42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a

General

Target

42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a.exe
Size

805KB
MD5

8b683771c162d0f751ec0eed59ab8471
SHA1

749e230bfaaab4e79aeab3ba5ca8e6cdc7bde183
SHA256

42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a
SHA512

bec4cf42857a7a217ec4f4e4cc99905eb9e69a560f6945869fa421b5cfcb7b4b4442385ff3ab758bced5db53f5472d1984a8e23a85cc28e54c8d8cdcfdfe78d2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
584	llswni.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llswni.exe	42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llswni.exe	42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	972	42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a.exe
Token: SeDebugPrivilege	584	llswni.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 1996	972	42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a.exe	28
PID 972 wrote to memory of 1996	972	42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a.exe	28
PID 972 wrote to memory of 1996	972	42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a.exe	28
PID 972 wrote to memory of 1996	972	42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a.exe	28
PID 596 wrote to memory of 584	596	explorer.exe	30
PID 596 wrote to memory of 584	596	explorer.exe	30
PID 596 wrote to memory of 584	596	explorer.exe	30
PID 596 wrote to memory of 584	596	explorer.exe	30

C:\Users\Admin\AppData\Local\Temp\42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a.exe
"C:\Users\Admin\AppData\Local\Temp\42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a.exe"
1⤵
- Drops startup file
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llswni.exe
  2⤵
  PID:1996

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:596
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llswni.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llswni.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llswni.exe

Filesize
805KB

MD5
8b683771c162d0f751ec0eed59ab8471

SHA1
749e230bfaaab4e79aeab3ba5ca8e6cdc7bde183

SHA256
42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a

SHA512
bec4cf42857a7a217ec4f4e4cc99905eb9e69a560f6945869fa421b5cfcb7b4b4442385ff3ab758bced5db53f5472d1984a8e23a85cc28e54c8d8cdcfdfe78d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llswni.exe

Filesize
805KB

MD5
8b683771c162d0f751ec0eed59ab8471

SHA1
749e230bfaaab4e79aeab3ba5ca8e6cdc7bde183

SHA256
42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a

SHA512
bec4cf42857a7a217ec4f4e4cc99905eb9e69a560f6945869fa421b5cfcb7b4b4442385ff3ab758bced5db53f5472d1984a8e23a85cc28e54c8d8cdcfdfe78d2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
514B

MD5
e34e8764306ec5f0f9fcdb6172d614ad

SHA1
05ad1be45ba28bddff04743e5fc7739e654da1a4

SHA256
bf3f47e93dcad3941f791c4f375196aa89335299da2d58379d2ed0f015c96186

SHA512
6eff41a196b803e36afbdd56412c895047b3ca08bd6771d0d711fa1fcaa693ee1720e54f0cea7e2286e2f3e9dab98d7e427fde8aa69514ea33f393d044112bbe

Download Submit
memory/584-66-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/584-68-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/596-60-0x000007FEFBDA1000-0x000007FEFBDA3000-memory.dmp

Filesize
8KB

Download
memory/972-56-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/972-55-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/972-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/972-67-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-59-0x0000000071B01000-0x0000000071B03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing