fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504

General

Target

fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
Size

287KB
MD5

3a7cf1131fb5d7b200d76884a27d17e2
SHA1

dcb545a6f61c545a47079c4be5b75d7f2e7ff8b6
SHA256

fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504
SHA512

f4af3e0c00fee64aa9a388f6b1d9b304fad2fd97402c1f579c746885f3751d94dac3f1573374392ec904c82d88a0fec8b3acd290a3d299204dbcc7f9438cca9a

Score

8^/10

persistence ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\BlockWatch.tif => C:\Users\Admin\Pictures\BlockWatch.tif..726	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File renamed	C:\Users\Admin\Pictures\CompareUpdate.tif => C:\Users\Admin\Pictures\CompareUpdate.tif..726	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File renamed	C:\Users\Admin\Pictures\ExitClose.png => C:\Users\Admin\Pictures\ExitClose.png..726	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File renamed	C:\Users\Admin\Pictures\SelectUpdate.png => C:\Users\Admin\Pictures\SelectUpdate.png..726	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File renamed	C:\Users\Admin\Pictures\SkipUnpublish.tif => C:\Users\Admin\Pictures\SkipUnpublish.tif..726	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File renamed	C:\Users\Admin\Pictures\UpdateResume.crw => C:\Users\Admin\Pictures\UpdateResume.crw..726	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\CertificatesCheck = "C:\\Users\\Public\\fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe"	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe

Drops desktop.ini file(s) 26 IoCs

Processes:

fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe

description	ioc	process
File opened for modification	C:\Users\Public\Music\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Public\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe

description	pid	process	target process
PID 1488 set thread context of 2992	1488	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe

Drops file in Program Files directory 64 IoCs

Processes:

fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_pt-BR.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_cs.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_uk.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateSetup.exe	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_hr.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ur.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_te.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_zh-CN.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\psuser.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_sv.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_et.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RECOVER-FILES-726.html	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_is.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_pl.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_vi.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RECOVER-FILES-726.html	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\RECOVER-FILES-726.html	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_en.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\psuser_64.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\psmachine.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_es-419.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ms.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_th.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_iw.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ru.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_gu.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ca.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File created	C:\Program Files (x86)\Google\Update\Install\{D36A04EE-33F2-4199-8863-BB9931AE6C74}\RECOVER-FILES-726.html	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_kn.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ml.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File created	C:\Program Files (x86)\Google\Update\RECOVER-FILES-726.html	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_fi.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_hi.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\RECOVER-FILES-726.html	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_tr.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_bn.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ko.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_fa.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_id.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_sl.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_en-GB.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\RECOVER-FILES-726.html	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_fil.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_nl.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RECOVER-FILES-726.html	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_am.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_mr.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ta.dll	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe

pid	process
2992	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
2992	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exefe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.execmd.exe

description	pid	process	target process
PID 1488 wrote to memory of 2992	1488	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
PID 1488 wrote to memory of 2992	1488	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
PID 1488 wrote to memory of 2992	1488	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
PID 1488 wrote to memory of 2992	1488	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
PID 1488 wrote to memory of 2992	1488	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
PID 1488 wrote to memory of 2992	1488	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
PID 1488 wrote to memory of 2992	1488	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
PID 1488 wrote to memory of 2992	1488	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
PID 1488 wrote to memory of 2992	1488	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
PID 2992 wrote to memory of 1212	2992	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe	cmd.exe
PID 2992 wrote to memory of 1212	2992	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe	cmd.exe
PID 2992 wrote to memory of 1212	2992	fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe	cmd.exe
PID 1212 wrote to memory of 2152	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 2152	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 2152	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 3260	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 3260	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 3260	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 2272	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 2272	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 2272	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 1852	1212	cmd.exe	attrib.exe
PID 1212 wrote to memory of 1852	1212	cmd.exe	attrib.exe
PID 1212 wrote to memory of 1852	1212	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1852 attrib.exe

pid	process
1852	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
"C:\Users\Admin\AppData\Local\Temp\fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe
"C:\Users\Admin\AppData\Local\Temp\fe5d565b1f7b0a5b25edf491dafb826ab4270d99e574ba716baa99fd224aa504.exe"
2⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\__t577A.tmp.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
4⤵
PID:2152

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
4⤵
PID:3260

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
4⤵
PID:2272

C:\Windows\SysWOW64\attrib.exe
attrib Default.rdp -s -h
4⤵
- Views/modifies file attributes
PID:1852

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe e14b1fbe0b66a7edd78b2425d671ca6a 7s8fIIQQMEmz3ID6MaZggQ.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Hidden Files and Directories

1

T1158

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__t577A.tmp.bat
MD5
32d8f7a3d0c796cee45f64b63c1cca38

SHA1
d58466430a2bba8641bd92c880557379e25b140c

SHA256
1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea

SHA512
288213b92a03ac750ea319bb23c52e7bdf47f5a47ecb70c905c7610a84c63a3ec0a30801b5880e6def8df2c9f577082072e342198d23a19f64e561923e1ef698

Download Submit
memory/1488-133-0x0000000000690000-0x00000000006D1000-memory.dmp

Filesize
260KB

Download
memory/2992-134-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2992-136-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads