cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e

General

Target

cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe
Size

32KB
MD5

d7a713e57405859e14321f8bebd9916b
SHA1

d2de0e59242a540a633a4ce8be7e7310b0eca618
SHA256

cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e
SHA512

ae51405fb97d3ec289d5f033b7dde2d7cd27acc6a51b8000fe426b4cbf0c37f38c11e7524012e6da4736746e30aa4d4fee15f7adfd2dea59b9305b4af43d805b

Score

10^/10

persistence themida

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,c:\\Windows\\bfsvcm.exe,"	cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/740-55-0x0000000000400000-0x000000000041B3BE-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unlock = "\"c:\\Windows\\notepad.exe\" c:\\ReadMe.TxT"	cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "To recover files, follow the prompts in the text file \"Readme\""	cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Hacked = "F182KCSWOTQG32Lb"	cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Attention!!! Your files are encrypted !!!"	cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe

Drops file in Windows directory 2 IoCs

Processes:

cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe

description	ioc	process
File created	\??\c:\Windows\bfsvcm.exe	cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe
File opened for modification	\??\c:\Windows\bfsvcm.exe	cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1684 tasklist.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1392 taskkill.exe

pid	process
1684	tasklist.exe

pid	process
1392	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1684 tasklist.exe
Token: SeDebugPrivilege 1392 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1684	tasklist.exe
Token: SeDebugPrivilege	1392	taskkill.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.execmd.execmd.exe

description	pid	process	target process
PID 740 wrote to memory of 1356	740	cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe	cmd.exe
PID 740 wrote to memory of 1356	740	cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe	cmd.exe
PID 740 wrote to memory of 1356	740	cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe	cmd.exe
PID 740 wrote to memory of 1356	740	cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe	cmd.exe
PID 1356 wrote to memory of 1456	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 1456	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 1456	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 1456	1356	cmd.exe	cmd.exe
PID 1456 wrote to memory of 1684	1456	cmd.exe	tasklist.exe
PID 1456 wrote to memory of 1684	1456	cmd.exe	tasklist.exe
PID 1456 wrote to memory of 1684	1456	cmd.exe	tasklist.exe
PID 1456 wrote to memory of 1684	1456	cmd.exe	tasklist.exe
PID 1356 wrote to memory of 1468	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 1468	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 1468	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 1468	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 1480	1356	cmd.exe	find.exe
PID 1356 wrote to memory of 1480	1356	cmd.exe	find.exe
PID 1356 wrote to memory of 1480	1356	cmd.exe	find.exe
PID 1356 wrote to memory of 1480	1356	cmd.exe	find.exe
PID 1356 wrote to memory of 1280	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 1280	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 1280	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 1280	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 1524	1356	cmd.exe	find.exe
PID 1356 wrote to memory of 1524	1356	cmd.exe	find.exe
PID 1356 wrote to memory of 1524	1356	cmd.exe	find.exe
PID 1356 wrote to memory of 1524	1356	cmd.exe	find.exe
PID 1356 wrote to memory of 1460	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 1460	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 1460	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 1460	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 1476	1356	cmd.exe	find.exe
PID 1356 wrote to memory of 1476	1356	cmd.exe	find.exe
PID 1356 wrote to memory of 1476	1356	cmd.exe	find.exe
PID 1356 wrote to memory of 1476	1356	cmd.exe	find.exe
PID 1356 wrote to memory of 1392	1356	cmd.exe	taskkill.exe
PID 1356 wrote to memory of 1392	1356	cmd.exe	taskkill.exe
PID 1356 wrote to memory of 1392	1356	cmd.exe	taskkill.exe
PID 1356 wrote to memory of 1392	1356	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe
"C:\Users\Admin\AppData\Local\Temp\cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\W.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "WINDOWTITLE eq 2046510897" /FO CSV
3⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "WINDOWTITLE eq 2046510897" /FO CSV
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set WhiteList=Microsoft.ActiveDirectory.WebServices.exe:cmd.exe:find.exe:conhost.exe:explorer.exe:ctfmon.exe:dllhost.exe:lsass.exe:services.exe:smss.exe:tasklist.exe:winlogon.exe:wmiprvse.exe:msdts.exe:bfsvc.exe:AdapterTroubleshooter.exe:alg.exe:dwm.exe:issch.exe:rundll32.exe:spoolsv.exe:wininit.exe:wmiprvse.exe:wudfhost.exe:taskmgr.exe:rdpclip.exe:logonui.exe:lsm.exe:spoolsv.exe:dwm.exe:dfssvc.exe:csrss.exe:svchost.exe:cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe:/FO CSV') Do (Echo :"
3⤵
PID:1468

C:\Windows\SysWOW64\find.exe
Find /I ":%~p:"
3⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Echo :"
3⤵
PID:1280

C:\Windows\SysWOW64\find.exe
Find /I ":%~p:"
3⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Echo :"
3⤵
PID:1460

C:\Windows\SysWOW64\find.exe
Find /I ":):"
3⤵
PID:1476

C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM ")"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

2

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\W.bat
MD5
2a4b2d3b1ca3969cb3eaf23c01f333c2

SHA1
f64746a1675ecda48d70b440573d79e6ac5fad42

SHA256
8eb86b8e9a5e1f7d970d1608f6e8bdcbc1f9b7faa20ea157325f54d3a4d82fbb

SHA512
a0f9cb09f68f8bb7b99ca96caebb1cd63aa9bae02f012569561cde1dd332898596e9182cc9e12d34906c629198ff996525c335f75b0ff934139c1d03ecc1fc8d

Download Submit
memory/740-65-0x0000000000260000-0x0000000000269000-memory.dmp

Filesize
36KB

Download
memory/740-62-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/740-66-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/740-61-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/740-67-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/740-63-0x0000000000230000-0x000000000025D000-memory.dmp

Filesize
180KB

Download
memory/740-64-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/740-68-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/740-59-0x0000000001FC0000-0x000000000205F000-memory.dmp

Filesize
636KB

Download
memory/740-57-0x0000000000400000-0x000000000041B3BE-memory.dmp

Filesize
108KB

Download
memory/740-55-0x0000000000400000-0x000000000041B3BE-memory.dmp

Filesize
108KB

Download
memory/740-60-0x0000000002470000-0x000000000259D000-memory.dmp

Filesize
1.2MB

Download
memory/740-69-0x00000000004D0000-0x00000000004EF000-memory.dmp

Filesize
124KB

Download
memory/740-70-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/740-71-0x0000000002780000-0x0000000002889000-memory.dmp

Filesize
1.0MB

Download
memory/740-72-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/740-56-0x00000000763B1000-0x00000000763B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads