39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36

General

Target

39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Size

690KB
MD5

b1054ce8f34ae583487bd889bf03fb39
SHA1

405a0010eda09b5878596a7d91abf0ffe58634db
SHA256

39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36
SHA512

5f03041137cb4fb942b96f8d6e2f44849be7d393b9f7231581ad6637d8ebba7864c38defe922f238661dc525e6d2dc726e3e456cbc540f977b13162100629345

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\java"	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4900 attrib.exe
3188 attrib.exe

pid	process
4900	attrib.exe
3188	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\java"	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeSecurityPrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeTakeOwnershipPrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeLoadDriverPrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeSystemProfilePrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeSystemtimePrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeProfSingleProcessPrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeIncBasePriorityPrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeCreatePagefilePrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeBackupPrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeRestorePrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeShutdownPrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeDebugPrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeSystemEnvironmentPrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeChangeNotifyPrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeRemoteShutdownPrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeUndockPrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeManageVolumePrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeImpersonatePrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: SeCreateGlobalPrivilege	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: 33	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: 34	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: 35	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
Token: 36	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.execmd.execmd.exe

description	pid	process	target process
PID 2372 wrote to memory of 3960	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe	cmd.exe
PID 2372 wrote to memory of 3960	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe	cmd.exe
PID 2372 wrote to memory of 3960	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe	cmd.exe
PID 2372 wrote to memory of 996	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe	cmd.exe
PID 2372 wrote to memory of 996	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe	cmd.exe
PID 2372 wrote to memory of 996	2372	39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe	cmd.exe
PID 3960 wrote to memory of 4900	3960	cmd.exe	attrib.exe
PID 3960 wrote to memory of 4900	3960	cmd.exe	attrib.exe
PID 3960 wrote to memory of 4900	3960	cmd.exe	attrib.exe
PID 996 wrote to memory of 3188	996	cmd.exe	attrib.exe
PID 996 wrote to memory of 3188	996	cmd.exe	attrib.exe
PID 996 wrote to memory of 3188	996	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

3188 attrib.exe
4900 attrib.exe

pid	process
3188	attrib.exe
4900	attrib.exe

C:\Users\Admin\AppData\Local\Temp\39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe
"C:\Users\Admin\AppData\Local\Temp\39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\39d7a5ddfc61d4ce34e76bf080d69a02574705068506ae7508347199336c3f36.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:996