d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612

General

Target

d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe
Size

116KB
MD5

1dc550eaf37331a8febe5d9f4176269e
SHA1

d77c9d5d3e916bbf97f33aeca8eadad8b517e68c
SHA256

d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612
SHA512

b35b55c550ec583bf71554872e1410aac9ad1ef7711491f168069c229f56e19fb00712a2a7b1e4552ecb7905ca5ab12482ab2e071079de004cd5cb89c7ad4d85

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,c:\\Windows\\bfsvcm.exe,"	d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unlock = "\"c:\\Windows\\notepad.exe\" c:\\ReadMe.TxT"	d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Hacked = "RK227FcEKTcTGRUC"	d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Attention!!! Your files are encrypted !!!"	d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "To recover files, follow the prompts in the text file \"Readme\""	d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe

Drops file in Windows directory 2 IoCs

Processes:

d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe

description	ioc	process
File opened for modification	\??\c:\Windows\bfsvcm.exe	d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe
File created	\??\c:\Windows\bfsvcm.exe	d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1356 tasklist.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1796 taskkill.exe

pid	process
1356	tasklist.exe

pid	process
1796	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1356 tasklist.exe
Token: SeDebugPrivilege 1796 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1356	tasklist.exe
Token: SeDebugPrivilege	1796	taskkill.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.execmd.execmd.exe

description	pid	process	target process
PID 1396 wrote to memory of 1368	1396	d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe	cmd.exe
PID 1396 wrote to memory of 1368	1396	d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe	cmd.exe
PID 1396 wrote to memory of 1368	1396	d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe	cmd.exe
PID 1396 wrote to memory of 1368	1396	d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe	cmd.exe
PID 1368 wrote to memory of 1360	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 1360	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 1360	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 1360	1368	cmd.exe	cmd.exe
PID 1360 wrote to memory of 1356	1360	cmd.exe	tasklist.exe
PID 1360 wrote to memory of 1356	1360	cmd.exe	tasklist.exe
PID 1360 wrote to memory of 1356	1360	cmd.exe	tasklist.exe
PID 1360 wrote to memory of 1356	1360	cmd.exe	tasklist.exe
PID 1368 wrote to memory of 620	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 620	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 620	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 620	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 432	1368	cmd.exe	find.exe
PID 1368 wrote to memory of 432	1368	cmd.exe	find.exe
PID 1368 wrote to memory of 432	1368	cmd.exe	find.exe
PID 1368 wrote to memory of 432	1368	cmd.exe	find.exe
PID 1368 wrote to memory of 1160	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 1160	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 1160	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 1160	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 1148	1368	cmd.exe	find.exe
PID 1368 wrote to memory of 1148	1368	cmd.exe	find.exe
PID 1368 wrote to memory of 1148	1368	cmd.exe	find.exe
PID 1368 wrote to memory of 1148	1368	cmd.exe	find.exe
PID 1368 wrote to memory of 1140	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 1140	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 1140	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 1140	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 1172	1368	cmd.exe	find.exe
PID 1368 wrote to memory of 1172	1368	cmd.exe	find.exe
PID 1368 wrote to memory of 1172	1368	cmd.exe	find.exe
PID 1368 wrote to memory of 1172	1368	cmd.exe	find.exe
PID 1368 wrote to memory of 1796	1368	cmd.exe	taskkill.exe
PID 1368 wrote to memory of 1796	1368	cmd.exe	taskkill.exe
PID 1368 wrote to memory of 1796	1368	cmd.exe	taskkill.exe
PID 1368 wrote to memory of 1796	1368	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe
"C:\Users\Admin\AppData\Local\Temp\d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\W.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "WINDOWTITLE eq 32003784" /FO CSV
3⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "WINDOWTITLE eq 32003784" /FO CSV
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set WhiteList=Microsoft.ActiveDirectory.WebServices.exe:cmd.exe:find.exe:conhost.exe:explorer.exe:ctfmon.exe:dllhost.exe:lsass.exe:services.exe:smss.exe:tasklist.exe:winlogon.exe:wmiprvse.exe:msdts.exe:bfsvc.exe:AdapterTroubleshooter.exe:alg.exe:dwm.exe:issch.exe:rundll32.exe:spoolsv.exe:wininit.exe:wmiprvse.exe:wudfhost.exe:taskmgr.exe:rdpclip.exe:logonui.exe:lsm.exe:spoolsv.exe:dwm.exe:dfssvc.exe:csrss.exe:svchost.exe:d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe:/FO CSV') Do (Echo :"
3⤵
PID:620

C:\Windows\SysWOW64\find.exe
Find /I ":%~p:"
3⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Echo :"
3⤵
PID:1160

C:\Windows\SysWOW64\find.exe
Find /I ":%~p:"
3⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Echo :"
3⤵
PID:1140

C:\Windows\SysWOW64\find.exe
Find /I ":):"
3⤵
PID:1172

C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM ")"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

2

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\W.bat
MD5
62fa10e1e6f750ca1d2e5ca28aa1fa02

SHA1
c2045eb954e6f5ce13e7c585539eb80f991ff789

SHA256
a1f21c9b3f9166480632b403660db82b92dc688abce20638f4a9962da7f5bf19

SHA512
5377bb73316581c4794227c0efd1914cb525a355bfd2c64e5be88014984dc1411366800cbc4281d91b6b78dcda0cf71478020d0a420a294a1204c5f508571898

Download Submit
memory/1396-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1396-55-0x0000000001DB0000-0x0000000001E79000-memory.dmp

Filesize
804KB

Download
memory/1396-59-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1396-60-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1396-58-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/1396-61-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1396-57-0x0000000001F30000-0x000000000205D000-memory.dmp

Filesize
1.2MB

Download
memory/1396-62-0x0000000002060000-0x000000000207F000-memory.dmp

Filesize
124KB

Download
memory/1396-63-0x0000000002640000-0x0000000002749000-memory.dmp

Filesize
1.0MB

Download
memory/1396-64-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads