fd39401c01097b075ab3e5ea0e26cac9355bbc197cb15dd003fc1d1f1fc3babe

General

Target

MOT-09800080000.exe
Size

525KB
MD5

bda2eaf80ab5ed6fd1128d4ae02e2f1b
SHA1

12aa26befa0055398748ae12ae0d04f286c565cb
SHA256

ffcf5fb0cd579ec9b9ce49e2b1eafc62f89fdcb5d418e338cd6dab310a241a2d
SHA512

a34e9c827d29efe8dc44296ee3a1dbd2daa59594125372099d6f1219a455c6d5de934848ca098dee50d0f7dfe09ed1db0337b0f1d7063e94749b24dd4b616087

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

MOT-09800080000.exe

pid process

944 MOT-09800080000.exe
944 MOT-09800080000.exe

pid	process
944	MOT-09800080000.exe
944	MOT-09800080000.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MOT-09800080000.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\name = "C:\\Users\\Admin\\AppData\\Roaming\\folder\\file.exe"	MOT-09800080000.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

MOT-09800080000.exe

pid process

944 MOT-09800080000.exe
944 MOT-09800080000.exe
944 MOT-09800080000.exe
944 MOT-09800080000.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

MOT-09800080000.exe

pid process

944 MOT-09800080000.exe

pid	process
944	MOT-09800080000.exe
944	MOT-09800080000.exe
944	MOT-09800080000.exe
944	MOT-09800080000.exe

pid	process
944	MOT-09800080000.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

MOT-09800080000.exe

description	pid	process	target process
PID 944 wrote to memory of 560	944	MOT-09800080000.exe	MSBuild.exe
PID 944 wrote to memory of 560	944	MOT-09800080000.exe	MSBuild.exe
PID 944 wrote to memory of 560	944	MOT-09800080000.exe	MSBuild.exe
PID 944 wrote to memory of 560	944	MOT-09800080000.exe	MSBuild.exe
PID 944 wrote to memory of 560	944	MOT-09800080000.exe	MSBuild.exe
PID 944 wrote to memory of 620	944	MOT-09800080000.exe	MOT-09800080000.exe
PID 944 wrote to memory of 620	944	MOT-09800080000.exe	MOT-09800080000.exe
PID 944 wrote to memory of 620	944	MOT-09800080000.exe	MOT-09800080000.exe
PID 944 wrote to memory of 620	944	MOT-09800080000.exe	MOT-09800080000.exe

C:\Users\Admin\AppData\Local\Temp\MOT-09800080000.exe
"C:\Users\Admin\AppData\Local\Temp\MOT-09800080000.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\MOT-09800080000.exe"
2⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\MOT-09800080000.exe
"C:\Users\Admin\AppData\Local\Temp\MOT-09800080000.exe"
2⤵
PID:620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2d1df0df2.jpg
MD5
4cfc75c00486d8f4e73dd5b94c64f03f

SHA1
1e256a86038d05c040a9f314acb2becbae6dceee

SHA256
9cc293f9694794762c41558fe9da0169d758dd57c02f9a26d9c53b67c3141e79

SHA512
be658f5d7a617527bdc87dcb564562a66bd9e23efcdbc1ad04b20030a51c93b88c9cfccb11f20194472c73d267e1b1466f3b7f85f08f7c1ea729eef31af4d696

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d0e21f.jpg
MD5
57ae72fb4d5bbe5d4c5c2601d1bef33f

SHA1
6f59e15f178973aefbd37a1d2681912af6f5af9b

SHA256
1111033d9b16af8fea542dd08c0c3c28f310fdf653a4cb5bbf71ee26620820f9

SHA512
11c937c6f5e5ac951b198eb9e9c239ffededae79d5f14dc64f63fae2afa1bf691cc5051737d81ac90a67e493d563219a2c83d656b5febdd98cd3ca7b39d075b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oird.dll
MD5
422cbf45447722c4464030bc4b4b69d3

SHA1
e49c2c126d1a1ff1c5a512f8419d763d6a19c8d1

SHA256
8b58260e509fe875f2efd4920b4ab64ded30f70804d12a073237f2d796448b7f

SHA512
0f7bf833cccca324be767c6eb972b1898dea5027ceb207b976d4c25198209f648c54bb140b7dfb47757256eb86076e07a78c39a86e73d25b4fa331ab90e65320

Download Submit
C:\Users\Admin\AppData\Local\Temp\version.gradle
MD5
984285c6be1bd008248ef52f657b5272

SHA1
9a74b4271e1b6cc0cfb6396c8d21856c6590f5a5

SHA256
2011cedf94f6f2526ba2065f033184c3c789c1ae15e1d5539d51e3c693bff6e7

SHA512
1fa8419873cbfa23e20884728d0287f8d96b995b19f449ddbb217fe851aefed6fc81f1561a5eb2380ffb8fb33d54fdbd71f1d28fa04c2f952e69f3abc12e8bcd

Download Submit
\Users\Admin\AppData\Local\Temp\nsy40B9.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\oird.dll
MD5
422cbf45447722c4464030bc4b4b69d3

SHA1
e49c2c126d1a1ff1c5a512f8419d763d6a19c8d1

SHA256
8b58260e509fe875f2efd4920b4ab64ded30f70804d12a073237f2d796448b7f

SHA512
0f7bf833cccca324be767c6eb972b1898dea5027ceb207b976d4c25198209f648c54bb140b7dfb47757256eb86076e07a78c39a86e73d25b4fa331ab90e65320

Download Submit
memory/944-55-0x0000000076921000-0x0000000076923000-memory.dmp

Filesize
8KB

Download
memory/944-58-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing