481a0606efeac3850997c74fd51a2
SHA256

ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9
SHA512

fcea420ccd1325ebda730253c2c325a1843db4365907f32f5f9dd809bcfcd512e8dd3c0644aa25a58c3e80eba9c336b03d11757ce7f95588da63c686f899f3dc

Score

10^/10

evasion trojan

Malware Config

Signatures

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\툛툦툇퇺퇺툱퇸퇺툨툐퇾퇼툨툧툆\svchost.exe = "0"	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe = "0"	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe

Drops file in Windows directory 2 IoCs

Processes:

ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\툛툦툇퇺퇺툱퇸퇺툨툐퇾퇼툨툧툆\svchost.exe	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\툛툦툇퇺퇺툱퇸퇺툨툐퇾퇼툨툧툆\svchost.exe	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

888 3716 WerFault.exe ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe

pid	pid_target	process	target process
888	3716	WerFault.exe	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exepowershell.exepowershell.exeWerFault.exe

pid	process
860	powershell.exe
1108	powershell.exe
1332	powershell.exe
1108	powershell.exe
860	powershell.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
1332	powershell.exe
888	WerFault.exe
888	WerFault.exe
1332	powershell.exe
860	powershell.exe
1108	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exepowershell.exepowershell.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3716	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeRestorePrivilege	888	WerFault.exe
Token: SeBackupPrivilege	888	WerFault.exe
Token: SeDebugPrivilege	888	WerFault.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe

description	pid	process	target process
PID 3716 wrote to memory of 860	3716	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe	powershell.exe
PID 3716 wrote to memory of 860	3716	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe	powershell.exe
PID 3716 wrote to memory of 860	3716	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe	powershell.exe
PID 3716 wrote to memory of 1108	3716	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe	powershell.exe
PID 3716 wrote to memory of 1108	3716	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe	powershell.exe
PID 3716 wrote to memory of 1108	3716	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe	powershell.exe
PID 3716 wrote to memory of 1332	3716	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe	powershell.exe
PID 3716 wrote to memory of 1332	3716	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe	powershell.exe
PID 3716 wrote to memory of 1332	3716	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe	powershell.exe
PID 3716 wrote to memory of 3636	3716	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe
PID 3716 wrote to memory of 3636	3716	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe
PID 3716 wrote to memory of 3636	3716	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe	ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe

C:\Users\Admin\AppData\Local\Temp\ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe
"C:\Users\Admin\AppData\Local\Temp\ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe"
1⤵
- Windows security modification
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\툛툦툇퇺퇺툱퇸퇺툨툐퇾퇼툨툧툆\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\툛툦툇퇺퇺툱퇸퇺툨툐퇾퇼툨툧툆\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Users\Admin\AppData\Local\Temp\ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe
C:\Users\Admin\AppData\Local\Temp\ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9.exe
2⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 2120
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e8da8ab7e2841f4c4408d699bba36a1d

SHA1
ab8f662e23d8508bc8fa4db900a4079a0b07abd3

SHA256
56d653e8c714010c4f8b2284cb362d29c2e83fc4669033ba76aa19c05e8c3fed

SHA512
08db6f1701711f0e56cbcd56cd11b92b2c934b15b994d2ac27cb9491a1fa3b1484f118c79efdeb025db9214a12e959ae5ee8967ead4d40ebfb31d4fcb2319df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e8da8ab7e2841f4c4408d699bba36a1d

SHA1
ab8f662e23d8508bc8fa4db900a4079a0b07abd3

SHA256
56d653e8c714010c4f8b2284cb362d29c2e83fc4669033ba76aa19c05e8c3fed

SHA512
08db6f1701711f0e56cbcd56cd11b92b2c934b15b994d2ac27cb9491a1fa3b1484f118c79efdeb025db9214a12e959ae5ee8967ead4d40ebfb31d4fcb2319df1

Download Submit
memory/860-164-0x0000000007F50000-0x0000000007F51000-memory.dmp

Filesize
4KB

Download
memory/860-263-0x0000000006BE3000-0x0000000006BE4000-memory.dmp

Filesize
4KB

Download
memory/860-123-0x0000000000000000-mapping.dmp

Download
memory/860-229-0x000000007F460000-0x000000007F461000-memory.dmp

Filesize
4KB

Download
memory/860-167-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/860-140-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download
memory/860-161-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/860-158-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/860-127-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/860-156-0x0000000006BE2000-0x0000000006BE3000-memory.dmp

Filesize
4KB

Download
memory/860-130-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/860-154-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/860-146-0x00000000070E0000-0x00000000070E1000-memory.dmp

Filesize
4KB

Download
memory/860-142-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/1108-171-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1108-224-0x000000007E880000-0x000000007E881000-memory.dmp

Filesize
4KB

Download
memory/1108-260-0x0000000006AA3000-0x0000000006AA4000-memory.dmp

Filesize
4KB

Download
memory/1108-124-0x0000000000000000-mapping.dmp

Download
memory/1108-136-0x00000000070E0000-0x00000000070E1000-memory.dmp

Filesize
4KB

Download
memory/1108-129-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1108-153-0x0000000006AA0000-0x0000000006AA1000-memory.dmp

Filesize
4KB

Download
memory/1108-132-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1108-155-0x0000000006AA2000-0x0000000006AA3000-memory.dmp

Filesize
4KB

Download
memory/1332-133-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/1332-157-0x00000000046D2000-0x00000000046D3000-memory.dmp

Filesize
4KB

Download
memory/1332-128-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/1332-152-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/1332-131-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/1332-125-0x0000000000000000-mapping.dmp

Download
memory/1332-168-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/1332-267-0x00000000046D3000-0x00000000046D4000-memory.dmp

Filesize
4KB

Download
memory/1332-188-0x0000000008F30000-0x0000000008F63000-memory.dmp

Filesize
204KB

Download
memory/1332-225-0x000000007F370000-0x000000007F371000-memory.dmp

Filesize
4KB

Download
memory/1332-149-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/3716-126-0x00000000063E0000-0x00000000063E1000-memory.dmp

Filesize
4KB

Download
memory/3716-138-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

Filesize
4KB

Download
memory/3716-122-0x0000000005E40000-0x0000000005E41000-memory.dmp

Filesize
4KB

Download
memory/3716-115-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3716-121-0x00000000058E0000-0x0000000005940000-memory.dmp

Filesize
384KB

Download
memory/3716-120-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/3716-117-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads