b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3

General

Target

b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe
Size

1.5MB
MD5

fe7c13445868482b63e1ae71bca9d150
SHA1

78111d52ba0215bb531d487bc6e9a218ea768377
SHA256

b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3
SHA512

c1a2bc27e1381f6ed142ffb8a6cdb0006a9161433dbb9222f83ec407cf0bb5510f9986108b4e96c4a3d0dd30659cc48baec96b9ca962082c64c0fcbcc8c0879c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Decoder.exesystems32.exe

pid process

680 Decoder.exe
58784 systems32.exe

pid	process
680	Decoder.exe
58784	systems32.exe

Drops startup file 2 IoCs

Processes:

Decoder.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows driver update.exe	Decoder.exe

Loads dropped DLL 1 IoCs

Processes:

b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe

pid process

1944 b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
4 api.ipify.org

flow	ioc
3	api.ipify.org
4	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe

pid	process
1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe
1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1492 schtasks.exe
58876 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1300 timeout.exe
1424 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Decoder.exesystems32.exe

pid process

680 Decoder.exe
58784 systems32.exe

pid	process
1492	schtasks.exe
58876	schtasks.exe

pid	process
1300	timeout.exe
1424	timeout.exe

pid	process
680	Decoder.exe
58784	systems32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exeDecoder.exesystems32.exe

description	pid	process
Token: SeDebugPrivilege	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe
Token: SeDebugPrivilege	680	Decoder.exe
Token: SeDebugPrivilege	58784	systems32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe

pid process

1944 b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.execmd.execmd.exeDecoder.exetaskeng.exesystems32.exe

description	pid	process	target process
PID 1944 wrote to memory of 680	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	Decoder.exe
PID 1944 wrote to memory of 680	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	Decoder.exe
PID 1944 wrote to memory of 680	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	Decoder.exe
PID 1944 wrote to memory of 680	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	Decoder.exe
PID 1944 wrote to memory of 572	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	cmd.exe
PID 1944 wrote to memory of 572	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	cmd.exe
PID 1944 wrote to memory of 572	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	cmd.exe
PID 1944 wrote to memory of 572	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	cmd.exe
PID 1944 wrote to memory of 668	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	cmd.exe
PID 1944 wrote to memory of 668	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	cmd.exe
PID 1944 wrote to memory of 668	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	cmd.exe
PID 1944 wrote to memory of 668	1944	b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe	cmd.exe
PID 668 wrote to memory of 1424	668	cmd.exe	timeout.exe
PID 668 wrote to memory of 1424	668	cmd.exe	timeout.exe
PID 668 wrote to memory of 1424	668	cmd.exe	timeout.exe
PID 668 wrote to memory of 1424	668	cmd.exe	timeout.exe
PID 572 wrote to memory of 1300	572	cmd.exe	timeout.exe
PID 572 wrote to memory of 1300	572	cmd.exe	timeout.exe
PID 572 wrote to memory of 1300	572	cmd.exe	timeout.exe
PID 572 wrote to memory of 1300	572	cmd.exe	timeout.exe
PID 680 wrote to memory of 1492	680	Decoder.exe	schtasks.exe
PID 680 wrote to memory of 1492	680	Decoder.exe	schtasks.exe
PID 680 wrote to memory of 1492	680	Decoder.exe	schtasks.exe
PID 58492 wrote to memory of 58784	58492	taskeng.exe	systems32.exe
PID 58492 wrote to memory of 58784	58492	taskeng.exe	systems32.exe
PID 58492 wrote to memory of 58784	58492	taskeng.exe	systems32.exe
PID 58784 wrote to memory of 58876	58784	systems32.exe	schtasks.exe
PID 58784 wrote to memory of 58876	58784	systems32.exe	schtasks.exe
PID 58784 wrote to memory of 58876	58784	systems32.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe
"C:\Users\Admin\AppData\Local\Temp\b6b855bda533fefd81c9a7ca8929e52b1b79be7b5e4c4d9fb494392a2c4d8db3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944

C:\ProgramData\Decoder.exe
"C:\ProgramData\Decoder.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
3⤵
- Creates scheduled task(s)
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4358.tmp.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1424

C:\Windows\system32\taskeng.exe
taskeng.exe {AEFC3BE6-3227-4BCC-B77D-8A57490156DC} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:58492

C:\systems32_bit\systems32.exe
\systems32_bit\systems32.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:58784

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Services" /tr "\systems32_bit\systems32.exe" /f
3⤵
- Creates scheduled task(s)
PID:58876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe
Filesize
39KB

MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\ProgramData\Decoder.exe
Filesize
39KB

MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd
Filesize
28B

MD5
217407484aac2673214337def8886072

SHA1
0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6

SHA256
467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797

SHA512
8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4358.tmp.cmd
Filesize
131B

MD5
d24fa10befdf8e5043f12632665a7990

SHA1
62cdfcaaafb90897ae1b955e13a372b3b0de50de

SHA256
9ae02fe424ba041c4e2e99496bb163d4d2209e1ffa081f8f07d742c272803d20

SHA512
4e849cda458fa88b2643795e850fe12a80369e1d7e854761786dcbdd0e51c5a2b3f42d7bde78381f991b1405452e07070e17ace8da231f0ac24fc4b8c2064b43

Download Submit
C:\systems32_bit\systems32.exe
Filesize
39KB

MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
C:\systems32_bit\systems32.exe
Filesize
39KB

MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
\ProgramData\Decoder.exe
Filesize
39KB

MD5
e753a9a4c3a393d9eccc31e5c6aded66

SHA1
5501ae71598925711dbee54f6ee1c827dd01d845

SHA256
52773fccbe6883ca7465ffe857c3fe7193521f0807bd8462f95bd4ad73be9867

SHA512
ee03d79cd24db07c3466cc602a657c9eb33119267b591a64a0d9215e3a80a24e3c435275ccfb5ffd7356def5bf717c5f2d8bc9a5b2daf1950ecf951b5e614c2e

Download Submit
memory/572-60-0x0000000000000000-mapping.dmp

Download
memory/668-62-0x0000000000000000-mapping.dmp

Download
memory/680-67-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/680-68-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download
memory/680-58-0x0000000000000000-mapping.dmp

Download
memory/1300-66-0x0000000000000000-mapping.dmp

Download
memory/1424-65-0x0000000000000000-mapping.dmp

Download
memory/1492-69-0x0000000000000000-mapping.dmp

Download
memory/1944-55-0x0000000000800000-0x0000000000C4E000-memory.dmp

Filesize
4.3MB

Download
memory/1944-54-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1944-56-0x0000000002EF0000-0x0000000002F66000-memory.dmp

Filesize
472KB

Download
memory/58784-70-0x0000000000000000-mapping.dmp

Download
memory/58784-73-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/58876-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads