77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb

General

Target

77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe
Size

539KB
MD5

c6f6dbd9cc541857159b379ed0b52e9a
SHA1

9fb25d597eae11b3867e8dd532d536872197782e
SHA256

77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb
SHA512

10fa08450a72c59dbb9c18d5ffd8eb156b75e6b67f487fa02765bab7a05e781f028d068f08c823d2a2fd3fd5ce6e06dc48be9f4f3005996ac6ee636be6ed9e52

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Desktop.exenjCrypted.exe

pid process

2036 Desktop.exe
1564 njCrypted.exe

pid	process
2036	Desktop.exe
1564	njCrypted.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exeDesktop.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Desktop.exe

Drops startup file 2 IoCs

Processes:

njCrypted.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	njCrypted.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	njCrypted.exe

Loads dropped DLL 2 IoCs

Processes:

njCrypted.exe

pid process

1564 njCrypted.exe
1564 njCrypted.exe

pid	process
1564	njCrypted.exe
1564	njCrypted.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

njCrypted.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\njCrypted.exe\" .."	njCrypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\njCrypted.exe\" .."	njCrypted.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

njCrypted.exe

pid process

1564 njCrypted.exe

pid	process
1564	njCrypted.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

njCrypted.exe

description	pid	process
Token: SeDebugPrivilege	1564	njCrypted.exe
Token: 33	1564	njCrypted.exe
Token: SeIncBasePriorityPrivilege	1564	njCrypted.exe
Token: 33	1564	njCrypted.exe
Token: SeIncBasePriorityPrivilege	1564	njCrypted.exe
Token: 33	1564	njCrypted.exe
Token: SeIncBasePriorityPrivilege	1564	njCrypted.exe
Token: 33	1564	njCrypted.exe
Token: SeIncBasePriorityPrivilege	1564	njCrypted.exe
Token: 33	1564	njCrypted.exe
Token: SeIncBasePriorityPrivilege	1564	njCrypted.exe
Token: 33	1564	njCrypted.exe
Token: SeIncBasePriorityPrivilege	1564	njCrypted.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.execmd.exeDesktop.exe

description	pid	process	target process
PID 2544 wrote to memory of 3664	2544	77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe	cmd.exe
PID 2544 wrote to memory of 3664	2544	77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe	cmd.exe
PID 2544 wrote to memory of 3664	2544	77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe	cmd.exe
PID 3664 wrote to memory of 2036	3664	cmd.exe	Desktop.exe
PID 3664 wrote to memory of 2036	3664	cmd.exe	Desktop.exe
PID 3664 wrote to memory of 2036	3664	cmd.exe	Desktop.exe
PID 2036 wrote to memory of 1564	2036	Desktop.exe	njCrypted.exe
PID 2036 wrote to memory of 1564	2036	Desktop.exe	njCrypted.exe
PID 2036 wrote to memory of 1564	2036	Desktop.exe	njCrypted.exe

C:\Users\Admin\AppData\Local\Temp\77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe
"C:\Users\Admin\AppData\Local\Temp\77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Run.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3664

C:\Users\Admin\AppData\Local\Temp\Desktop.exe
Desktop.exe -p123
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\njCrypted.exe
"C:\Users\Admin\AppData\Local\Temp\njCrypted.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 0
1⤵
- Checks processor information in registry
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Desktop.exe
MD5
8bb1f98c7477ad78f791fdd456fe2379

SHA1
247056c9eb9741bb383bf056371e0634c94d6e01

SHA256
52c33bcf87e73c6a9c7845a1e6402c3ac092e846735cba1e02f8ef21476abd6c

SHA512
8129a02dcf88a20a94ad174455de28c7b66aa89a4e15e79253d5b52b5c2db26c1ae93405d140aef067ece48ff2bc3dd7747b6d91d7411606962ee3d4b8ecc420

Download Submit
C:\Users\Admin\AppData\Local\Temp\Desktop.exe
MD5
8bb1f98c7477ad78f791fdd456fe2379

SHA1
247056c9eb9741bb383bf056371e0634c94d6e01

SHA256
52c33bcf87e73c6a9c7845a1e6402c3ac092e846735cba1e02f8ef21476abd6c

SHA512
8129a02dcf88a20a94ad174455de28c7b66aa89a4e15e79253d5b52b5c2db26c1ae93405d140aef067ece48ff2bc3dd7747b6d91d7411606962ee3d4b8ecc420

Download Submit
C:\Users\Admin\AppData\Local\Temp\EntryPoint.dll
MD5
1a7b936836035d21ebd2294f574b6eea

SHA1
d0e1ff21f91ec7bc9c57899c051c6c9c98b9cfef

SHA256
52b168751f25a4c68ff6cac2035a8554e35a609eca4f70831592ab02a1fa8ba2

SHA512
5ff43920f0936171252364b5347049941cae7232e80b43b53e1908933fcfb9aefa8141b8f7d00b7a21f42c90e803780bdfc2ddb7182e9017b5294aa8e0ccfe71

Download Submit
C:\Users\Admin\AppData\Local\Temp\EntryPoint.dll
MD5
1a7b936836035d21ebd2294f574b6eea

SHA1
d0e1ff21f91ec7bc9c57899c051c6c9c98b9cfef

SHA256
52b168751f25a4c68ff6cac2035a8554e35a609eca4f70831592ab02a1fa8ba2

SHA512
5ff43920f0936171252364b5347049941cae7232e80b43b53e1908933fcfb9aefa8141b8f7d00b7a21f42c90e803780bdfc2ddb7182e9017b5294aa8e0ccfe71

Download Submit
C:\Users\Admin\AppData\Local\Temp\EntryPoint.dll
MD5
1a7b936836035d21ebd2294f574b6eea

SHA1
d0e1ff21f91ec7bc9c57899c051c6c9c98b9cfef

SHA256
52b168751f25a4c68ff6cac2035a8554e35a609eca4f70831592ab02a1fa8ba2

SHA512
5ff43920f0936171252364b5347049941cae7232e80b43b53e1908933fcfb9aefa8141b8f7d00b7a21f42c90e803780bdfc2ddb7182e9017b5294aa8e0ccfe71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Run.bat
MD5
33aac93bbfac6285ee2343af52e67951

SHA1
b878552b521d0b8f0031b07749221b6d310217d3

SHA256
d81716d88ad01dd36b74fe8b6fbf194f108e8e05f136a5e3e82b68764c414d8f

SHA512
58a7bd40077d4442e79ecc9cb9295cfea3ff9333ff906c6c7a512872ee168acbec7c358213036f2404073cc1bf4b07ec18c454047d47b320f94e528272bdf90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\njCrypted.exe
MD5
6038ae65dfbd99b83ff4d7b85cb29d3d

SHA1
4b44d8ba4d51222af49f1e700857715094b9faa8

SHA256
46819d84fca655adff31af8b787177fa0d31a8cba30a5cf75f8e7f32a9c95946

SHA512
cb7c048f163bbf266afb2c53972a965b2e548e178315178afe85b89508a11cc6f9605f67674fe7efde7aab1b05e66ce22915e7f0dc2c5350b46879f4dfcfb715

Download Submit
C:\Users\Admin\AppData\Local\Temp\njCrypted.exe
MD5
6038ae65dfbd99b83ff4d7b85cb29d3d

SHA1
4b44d8ba4d51222af49f1e700857715094b9faa8

SHA256
46819d84fca655adff31af8b787177fa0d31a8cba30a5cf75f8e7f32a9c95946

SHA512
cb7c048f163bbf266afb2c53972a965b2e548e178315178afe85b89508a11cc6f9605f67674fe7efde7aab1b05e66ce22915e7f0dc2c5350b46879f4dfcfb715

Download Submit
memory/1564-137-0x0000000004E80000-0x0000000004F1C000-memory.dmp

Filesize
624KB

Download
memory/1564-136-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/1564-135-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/1564-141-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1564-142-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/1564-143-0x0000000005B50000-0x00000000060F4000-memory.dmp

Filesize
5.6MB

Download
memory/1564-144-0x0000000000EA0000-0x0000000000F32000-memory.dmp

Filesize
584KB

Download
memory/1564-145-0x0000000000F90000-0x0000000000F9A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads