8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf

General

Target

8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Size

251KB
MD5

dfa5a24fcaf54c7a0281e86994eba56b
SHA1

bb3a4e20e147f646c560b95c645f0ac813ab8ef7
SHA256

8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf
SHA512

efc1e5843f4145563599cf94a983013d986b7bf1f5acb188ab8e9a67e18129c447ad510fe03294ad10924690c79196bbc912acc158e898337880336d36fa1ea6

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\Java"	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\Java"	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeSecurityPrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeTakeOwnershipPrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeLoadDriverPrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeSystemProfilePrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeSystemtimePrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeProfSingleProcessPrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeIncBasePriorityPrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeCreatePagefilePrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeBackupPrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeRestorePrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeShutdownPrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeDebugPrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeSystemEnvironmentPrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeChangeNotifyPrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeRemoteShutdownPrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeUndockPrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeManageVolumePrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeImpersonatePrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeCreateGlobalPrivilege	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: 33	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: 34	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: 35	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.execmd.execmd.exe

description	pid	process	target process
PID 1672 wrote to memory of 1028	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe	cmd.exe
PID 1672 wrote to memory of 1028	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe	cmd.exe
PID 1672 wrote to memory of 1028	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe	cmd.exe
PID 1672 wrote to memory of 1028	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe	cmd.exe
PID 1672 wrote to memory of 1808	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe	cmd.exe
PID 1672 wrote to memory of 1808	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe	cmd.exe
PID 1672 wrote to memory of 1808	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe	cmd.exe
PID 1672 wrote to memory of 1808	1672	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe	cmd.exe
PID 1028 wrote to memory of 1932	1028	cmd.exe	attrib.exe
PID 1028 wrote to memory of 1932	1028	cmd.exe	attrib.exe
PID 1028 wrote to memory of 1932	1028	cmd.exe	attrib.exe
PID 1028 wrote to memory of 1932	1028	cmd.exe	attrib.exe
PID 1808 wrote to memory of 2012	1808	cmd.exe	attrib.exe
PID 1808 wrote to memory of 2012	1808	cmd.exe	attrib.exe
PID 1808 wrote to memory of 2012	1808	cmd.exe	attrib.exe
PID 1808 wrote to memory of 2012	1808	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1932 attrib.exe
2012 attrib.exe

pid	process
1932	attrib.exe
2012	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
"C:\Users\Admin\AppData\Local\Temp\8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe" +s +h
3⤵
- Views/modifies file attributes
PID:1932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Views/modifies file attributes
PID:2012

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Hidden Files and Directories

2

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1028-55-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x00000000763C1000-0x00000000763C3000-memory.dmp

Filesize
8KB

Download
memory/1808-56-0x0000000000000000-mapping.dmp

Download
memory/1932-57-0x0000000000000000-mapping.dmp

Download
memory/2012-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads