10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668

General

Target

10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exe
Size

62KB
MD5

3d931e0e173d08cf672d9977a03d4d62
SHA1

59f989fecf93c9e7b084215af0f205eac9ecb957
SHA256

10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668
SHA512

c5550f4d1be18ae030ae25078e8689e198b58b758f06cde1230f148bfb746c4f75a089f091e6a7a04013f3450383fab257eddff9c2432c30e3630e2dc9b9f2c6

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

msgs.exe

pid process

1636 msgs.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1684 netsh.exe

pid	process
1636	msgs.exe

pid	process
1684	netsh.exe

Drops startup file 2 IoCs

Processes:

msgs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1595ec1b10f663098eed3aa73bd31f01.exe	msgs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1595ec1b10f663098eed3aa73bd31f01.exe	msgs.exe

Loads dropped DLL 1 IoCs

Processes:

10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exe

pid process

384 10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exe

pid	process
384	10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msgs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\1595ec1b10f663098eed3aa73bd31f01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\msgs.exe\" .."	msgs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1595ec1b10f663098eed3aa73bd31f01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\msgs.exe\" .."	msgs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

msgs.exe

description	pid	process
Token: SeDebugPrivilege	1636	msgs.exe
Token: 33	1636	msgs.exe
Token: SeIncBasePriorityPrivilege	1636	msgs.exe
Token: 33	1636	msgs.exe
Token: SeIncBasePriorityPrivilege	1636	msgs.exe
Token: 33	1636	msgs.exe
Token: SeIncBasePriorityPrivilege	1636	msgs.exe
Token: 33	1636	msgs.exe
Token: SeIncBasePriorityPrivilege	1636	msgs.exe
Token: 33	1636	msgs.exe
Token: SeIncBasePriorityPrivilege	1636	msgs.exe
Token: 33	1636	msgs.exe
Token: SeIncBasePriorityPrivilege	1636	msgs.exe
Token: 33	1636	msgs.exe
Token: SeIncBasePriorityPrivilege	1636	msgs.exe
Token: 33	1636	msgs.exe
Token: SeIncBasePriorityPrivilege	1636	msgs.exe
Token: 33	1636	msgs.exe
Token: SeIncBasePriorityPrivilege	1636	msgs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exemsgs.exe

description	pid	process	target process
PID 384 wrote to memory of 1636	384	10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exe	msgs.exe
PID 384 wrote to memory of 1636	384	10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exe	msgs.exe
PID 384 wrote to memory of 1636	384	10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exe	msgs.exe
PID 384 wrote to memory of 1636	384	10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exe	msgs.exe
PID 1636 wrote to memory of 1684	1636	msgs.exe	netsh.exe
PID 1636 wrote to memory of 1684	1636	msgs.exe	netsh.exe
PID 1636 wrote to memory of 1684	1636	msgs.exe	netsh.exe
PID 1636 wrote to memory of 1684	1636	msgs.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exe
"C:\Users\Admin\AppData\Local\Temp\10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\msgs.exe
"C:\Users\Admin\AppData\Local\Temp\msgs.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\msgs.exe" "msgs.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\msgs.exe
Filesize
62KB

MD5
3d931e0e173d08cf672d9977a03d4d62

SHA1
59f989fecf93c9e7b084215af0f205eac9ecb957

SHA256
10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668

SHA512
c5550f4d1be18ae030ae25078e8689e198b58b758f06cde1230f148bfb746c4f75a089f091e6a7a04013f3450383fab257eddff9c2432c30e3630e2dc9b9f2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgs.exe
Filesize
62KB

MD5
3d931e0e173d08cf672d9977a03d4d62

SHA1
59f989fecf93c9e7b084215af0f205eac9ecb957

SHA256
10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668

SHA512
c5550f4d1be18ae030ae25078e8689e198b58b758f06cde1230f148bfb746c4f75a089f091e6a7a04013f3450383fab257eddff9c2432c30e3630e2dc9b9f2c6

Download Submit
\Users\Admin\AppData\Local\Temp\msgs.exe
Filesize
62KB

MD5
3d931e0e173d08cf672d9977a03d4d62

SHA1
59f989fecf93c9e7b084215af0f205eac9ecb957

SHA256
10a5aa925b4739ee54e1470f075e9db9a6990853f587bb99231180b670693668

SHA512
c5550f4d1be18ae030ae25078e8689e198b58b758f06cde1230f148bfb746c4f75a089f091e6a7a04013f3450383fab257eddff9c2432c30e3630e2dc9b9f2c6

Download Submit
memory/384-54-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/384-55-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/384-61-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-57-0x0000000000000000-mapping.dmp

Download
memory/1636-62-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-65-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/1684-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads