00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe
Size

870KB
MD5

588be75f7ceb82915980b2f90be3c4ac
SHA1

65d5912f2e9b8a16989c72c4e943c2e1ecc014ee
SHA256

00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124
SHA512

b8737dd5a3bda3ee0a6476c46fcfaf688c5d3fe2067117dec90206896e095d8fc0ed91425acd397b3efdebe42c6c43051d9ffc6c51e505b3f66a49a73a51c99b

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-87585857695986954\winmgr.exe = "C:\\Users\\Admin\\M-87585857695986954\\winmgr.exe:*:Enabled:Microsoft Windows Service"	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe

Executes dropped EXE 2 IoCs

pid	Process
4928	winmgr.exe
3408	winmgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run\	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Service = "C:\\Users\\Admin\\M-87585857695986954\\winmgr.exe"	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0006000000022e43-135.dat	autoit_exe
behavioral2/files/0x0006000000022e43-137.dat	autoit_exe
behavioral2/files/0x0006000000022e43-162.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3744 set thread context of 5008	3744	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	79
PID 4928 set thread context of 3408	4928	winmgr.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 5008	3744	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	79
PID 3744 wrote to memory of 5008	3744	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	79
PID 3744 wrote to memory of 5008	3744	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	79
PID 3744 wrote to memory of 5008	3744	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	79
PID 3744 wrote to memory of 5008	3744	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	79
PID 3744 wrote to memory of 5008	3744	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	79
PID 3744 wrote to memory of 5008	3744	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	79
PID 3744 wrote to memory of 5008	3744	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	79
PID 3744 wrote to memory of 5008	3744	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	79
PID 3744 wrote to memory of 5008	3744	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	79
PID 5008 wrote to memory of 4928	5008	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	80
PID 5008 wrote to memory of 4928	5008	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	80
PID 5008 wrote to memory of 4928	5008	00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe	80
PID 4928 wrote to memory of 3408	4928	winmgr.exe	81
PID 4928 wrote to memory of 3408	4928	winmgr.exe	81
PID 4928 wrote to memory of 3408	4928	winmgr.exe	81
PID 4928 wrote to memory of 3408	4928	winmgr.exe	81
PID 4928 wrote to memory of 3408	4928	winmgr.exe	81
PID 4928 wrote to memory of 3408	4928	winmgr.exe	81
PID 4928 wrote to memory of 3408	4928	winmgr.exe	81
PID 4928 wrote to memory of 3408	4928	winmgr.exe	81
PID 4928 wrote to memory of 3408	4928	winmgr.exe	81
PID 4928 wrote to memory of 3408	4928	winmgr.exe	81

C:\Users\Admin\AppData\Local\Temp\00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe
"C:\Users\Admin\AppData\Local\Temp\00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Users\Admin\AppData\Local\Temp\00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe
  "C:\Users\Admin\AppData\Local\Temp\00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124.exe"
  2⤵
  - Modifies firewall policy service
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\M-87585857695986954\winmgr.exe
    C:\Users\Admin\M-87585857695986954\winmgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Users\Admin\M-87585857695986954\winmgr.exe
      "C:\Users\Admin\M-87585857695986954\winmgr.exe"
      4⤵
      Executes dropped EXE
      PID:3408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\deepweb.txt

Filesize
60KB

MD5
cdf386a1e11c0af4f542fc3e07b87536

SHA1
7c1bdef434d549f2436f9b3f1b595346beaf8bb5

SHA256
fa942d6e5601b220f125b15ba2ee8e10cfa21c539ad07dc352b117d6dfa74b0e

SHA512
c5af6fdb956bce3101977a4e8468a3ace7f69597f15051a7bbef92f8aa4efde9b6f11753919ebb8e0cf97d5c6f5a0ccf9e9c2d40b5303271f406854acf0d120f

Download Submit
C:\Users\Admin\AppData\Local\Temp\deepwebx.txt

Filesize
60KB

MD5
1f59dec3d69b5a8ce892db9ff72096c3

SHA1
923a511671583f7e144a8b6a5547d1018bf0e3cc

SHA256
b8dfc0af166b7e0bb771d15bf315442247410a4e82c4091a5a85205fa1b89b47

SHA512
8cfd98c164b07e21e132f3a89a870c98d80e45bbd9cb3b7da191b418bcd17a83febc11da92df8e9ae609cf2992601aa520e91f02057696a2e89bfb4f5414b499

Download Submit
C:\Users\Admin\AppData\Local\Temp\super.txt

Filesize
23KB

MD5
6a5e903d0e3d8e7deff69677ca5286f8

SHA1
e8d387c0e61c2b290ecb2af437cf7781b7ce3b43

SHA256
5eb2103d4d5a91190bc9f7501468512bcca49c5bfc1cf00d327dd7cb1073f6d6

SHA512
74cd6668b3e618149349b548469779012ac1a3ce66c8e032cf0fd615f4bbbe8663ed38e1677c8991098e1ab0d231624852d6546a9a9a742ae0b3e532b4137f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.txt

Filesize
1008KB

MD5
a2666455959c9748f358e8b3a7e66887

SHA1
7db3a68ac09d632bc626af292bbd391c347643e4

SHA256
88746b9b51a83ea498e7653b2d2eb0facb082b3d97a089f07057d37c0acd070e

SHA512
923a30d54f6811af1261e00e3f3ff70782c9feb628d3029e782640ed9303910446603d94e5d71ba7cba051d9c8116e28e1cfef5c1c27c996544c2bdcb35bb6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\test2.txt

Filesize
37KB

MD5
bdb3a82cc793956e535f53e463c40afe

SHA1
41f6491f5a94f152d4ef9fb66bbdc9c85c3224ee

SHA256
fa6637f8b009218a257fed66d158b66b4df4707965304f4c20ddaf5cee31853d

SHA512
45a785c976aa9110809b79ff781ceb918e2edac92d7e358b9f3a402bc47ea14652f738f4afc18ca4742e8c0f1351f838157ca679d54600bf1d510f22f9faaf16

Download Submit
C:\Users\Admin\AppData\Local\Temp\test2x.txt

Filesize
100B

MD5
6a5b76312aceea53d56b4373d53c1451

SHA1
d5a9eafc38b81a25daf03b3d9a742ee1bba3651b

SHA256
21da4382be35ee414afd57f6802b3802b00e79f0762a2b9942591be4b846099c

SHA512
b59130490303b607013812bba31f704fedf8789848ac98005d37e163bedfffb7d70bebb023feaaf28664f6000163868c6cf5f45f7f9434971ecdf82f66c7ff7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\test2xx.txt

Filesize
98B

MD5
f42f0562816b96102dde294fb2c508ac

SHA1
191e0e60526e020c4f456eb2f08b1536b8e7712d

SHA256
b2da6507c5a77d3d0d2b711bb8c347c383f29e39ac7b74b479b5425e2ac77c00

SHA512
67a36d10fac324588eb420857522cc32d41cebd1745b96a7e9713fddf8318f751e16e84b42b446a2c9465fb4dc5a77b8ede75f6af097c33f9d2a87f9649a2255

Download Submit
C:\Users\Admin\AppData\Local\Temp\test3.txt

Filesize
20KB

MD5
02a1b9a670c6546acc6564dea8ca7e60

SHA1
81fbe9633374a9f3765b44d07755ce5d69bf25a5

SHA256
ecab43b783976f145d341fc45b3c16e621dcb1ab2ff23896e8d7b36a818f6e50

SHA512
5dcaf0999d0f93badfd6ea29d794fddbaf7ef15197a5b1673675fb5aa7e3d428b88e1bd0d89a665dca7fa1feccd6c69880c6a5da06f879597d2eb6c43a39e13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\test3x.txt

Filesize
108B

MD5
88116ec49738a1493fc284c51d4dbfba

SHA1
269f74c3259ae5fe2c4cc2445ccb2e8b0baf9004

SHA256
0d6a0f80e046b6bb77b87c1ca051f4bac821966293af47a62f7e5106fa1a6f74

SHA512
a430d8f6bbf86e397c4bbaa4e77b30f594540823658a7e8f217561adf100ea5839769388469d152d96d4bda63eee40b33c80945cbef235645c8f12ef369b6eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\test3xx.txt

Filesize
106B

MD5
71ef96891967694c1d2c9e6fb72ba818

SHA1
10ae116ef5e19764ac5d3a647d65f547eaa354ac

SHA256
3ec812b26581121de1a020d5dc547ad6f6ac9e321625ccca16367e56966dc275

SHA512
e9b8ab935099688f4b18e651116471f0588a13bb3fe4177591cdf21df07c187fe5463e20e67c2e11758fe7746bfc480db6c37d6e263fb80f1393e5db2cc6eafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\test4.txt

Filesize
21KB

MD5
9502cf3cfd7c7f51188ccfd0cf851d0d

SHA1
32099c2e0361f6b2a706bd6961ccb8728db3b91f

SHA256
f6ef060e5a68809bc2aa73a0625f230af174eb894fd6f0d6fee0b205cd80277e

SHA512
39d71084b1eec758b0321d3ff01512ac27d0912b498c81b8441f0f4cfde1025e3fa577bb0ff9548565793ea1774667710ec34cbbd8d90ac1982d3488c15b8083

Download Submit
C:\Users\Admin\AppData\Local\Temp\test4x.txt

Filesize
92B

MD5
861c22522a523bc72bf9a9b2e22e97c4

SHA1
e11ca81fe0ad875b6a3cca1bd3211f30a1524a42

SHA256
5110cadd1656f1197d4eea225af235b8265b4b77d6c6682e8119f55982199b6b

SHA512
5194b0a40e85e3ef85b96aa18b9e9e672c9aa364f41e5ed3870ce5445b6d1e02f9dd8c5d3a81c4f7064197b419708803f9170048a636cdee4d7db135e6409978

Download Submit
C:\Users\Admin\AppData\Local\Temp\test4xx.txt

Filesize
90B

MD5
7c7b6d024c627da303b1e8109b59ec8a

SHA1
8fde1af23426e860986e91f8b6c1f4fd6d3190c9

SHA256
57f0978901d4f374d9f06e07d6070f96c8041b0a8d45f46cad418066447d0186

SHA512
0d602dea536780594a6c496d8cc09d8c4c9f8eb251357f3b8562a741234651b2a079ce353dab391340b6f64b56080f00625333e6ece3a35a1c95471fdb2612c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\test5.txt

Filesize
25KB

MD5
9d12b89bb2fde1b8eeb265b6989432b6

SHA1
cba25bd8dc9821f427f188e8d31583ccc9e8d416

SHA256
28d1bb1ad0ebecca44eb84355990060bf6ea451fae79e4f8ac98e8dc4b2d5747

SHA512
4591665bf63e909d842d59354b562fc4e4d8f6c40b0fc24c0681f475954cfbf8c29b4cd752e5097583180788e2b3e571363873d3120f7caffe3e8dc25b257971

Download Submit
C:\Users\Admin\AppData\Local\Temp\test5x.txt

Filesize
132B

MD5
e66c0849f8c9ee70c59203af0386926c

SHA1
4b05703f471081f9afdfb2c9934c32ea5c8be962

SHA256
084db12140daf226e3f8d024aead723729fcadb541f99c5ec152d0f43bdda5a6

SHA512
794add74dd65eae0f4f72290ff7bf31e9afc40f1c9ea79222a42d93f9cd1b87ee799c406b3309278c81f66e75f39ab6dc879be08abcc163c276d4175c86c058f

Download Submit
C:\Users\Admin\AppData\Local\Temp\test5xx.txt

Filesize
130B

MD5
f785444fa8783ebace5bf3a7ce1014d3

SHA1
bef83ea60af3a910a3bac03569e67f7aab3ca6ae

SHA256
dd496c7c8ccb887c5c9991d6a8b261e89aa1a115443058e1738eb67c9a19e754

SHA512
982fe767118c897d7ae1e7031788b48b9196af5ad55f77d83d3d244dc73ee39532e8c8b589410b59145f4c6bf817459bff22f7bba5f10549a8bd7e4f137b4120

Download Submit
C:\Users\Admin\AppData\Local\Temp\test6.txt

Filesize
125KB

MD5
89e4dc7ed892a5e0e4562a7895196a98

SHA1
9df41fd2806d49f54402811c1cd93ebeb1577321

SHA256
89290930bb8beed88e417328a17bd4922b021324c6958850585ce439677e16ce

SHA512
92218038abbc1d4d4c23842c07cc8b0a0f306db5fafe1becd128e19e0065292742c653e17de852cb921f8e0aac525ccc3babbae3044244d484685875b86dcde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\test6x.txt

Filesize
638B

MD5
0341d74cbe7eeddc97ff57a3f41e0aae

SHA1
7ac9e057c5ef1b99080631a0977ce4047cd6eecf

SHA256
79c3589c266a2f1790a416f6f269ba914d14ed0602e6c6d0964de696b350e781

SHA512
dcce723f520329c79f73ff5b7799a61a30ef9e5801b4f04f4897b06d54bbe84186e6022402f5170f3993dfb2a431131e4dd6123191ab430fc164f208061ee152

Download Submit
C:\Users\Admin\AppData\Local\Temp\test6xx.txt

Filesize
636B

MD5
b7f737a87dfe2176e40bce919499a69b

SHA1
403a2a8b72fe577139b4ee4310fccd0e669e854f

SHA256
db3c01361118d67e942ab190b76a8c7055e7b2e38c3f41f96eff80c01ad4623d

SHA512
c2dfc3ca2b6d695b9eaed6f595ec9367d3464e17b25e0627d7adc768e5cb85d5e9bfc3b6602e62589bef849f80c9d7027459b937841eb7c4f19dd8c9b41765df

Download Submit
C:\Users\Admin\AppData\Local\Temp\testx.txt

Filesize
2KB

MD5
a0990ddbb2099b380a275d32475e2fb6

SHA1
87d9c5f70be309efd85fe3076431c186eeb333eb

SHA256
1162921461c2a373fc3e3982f7995effc4ff32456a6bc9d3a6f9e263936c0283

SHA512
c7849f81c7b9cbd329f13abcc20604caaee9b310c434b385f44bb4635d29b9346f64ea2399d07b02e8d0d883e97f0f4bd89b676c9318b5dbd9b346267130ecb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\testxx.txt

Filesize
2KB

MD5
992dea548be8314039a109d8f0725578

SHA1
dbfbb7268164b58f27bc4650158312058573ac32

SHA256
9a186fead0270c923d4672ed89b898f9210cfd59837ab1fbdc82987a61378cec

SHA512
52c22415a7f0cafa1d42163873fb46e8f02a081e9edda7a51c02be87a5c0550e3eebba4f697b33d6e62bf42a79f1cbcb75f281d2cc0dc2a78e6a8e933da20577

Download Submit
C:\Users\Admin\AppData\Local\Temp\ultra.txt

Filesize
1KB

MD5
5b54502a7b2e3f71523db902eb15bcc0

SHA1
6635020844365299471d9ac2b597eccc5bff6589

SHA256
b3d65b73767d55ec548557bc83b445d51c81fbb84f845ca255d835d87c4cf1e2

SHA512
9d2ae5ba95e97edc0adbecf474628d98abfb77b2b54d14a087ef4f6f46947632814eff1a539200ea5d445dad00f77742ee654227e8c38f6200ff16386787ca86

Download Submit
C:\Users\Admin\M-87585857695986954\winmgr.exe

Filesize
870KB

MD5
588be75f7ceb82915980b2f90be3c4ac

SHA1
65d5912f2e9b8a16989c72c4e943c2e1ecc014ee

SHA256
00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124

SHA512
b8737dd5a3bda3ee0a6476c46fcfaf688c5d3fe2067117dec90206896e095d8fc0ed91425acd397b3efdebe42c6c43051d9ffc6c51e505b3f66a49a73a51c99b

Download Submit
C:\Users\Admin\M-87585857695986954\winmgr.exe

Filesize
870KB

MD5
588be75f7ceb82915980b2f90be3c4ac

SHA1
65d5912f2e9b8a16989c72c4e943c2e1ecc014ee

SHA256
00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124

SHA512
b8737dd5a3bda3ee0a6476c46fcfaf688c5d3fe2067117dec90206896e095d8fc0ed91425acd397b3efdebe42c6c43051d9ffc6c51e505b3f66a49a73a51c99b

Download Submit
C:\Users\Admin\M-87585857695986954\winmgr.exe

Filesize
870KB

MD5
588be75f7ceb82915980b2f90be3c4ac

SHA1
65d5912f2e9b8a16989c72c4e943c2e1ecc014ee

SHA256
00e3a90b4ee0f42804438613af3198e1d42cd5a35d6d83186fb048f60de4c124

SHA512
b8737dd5a3bda3ee0a6476c46fcfaf688c5d3fe2067117dec90206896e095d8fc0ed91425acd397b3efdebe42c6c43051d9ffc6c51e505b3f66a49a73a51c99b

Download Submit
memory/3408-165-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3408-164-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5008-136-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5008-131-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5008-133-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads