0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81

General

Target

0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe
Size

136KB
MD5

8ebac733f4b1605c3c6a0a3d33b736c5
SHA1

39fc6fb560d593971d5c28bb4e34b44b2c928468
SHA256

0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81
SHA512

593501b154ae06bd2aeb5217c716039df4accda7bc185c57f3d945de36b036e14b09ebeaaad869acbd3693288df2996b53e2165040558dfa49303fb9ced57d66

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mancompon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1812	964	WerFault.exe	30

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mancompon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mancompon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mancompon.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mancompon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mancompon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mancompon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mancompon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mancompon.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1864	0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe
1380	0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe
1552	mancompon.exe
964	mancompon.exe
964	mancompon.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1380	0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 1380	1864	0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe	28
PID 1864 wrote to memory of 1380	1864	0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe	28
PID 1864 wrote to memory of 1380	1864	0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe	28
PID 1864 wrote to memory of 1380	1864	0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe	28
PID 1552 wrote to memory of 964	1552	mancompon.exe	30
PID 1552 wrote to memory of 964	1552	mancompon.exe	30
PID 1552 wrote to memory of 964	1552	mancompon.exe	30
PID 1552 wrote to memory of 964	1552	mancompon.exe	30
PID 964 wrote to memory of 1812	964	mancompon.exe	31
PID 964 wrote to memory of 1812	964	mancompon.exe	31
PID 964 wrote to memory of 1812	964	mancompon.exe	31
PID 964 wrote to memory of 1812	964	mancompon.exe	31

C:\Users\Admin\AppData\Local\Temp\0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe
"C:\Users\Admin\AppData\Local\Temp\0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Local\Temp\0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe
  "C:\Users\Admin\AppData\Local\Temp\0d697553cab987c23fa567329b9073d076fa8d573501de634e19ddf474604e81.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:1380

C:\Windows\SysWOW64\mancompon.exe
"C:\Windows\SysWOW64\mancompon.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\SysWOW64\mancompon.exe
  "C:\Windows\SysWOW64\mancompon.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 180
    3⤵
    - Program crash
    PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-85-0x0000000000160000-0x0000000000179000-memory.dmp

Filesize
100KB

Download
memory/964-90-0x0000000000160000-0x0000000000179000-memory.dmp

Filesize
100KB

Download
memory/964-77-0x0000000000180000-0x0000000000199000-memory.dmp

Filesize
100KB

Download
memory/964-81-0x0000000000180000-0x0000000000199000-memory.dmp

Filesize
100KB

Download
memory/964-88-0x0000000000160000-0x0000000000179000-memory.dmp

Filesize
100KB

Download
memory/964-86-0x0000000000370000-0x0000000000390000-memory.dmp

Filesize
128KB

Download
memory/1380-60-0x0000000000140000-0x0000000000159000-memory.dmp

Filesize
100KB

Download
memory/1380-68-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/1380-69-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1380-70-0x0000000000120000-0x0000000000139000-memory.dmp

Filesize
100KB

Download
memory/1380-67-0x0000000000120000-0x0000000000139000-memory.dmp

Filesize
100KB

Download
memory/1380-84-0x0000000000120000-0x0000000000139000-memory.dmp

Filesize
100KB

Download
memory/1380-64-0x0000000000140000-0x0000000000159000-memory.dmp

Filesize
100KB

Download
memory/1552-75-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/1552-82-0x0000000000250000-0x0000000000269000-memory.dmp

Filesize
100KB

Download
memory/1552-83-0x0000000000290000-0x00000000002B0000-memory.dmp

Filesize
128KB

Download
memory/1552-71-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/1864-54-0x0000000000320000-0x0000000000339000-memory.dmp

Filesize
100KB

Download
memory/1864-66-0x0000000000340000-0x0000000000360000-memory.dmp

Filesize
128KB

Download
memory/1864-65-0x0000000000300000-0x0000000000319000-memory.dmp

Filesize
100KB

Download
memory/1864-58-0x0000000000320000-0x0000000000339000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing