df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56

General

Target

df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
Size

212KB
MD5

97cdc2694b476ab047a4d162d19ba8a6
SHA1

56d6f2e31897873d1f38564f659e5b36992a27d2
SHA256

df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56
SHA512

f7956d6a6058ae1c496fae3b5985a60894718a66159b6f3f12ab1c6e3c67442defb6ba30233101db62e5b949a29719f19a5e029fdf0164e8886b4a9173d3987a

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Trojan.exeTrojan.exe

pid process

4624 Trojan.exe
4556 Trojan.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2296 netsh.exe

pid	process
4624	Trojan.exe
4556	Trojan.exe

pid	process
2296	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exeTrojan.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\CbNkGKKTsa = "C:\\Users\\Admin\\AppData\\Roaming\\CrJxFNPQeE\\eRSAErfXKH.exe"	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exeTrojan.exe

description	pid	process	target process
PID 4776 set thread context of 3644	4776	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 4624 set thread context of 4556	4624	Trojan.exe	Trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Trojan.exe

pid	process
4556	Trojan.exe
4556	Trojan.exe
4556	Trojan.exe
4556	Trojan.exe
4556	Trojan.exe
4556	Trojan.exe
4556	Trojan.exe
4556	Trojan.exe
4556	Trojan.exe
4556	Trojan.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exeTrojan.exe

description	pid	process
Token: SeDebugPrivilege	3644	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
Token: SeDebugPrivilege	4556	Trojan.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exedf8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exeTrojan.exeTrojan.exe

description	pid	process	target process
PID 4776 wrote to memory of 3644	4776	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 4776 wrote to memory of 3644	4776	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 4776 wrote to memory of 3644	4776	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 4776 wrote to memory of 3644	4776	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 4776 wrote to memory of 3644	4776	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 4776 wrote to memory of 3644	4776	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 4776 wrote to memory of 3644	4776	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 4776 wrote to memory of 3644	4776	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 3644 wrote to memory of 4624	3644	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	Trojan.exe
PID 3644 wrote to memory of 4624	3644	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	Trojan.exe
PID 3644 wrote to memory of 4624	3644	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	Trojan.exe
PID 4624 wrote to memory of 4556	4624	Trojan.exe	Trojan.exe
PID 4624 wrote to memory of 4556	4624	Trojan.exe	Trojan.exe
PID 4624 wrote to memory of 4556	4624	Trojan.exe	Trojan.exe
PID 4624 wrote to memory of 4556	4624	Trojan.exe	Trojan.exe
PID 4624 wrote to memory of 4556	4624	Trojan.exe	Trojan.exe
PID 4624 wrote to memory of 4556	4624	Trojan.exe	Trojan.exe
PID 4624 wrote to memory of 4556	4624	Trojan.exe	Trojan.exe
PID 4624 wrote to memory of 4556	4624	Trojan.exe	Trojan.exe
PID 4556 wrote to memory of 2296	4556	Trojan.exe	netsh.exe
PID 4556 wrote to memory of 2296	4556	Trojan.exe	netsh.exe
PID 4556 wrote to memory of 2296	4556	Trojan.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
"C:\Users\Admin\AppData\Local\Temp\df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Local\Temp\df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
"C:\Users\Admin\AppData\Local\Temp\df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:2296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe.log

Filesize
507B

MD5
fb442fe9c1c8bf5b9c592f3a47de9378

SHA1
7e750cd93798d9be6ba84c5611b705c92fc2e785

SHA256
73ab1def1d89e8a56ef5e99f46460901b40e5724d4b650885bfd8af03d2a4066

SHA512
cde0afc04934b89ed0c3de9729d1213f231b9d9ec2aebffc11a1f1287c24efbf12b1056cca1fab384f1d217c4ce73478e8dbb067612817e742c20db1430f946c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
212KB

MD5
97cdc2694b476ab047a4d162d19ba8a6

SHA1
56d6f2e31897873d1f38564f659e5b36992a27d2

SHA256
df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56

SHA512
f7956d6a6058ae1c496fae3b5985a60894718a66159b6f3f12ab1c6e3c67442defb6ba30233101db62e5b949a29719f19a5e029fdf0164e8886b4a9173d3987a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
212KB

MD5
97cdc2694b476ab047a4d162d19ba8a6

SHA1
56d6f2e31897873d1f38564f659e5b36992a27d2

SHA256
df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56

SHA512
f7956d6a6058ae1c496fae3b5985a60894718a66159b6f3f12ab1c6e3c67442defb6ba30233101db62e5b949a29719f19a5e029fdf0164e8886b4a9173d3987a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
212KB

MD5
97cdc2694b476ab047a4d162d19ba8a6

SHA1
56d6f2e31897873d1f38564f659e5b36992a27d2

SHA256
df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56

SHA512
f7956d6a6058ae1c496fae3b5985a60894718a66159b6f3f12ab1c6e3c67442defb6ba30233101db62e5b949a29719f19a5e029fdf0164e8886b4a9173d3987a

Download Submit
memory/2296-143-0x0000000000000000-mapping.dmp

Download
memory/3644-134-0x0000000000000000-mapping.dmp

Download
memory/3644-135-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4556-140-0x0000000000000000-mapping.dmp

Download
memory/4556-144-0x00000000066E0000-0x00000000066EA000-memory.dmp

Filesize
40KB

Download
memory/4624-137-0x0000000000000000-mapping.dmp

Download
memory/4776-130-0x00000000003F0000-0x000000000042A000-memory.dmp

Filesize
232KB

Download
memory/4776-133-0x00000000079B0000-0x0000000007A4C000-memory.dmp

Filesize
624KB

Download
memory/4776-132-0x0000000004DD0000-0x0000000004E62000-memory.dmp

Filesize
584KB

Download
memory/4776-131-0x0000000005440000-0x00000000059E4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads