8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf

General

Target

8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Size

251KB
MD5

dfa5a24fcaf54c7a0281e86994eba56b
SHA1

bb3a4e20e147f646c560b95c645f0ac813ab8ef7
SHA256

8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf
SHA512

efc1e5843f4145563599cf94a983013d986b7bf1f5acb188ab8e9a67e18129c447ad510fe03294ad10924690c79196bbc912acc158e898337880336d36fa1ea6

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\Java"	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\Java"	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeSecurityPrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeTakeOwnershipPrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeLoadDriverPrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeSystemProfilePrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeSystemtimePrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeProfSingleProcessPrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeIncBasePriorityPrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeCreatePagefilePrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeBackupPrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeRestorePrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeShutdownPrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeDebugPrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeSystemEnvironmentPrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeChangeNotifyPrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeRemoteShutdownPrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeUndockPrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeManageVolumePrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeImpersonatePrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: SeCreateGlobalPrivilege	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: 33	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: 34	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: 35	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
Token: 36	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.execmd.execmd.exe

description	pid	process	target process
PID 4796 wrote to memory of 4052	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe	cmd.exe
PID 4796 wrote to memory of 4052	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe	cmd.exe
PID 4796 wrote to memory of 4052	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe	cmd.exe
PID 4796 wrote to memory of 1268	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe	cmd.exe
PID 4796 wrote to memory of 1268	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe	cmd.exe
PID 4796 wrote to memory of 1268	4796	8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe	cmd.exe
PID 4052 wrote to memory of 4120	4052	cmd.exe	attrib.exe
PID 4052 wrote to memory of 4120	4052	cmd.exe	attrib.exe
PID 4052 wrote to memory of 4120	4052	cmd.exe	attrib.exe
PID 1268 wrote to memory of 4860	1268	cmd.exe	attrib.exe
PID 1268 wrote to memory of 4860	1268	cmd.exe	attrib.exe
PID 1268 wrote to memory of 4860	1268	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4120 attrib.exe
4860 attrib.exe

pid	process
4120	attrib.exe
4860	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe
"C:\Users\Admin\AppData\Local\Temp\8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\8614b2ded956894eb65f1fb498624d8cfe9f5ee05599981ef6f16dc7c7ee89bf.exe" +s +h
3⤵
- Views/modifies file attributes
PID:4120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1268