0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363

General

Target

0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Size

252KB
MD5

044626347c403a9fa5370006cd52f2ec
SHA1

57f68fe970b1367fb38d3bc4e4434ef76c148a31
SHA256

0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363
SHA512

9b088e9b3bde254c7603b9a3b74f46f1c2162dfd31166ad18b84d3eae3320d50411ce5cb4638628028d4a4a9087dbe383c9c9f0224769f8cb5e9271fcd5a832f

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\×èòû"	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\×èòû"	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeSecurityPrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeTakeOwnershipPrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeLoadDriverPrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeSystemProfilePrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeSystemtimePrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeProfSingleProcessPrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeIncBasePriorityPrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeCreatePagefilePrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeBackupPrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeRestorePrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeShutdownPrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeDebugPrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeSystemEnvironmentPrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeChangeNotifyPrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeRemoteShutdownPrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeUndockPrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeManageVolumePrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeImpersonatePrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: SeCreateGlobalPrivilege	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: 33	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: 34	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
Token: 35	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.execmd.execmd.exe

description	pid	process	target process
PID 1092 wrote to memory of 2012	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe	cmd.exe
PID 1092 wrote to memory of 2012	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe	cmd.exe
PID 1092 wrote to memory of 2012	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe	cmd.exe
PID 1092 wrote to memory of 2012	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe	cmd.exe
PID 1092 wrote to memory of 1984	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe	cmd.exe
PID 1092 wrote to memory of 1984	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe	cmd.exe
PID 1092 wrote to memory of 1984	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe	cmd.exe
PID 1092 wrote to memory of 1984	1092	0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe	cmd.exe
PID 2012 wrote to memory of 1992	2012	cmd.exe	attrib.exe
PID 2012 wrote to memory of 1992	2012	cmd.exe	attrib.exe
PID 2012 wrote to memory of 1992	2012	cmd.exe	attrib.exe
PID 2012 wrote to memory of 1992	2012	cmd.exe	attrib.exe
PID 1984 wrote to memory of 1964	1984	cmd.exe	attrib.exe
PID 1984 wrote to memory of 1964	1984	cmd.exe	attrib.exe
PID 1984 wrote to memory of 1964	1984	cmd.exe	attrib.exe
PID 1984 wrote to memory of 1964	1984	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1992 attrib.exe
1964 attrib.exe

pid	process
1992	attrib.exe
1964	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe
"C:\Users\Admin\AppData\Local\Temp\0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\0f18011ef2afa539dd7ffbac8465e04d8b851ba3cfb5c131bb87c0e391110363.exe" +s +h
3⤵
- Views/modifies file attributes
PID:1992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Views/modifies file attributes
PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-54-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1964-58-0x0000000000000000-mapping.dmp

Download
memory/1984-56-0x0000000000000000-mapping.dmp

Download
memory/1992-57-0x0000000000000000-mapping.dmp

Download
memory/2012-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads