dualshot | 6ca2a65b6c59c2147e49096df836c088a949ec47323cb99655558e18a22025fe

General

Target

DualShot.exe
Size

19KB
MD5

acb31c8ebe9344ab41bdeec32d952499
SHA1

15dad70b4b0061ab0db2de277595dcd4c8176eb0
SHA256

6ca2a65b6c59c2147e49096df836c088a949ec47323cb99655558e18a22025fe
SHA512

e562df64e35c710047d5d7aafda25305a24c5b7e1923924cf4b593defedfbff211b01f4c86795d573fe7af6db5a1a4d5afb98fc30ebb235d8b45977e2e004a8b

Score

10^/10

dualshot persistence ransomware

Malware Config

Signatures

DualShot
Ransomware first seen in June 2020.
ransomware dualshot

DualShot Ransomware executable 3 IoCs

Detected known DualShot strings.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\DSNWIN1743.exe	family_dualshot_ransomware
C:\Users\Admin\AppData\Local\DSNWIN1743.exe	family_dualshot_ransomware
C:\Users\Admin\AppData\Local\DSNWIN1743.exe	family_dualshot_ransomware

Executes dropped EXE 2 IoCs

Processes:

DSNWIN1743.exeDSNWIN1743.exe

pid process

3876 DSNWIN1743.exe
1688 DSNWIN1743.exe

pid	process
3876	DSNWIN1743.exe
1688	DSNWIN1743.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DSNWIN1743.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINUPD25128 = "C:\\Users\\Admin\\AppData\\Local\\DSNWIN1743.exe /ainain C:\\Users\\Admin\\AppData\\Local\\Temp\\TMP44190.dat C:\\Users\\Admin\\AppData\\Local\\Temp\\TMP1081718.dat"	DSNWIN1743.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DualShot.exeDSNWIN1743.exe

description pid process

Token: SeDebugPrivilege 3496 DualShot.exe
Token: SeDebugPrivilege 3876 DSNWIN1743.exe

description	pid	process
Token: SeDebugPrivilege	3496	DualShot.exe
Token: SeDebugPrivilege	3876	DSNWIN1743.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

DualShot.execmd.exeDSNWIN1743.exe

description	pid	process	target process
PID 3496 wrote to memory of 3876	3496	DualShot.exe	DSNWIN1743.exe
PID 3496 wrote to memory of 3876	3496	DualShot.exe	DSNWIN1743.exe
PID 3496 wrote to memory of 372	3496	DualShot.exe	cmd.exe
PID 3496 wrote to memory of 372	3496	DualShot.exe	cmd.exe
PID 372 wrote to memory of 1196	372	cmd.exe	choice.exe
PID 372 wrote to memory of 1196	372	cmd.exe	choice.exe
PID 3876 wrote to memory of 1688	3876	DSNWIN1743.exe	DSNWIN1743.exe
PID 3876 wrote to memory of 1688	3876	DSNWIN1743.exe	DSNWIN1743.exe

C:\Users\Admin\AppData\Local\Temp\DualShot.exe
"C:\Users\Admin\AppData\Local\Temp\DualShot.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496

C:\Users\Admin\AppData\Local\DSNWIN1743.exe
"C:\Users\Admin\AppData\Local\DSNWIN1743.exe" /inin
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876

C:\Users\Admin\AppData\Local\DSNWIN1743.exe
"C:\Users\Admin\AppData\Local\DSNWIN1743.exe" /ainain C:\Users\Admin\AppData\Local\Temp\TMP44190.dat C:\Users\Admin\AppData\Local\Temp\TMP1081718.dat
3⤵
- Executes dropped EXE
PID:1688

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c choice /c Y /n /d Y /t 3 & del "C:\Users\Admin\AppData\Local\Temp\DualShot.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\system32\choice.exe
choice /c Y /n /d Y /t 3
3⤵
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DSNWIN1743.exe
MD5
acb31c8ebe9344ab41bdeec32d952499

SHA1
15dad70b4b0061ab0db2de277595dcd4c8176eb0

SHA256
6ca2a65b6c59c2147e49096df836c088a949ec47323cb99655558e18a22025fe

SHA512
e562df64e35c710047d5d7aafda25305a24c5b7e1923924cf4b593defedfbff211b01f4c86795d573fe7af6db5a1a4d5afb98fc30ebb235d8b45977e2e004a8b

Download Submit
C:\Users\Admin\AppData\Local\DSNWIN1743.exe
MD5
acb31c8ebe9344ab41bdeec32d952499

SHA1
15dad70b4b0061ab0db2de277595dcd4c8176eb0

SHA256
6ca2a65b6c59c2147e49096df836c088a949ec47323cb99655558e18a22025fe

SHA512
e562df64e35c710047d5d7aafda25305a24c5b7e1923924cf4b593defedfbff211b01f4c86795d573fe7af6db5a1a4d5afb98fc30ebb235d8b45977e2e004a8b

Download Submit
C:\Users\Admin\AppData\Local\DSNWIN1743.exe
MD5
acb31c8ebe9344ab41bdeec32d952499

SHA1
15dad70b4b0061ab0db2de277595dcd4c8176eb0

SHA256
6ca2a65b6c59c2147e49096df836c088a949ec47323cb99655558e18a22025fe

SHA512
e562df64e35c710047d5d7aafda25305a24c5b7e1923924cf4b593defedfbff211b01f4c86795d573fe7af6db5a1a4d5afb98fc30ebb235d8b45977e2e004a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP1081718.dat
MD5
6b1a8629e01b38053e17762d4e4ad4f7

SHA1
b8d0c36b11039c152fd663ca3b6a9091fe4b662a

SHA256
0004940cb88d7f09bb7ffd22a15379f45ee24db306e315a71ecee857513a6d9e

SHA512
be83697368954ccf93961e17c8bc8b13e92f52a10d8f74c9c5a5e835688a3b5c2e12ee7fabd783ba610416c1189b529d4d75292762e5f92c9f035dd77ab8f67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP44190.dat
MD5
4721d8c5a1c9d8a635375a3d47b0afe8

SHA1
47df51d15e3a9f4128b64b271db847eb84f196b7

SHA256
b85e19007e59603620568f7ca8763d121930a3dface8a8ef0ba05b89eec80e7d

SHA512
ddc3bb6d67b8dce1fc4083368c692a52f1fe2d2b6a41073f87000d59cdd9bcd0f155225e27941848b60c61f7e7a8e5151aa6ba40773a7111131cb4e2e6a18676

Download Submit
memory/372-122-0x0000000000000000-mapping.dmp

Download
memory/1196-123-0x0000000000000000-mapping.dmp

Download
memory/1688-124-0x0000000000000000-mapping.dmp

Download
memory/1688-130-0x000000001B0A0000-0x000000001B0A2000-memory.dmp

Filesize
8KB

Download
memory/1688-131-0x000000001B0A2000-0x000000001B0A4000-memory.dmp

Filesize
8KB

Download
memory/3496-115-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/3876-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads