72bf41aca0aa970314f2b66871261e5bd7ac921c7c1ab888dac714d0c7fadbe9

General

Target

72bf41aca0aa970314f2b66871261e5bd7ac921c7c1ab888dac714d0c7fadbe9.exe
Size

480KB
MD5

b732597a08ef31189fb7f7a724838011
SHA1

f7eba74fafe1bf5f4ff9968f8d2ab3fc1627fe44
SHA256

72bf41aca0aa970314f2b66871261e5bd7ac921c7c1ab888dac714d0c7fadbe9
SHA512

07bf492a15c45d03ee84a92b0651987f368165f0c51c6501eeff0fc4305462624c23f635fd2ec4102322bfab47d07f2178699c5e1621e46187df108f331a97a4

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

Processes:

wscript.exe

flow pid process

3 560 wscript.exe
4 560 wscript.exe
5 560 wscript.exe
6 560 wscript.exe
7 560 wscript.exe
8 560 wscript.exe
9 560 wscript.exe
10 560 wscript.exe

flow	pid	process
3	560	wscript.exe
4	560	wscript.exe
5	560	wscript.exe
6	560	wscript.exe
7	560	wscript.exe
8	560	wscript.exe
9	560	wscript.exe
10	560	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

72bf41aca0aa970314f2b66871261e5bd7ac921c7c1ab888dac714d0c7fadbe9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	72bf41aca0aa970314f2b66871261e5bd7ac921c7c1ab888dac714d0c7fadbe9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	72bf41aca0aa970314f2b66871261e5bd7ac921c7c1ab888dac714d0c7fadbe9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

72bf41aca0aa970314f2b66871261e5bd7ac921c7c1ab888dac714d0c7fadbe9.execmd.exe

description	pid	process	target process
PID 892 wrote to memory of 432	892	72bf41aca0aa970314f2b66871261e5bd7ac921c7c1ab888dac714d0c7fadbe9.exe	cmd.exe
PID 892 wrote to memory of 432	892	72bf41aca0aa970314f2b66871261e5bd7ac921c7c1ab888dac714d0c7fadbe9.exe	cmd.exe
PID 892 wrote to memory of 432	892	72bf41aca0aa970314f2b66871261e5bd7ac921c7c1ab888dac714d0c7fadbe9.exe	cmd.exe
PID 892 wrote to memory of 432	892	72bf41aca0aa970314f2b66871261e5bd7ac921c7c1ab888dac714d0c7fadbe9.exe	cmd.exe
PID 892 wrote to memory of 432	892	72bf41aca0aa970314f2b66871261e5bd7ac921c7c1ab888dac714d0c7fadbe9.exe	cmd.exe
PID 892 wrote to memory of 432	892	72bf41aca0aa970314f2b66871261e5bd7ac921c7c1ab888dac714d0c7fadbe9.exe	cmd.exe
PID 892 wrote to memory of 432	892	72bf41aca0aa970314f2b66871261e5bd7ac921c7c1ab888dac714d0c7fadbe9.exe	cmd.exe
PID 432 wrote to memory of 560	432	cmd.exe	wscript.exe
PID 432 wrote to memory of 560	432	cmd.exe	wscript.exe
PID 432 wrote to memory of 560	432	cmd.exe	wscript.exe
PID 432 wrote to memory of 560	432	cmd.exe	wscript.exe
PID 432 wrote to memory of 560	432	cmd.exe	wscript.exe
PID 432 wrote to memory of 560	432	cmd.exe	wscript.exe
PID 432 wrote to memory of 560	432	cmd.exe	wscript.exe

C:\Users\Admin\AppData\Local\Temp\72bf41aca0aa970314f2b66871261e5bd7ac921c7c1ab888dac714d0c7fadbe9.exe
"C:\Users\Admin\AppData\Local\Temp\72bf41aca0aa970314f2b66871261e5bd7ac921c7c1ab888dac714d0c7fadbe9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dim.rem.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\SysWOW64\wscript.exe
    wscript /e:JScript "C:\Users\Admin\Di-Li"
    3⤵
    - Blocklisted process makes network request
    PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dim.rem.cmd

Filesize
365B

MD5
3a386b82dedb9adefe46c3c54c68f868

SHA1
4124c17ed6275939489e8e12a106c9af320bde71

SHA256
8649c5b929675a25ac002d6babd2bc50e1c6d8a7fa662af3b8af860591e4b06a

SHA512
43e87f95fd0772761e32abd53e9557ab5b0c11829a79a8491ed7298690a8a14b033a08202da2695990e653f0bdc00c724113fb5a2812324431faafc4b1fe3285

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\norma.jean

Filesize
838KB

MD5
476ab582a630992490f5b91d759050bb

SHA1
7033381a21e50c491b57be24ec77ca357a7bdce6

SHA256
92374bbc1a22f55b5bc75cba1f91c8bc3913afa217878500285cd6ed9a7908d0

SHA512
2d9dee5f57d5f19096d32e1d648e2108936e54d6812b99cf49ef51ff2e9a396c7bb98d967dbed835efc507b4a4bae03d261dd16e077f1f12461fd57416a8f40e

Download Submit
C:\Users\Admin\Di-Li

Filesize
838KB

MD5
476ab582a630992490f5b91d759050bb

SHA1
7033381a21e50c491b57be24ec77ca357a7bdce6

SHA256
92374bbc1a22f55b5bc75cba1f91c8bc3913afa217878500285cd6ed9a7908d0

SHA512
2d9dee5f57d5f19096d32e1d648e2108936e54d6812b99cf49ef51ff2e9a396c7bb98d967dbed835efc507b4a4bae03d261dd16e077f1f12461fd57416a8f40e

Download Submit
memory/432-55-0x0000000000000000-mapping.dmp

Download
memory/560-59-0x0000000000000000-mapping.dmp

Download
memory/892-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing