dualshot | 6ca2a65b6c59c2147e49096df836c088a949ec47323cb99655558e18a22025fe

General

Target

DualShot.exe
Size

19KB
MD5

acb31c8ebe9344ab41bdeec32d952499
SHA1

15dad70b4b0061ab0db2de277595dcd4c8176eb0
SHA256

6ca2a65b6c59c2147e49096df836c088a949ec47323cb99655558e18a22025fe
SHA512

e562df64e35c710047d5d7aafda25305a24c5b7e1923924cf4b593defedfbff211b01f4c86795d573fe7af6db5a1a4d5afb98fc30ebb235d8b45977e2e004a8b

Score

10^/10

dualshot persistence ransomware

Malware Config

Signatures

DualShot
Ransomware first seen in June 2020.
ransomware dualshot

DualShot Ransomware executable 3 IoCs

Detected known DualShot strings.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\DSNWIN3693.exe	family_dualshot_ransomware
C:\Users\Admin\AppData\Local\DSNWIN3693.exe	family_dualshot_ransomware
C:\Users\Admin\AppData\Local\DSNWIN3693.exe	family_dualshot_ransomware

Executes dropped EXE 2 IoCs

Processes:

DSNWIN3693.exeDSNWIN3693.exe

pid process

1620 DSNWIN3693.exe
1692 DSNWIN3693.exe

pid	process
1620	DSNWIN3693.exe
1692	DSNWIN3693.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DSNWIN3693.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINUPD40317 = "C:\\Users\\Admin\\AppData\\Local\\DSNWIN3693.exe /ainain C:\\Users\\Admin\\AppData\\Local\\Temp\\TMP78002.dat C:\\Users\\Admin\\AppData\\Local\\Temp\\TMP1091508.dat"	DSNWIN3693.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DualShot.exeDSNWIN3693.exe

description pid process

Token: SeDebugPrivilege 1524 DualShot.exe
Token: SeDebugPrivilege 1620 DSNWIN3693.exe

description	pid	process
Token: SeDebugPrivilege	1524	DualShot.exe
Token: SeDebugPrivilege	1620	DSNWIN3693.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

DualShot.execmd.exeDSNWIN3693.exe

description	pid	process	target process
PID 1524 wrote to memory of 1620	1524	DualShot.exe	DSNWIN3693.exe
PID 1524 wrote to memory of 1620	1524	DualShot.exe	DSNWIN3693.exe
PID 1524 wrote to memory of 1620	1524	DualShot.exe	DSNWIN3693.exe
PID 1524 wrote to memory of 980	1524	DualShot.exe	cmd.exe
PID 1524 wrote to memory of 980	1524	DualShot.exe	cmd.exe
PID 1524 wrote to memory of 980	1524	DualShot.exe	cmd.exe
PID 980 wrote to memory of 1392	980	cmd.exe	choice.exe
PID 980 wrote to memory of 1392	980	cmd.exe	choice.exe
PID 980 wrote to memory of 1392	980	cmd.exe	choice.exe
PID 1620 wrote to memory of 1692	1620	DSNWIN3693.exe	DSNWIN3693.exe
PID 1620 wrote to memory of 1692	1620	DSNWIN3693.exe	DSNWIN3693.exe
PID 1620 wrote to memory of 1692	1620	DSNWIN3693.exe	DSNWIN3693.exe

C:\Users\Admin\AppData\Local\Temp\DualShot.exe
"C:\Users\Admin\AppData\Local\Temp\DualShot.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\DSNWIN3693.exe
"C:\Users\Admin\AppData\Local\DSNWIN3693.exe" /inin
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\DSNWIN3693.exe
"C:\Users\Admin\AppData\Local\DSNWIN3693.exe" /ainain C:\Users\Admin\AppData\Local\Temp\TMP78002.dat C:\Users\Admin\AppData\Local\Temp\TMP1091508.dat
3⤵
- Executes dropped EXE
PID:1692

C:\Windows\system32\cmd.exe
"cmd" /c choice /c Y /n /d Y /t 3 & del "C:\Users\Admin\AppData\Local\Temp\DualShot.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\system32\choice.exe
choice /c Y /n /d Y /t 3
3⤵
PID:1392

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DSNWIN3693.exe
MD5
acb31c8ebe9344ab41bdeec32d952499

SHA1
15dad70b4b0061ab0db2de277595dcd4c8176eb0

SHA256
6ca2a65b6c59c2147e49096df836c088a949ec47323cb99655558e18a22025fe

SHA512
e562df64e35c710047d5d7aafda25305a24c5b7e1923924cf4b593defedfbff211b01f4c86795d573fe7af6db5a1a4d5afb98fc30ebb235d8b45977e2e004a8b

Download Submit
C:\Users\Admin\AppData\Local\DSNWIN3693.exe
MD5
acb31c8ebe9344ab41bdeec32d952499

SHA1
15dad70b4b0061ab0db2de277595dcd4c8176eb0

SHA256
6ca2a65b6c59c2147e49096df836c088a949ec47323cb99655558e18a22025fe

SHA512
e562df64e35c710047d5d7aafda25305a24c5b7e1923924cf4b593defedfbff211b01f4c86795d573fe7af6db5a1a4d5afb98fc30ebb235d8b45977e2e004a8b

Download Submit
C:\Users\Admin\AppData\Local\DSNWIN3693.exe
MD5
acb31c8ebe9344ab41bdeec32d952499

SHA1
15dad70b4b0061ab0db2de277595dcd4c8176eb0

SHA256
6ca2a65b6c59c2147e49096df836c088a949ec47323cb99655558e18a22025fe

SHA512
e562df64e35c710047d5d7aafda25305a24c5b7e1923924cf4b593defedfbff211b01f4c86795d573fe7af6db5a1a4d5afb98fc30ebb235d8b45977e2e004a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP1091508.dat
MD5
d43f02f020e181bedab13286615d72a5

SHA1
5c4eaf5eaf4e864b29ec46b9ead9f07f10c72d4a

SHA256
b4fe1c93f2973bca08562bbe36eaba31c661961f12811b0878f94e6146897fdd

SHA512
654a6704ab56d59cc413c8b1395c74dace1064243bf25b3380bad1a9f393493c4ea11751d0082ae461e197e69990f64f873d087356b6ab6b4f0abfc14c0adc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP78002.dat
MD5
67dfebc6e650570e59a7b8276f082421

SHA1
9597de4eb95310fa8dfc8450a89319b62dbdc070

SHA256
8ad8f4f90d301f4b7971db095e08acd0c6c1215cc90d439b54533d27c0ae6bd3

SHA512
0580221e291ea727b09e55df338a120f75e8b3e055e99d612286778ac8eb1565709dfd4a075dc604658b8766f42e3262ef888c77c9bb0d14b8e99a884b01141f

Download Submit
memory/980-61-0x0000000000000000-mapping.dmp

Download
memory/1392-62-0x0000000000000000-mapping.dmp

Download
memory/1524-54-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/1620-59-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/1620-56-0x0000000000000000-mapping.dmp

Download
memory/1692-63-0x0000000000000000-mapping.dmp

Download
memory/1692-69-0x000000001B390000-0x000000001B392000-memory.dmp

Filesize
8KB

Download
memory/1692-70-0x000000001B396000-0x000000001B3B5000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads