ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a

General

Target

ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe
Size

30KB
MD5

910635e580fd5de4759968959f6d0bb4
SHA1

934fbaeebdfe9c7c5c21696bd4e288094c44eef0
SHA256

ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a
SHA512

76411000d85d8634e1efefd533fac7defb65a7278820c2df64c8b6eb6d92d03f382025afeb5e8a6e99f9de5b8b36a25106b279818c2221fae4c187c5774fd4be

Score

10^/10

discovery evasion persistence ransomware spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.gmx.net
Port:
587
Username:
[email protected]
Password:
q!]*zZ@aWs[d)9x^c<n[

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables RegEdit via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1220	takeown.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe"	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	api.ipify.org
10	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4848	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe
4848	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe
4848	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe
4848	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe
4848	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe
4848	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe
4848	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe
4848	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe
4848	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe
4848	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4236	4848	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe	86
PID 4848 wrote to memory of 4236	4848	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe	86
PID 4848 wrote to memory of 4236	4848	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe	86
PID 4848 wrote to memory of 3440	4848	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe	83
PID 4848 wrote to memory of 3440	4848	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe	83
PID 4848 wrote to memory of 3440	4848	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe	83

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe

C:\Users\Admin\AppData\Local\Temp\ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe
"C:\Users\Admin\AppData\Local\Temp\ef0b62c34bac3ea9c196ce4f96ac4aca30d91378dc465abf44a7871aa9e6775a.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."
  2⤵
  PID:3440
- C:\Windows\SysWOW64\wbem\WMIC.exe
  "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
  2⤵
  PID:4236

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\"."
1⤵
- Modifies file permissions
PID:1220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

File and Directory Permissions Modification

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4848-130-0x00000000009C0000-0x00000000009CE000-memory.dmp

Filesize
56KB

Download
memory/4848-131-0x0000000005230000-0x00000000052CC000-memory.dmp

Filesize
624KB

Download
memory/4848-132-0x0000000005880000-0x0000000005E24000-memory.dmp

Filesize
5.6MB

Download
memory/4848-133-0x0000000005370000-0x0000000005402000-memory.dmp

Filesize
584KB

Download
memory/4848-135-0x0000000005500000-0x0000000005556000-memory.dmp

Filesize
344KB

Download
memory/4848-134-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/4848-136-0x000000000A500000-0x000000000A566000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads