0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a

General

Target

0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
Size

202KB
MD5

beaf5e523e8e3e3fb9dc2a361cda0573
SHA1

b038caeed3466c07c5f473bfd6c5bd11e5afccf1
SHA256

0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a
SHA512

f0692ff4b5b2278952806b183246a96077c893d2487c5023b56bbccfbd8d16f09dd9394aae8cc71d33ad8b3d9474f4e7825bcccc0f24029eaa753d131fc8a683

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 4 IoCs

Processes:

turnedadmin.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	turnedadmin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	turnedadmin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	turnedadmin.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	turnedadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

turnedadmin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	turnedadmin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	turnedadmin.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	turnedadmin.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exeturnedadmin.exeturnedadmin.exe

pid	process
4568	0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
4568	0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
4964	0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
4964	0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
3340	turnedadmin.exe
3340	turnedadmin.exe
64	turnedadmin.exe
64	turnedadmin.exe
64	turnedadmin.exe
64	turnedadmin.exe
64	turnedadmin.exe
64	turnedadmin.exe
64	turnedadmin.exe
64	turnedadmin.exe
64	turnedadmin.exe
64	turnedadmin.exe
64	turnedadmin.exe
64	turnedadmin.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe

pid process

4964 0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe

pid	process
4964	0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exeturnedadmin.exe

description	pid	process	target process
PID 4568 wrote to memory of 4964	4568	0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe	0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
PID 4568 wrote to memory of 4964	4568	0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe	0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
PID 4568 wrote to memory of 4964	4568	0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe	0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
PID 3340 wrote to memory of 64	3340	turnedadmin.exe	turnedadmin.exe
PID 3340 wrote to memory of 64	3340	turnedadmin.exe	turnedadmin.exe
PID 3340 wrote to memory of 64	3340	turnedadmin.exe	turnedadmin.exe

C:\Users\Admin\AppData\Local\Temp\0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
"C:\Users\Admin\AppData\Local\Temp\0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\AppData\Local\Temp\0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe
"C:\Users\Admin\AppData\Local\Temp\0fe713faf94bed3424ce7c7ac576db24cbb50e989f87b6844865971aed98b24a.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:4964

C:\Windows\SysWOW64\turnedadmin.exe
"C:\Windows\SysWOW64\turnedadmin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\SysWOW64\turnedadmin.exe
"C:\Windows\SysWOW64\turnedadmin.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:64

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-134-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4568-130-0x0000000002180000-0x0000000002192000-memory.dmp

Filesize
72KB

Download
memory/4568-131-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4964-132-0x0000000002040000-0x0000000002052000-memory.dmp

Filesize
72KB

Download
memory/4964-133-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads