0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901

General

Target

0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe
Size

3.2MB
MD5

51eb93aaca0e50e7623ab67c61d1b1fb
SHA1

c862db8b0d8a15b02e3cb3296aa618c46edc822b
SHA256

0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901
SHA512

e31728d6b1fd9781a0d29840d054b6e3f1869db40b185d74b8f2e4fbea526b712e3ee614784fba9ccf78d532ea3640885ee5b0e1a2793aa27da9dbea6d99af0a

Score

10^/10

link pdf persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Executes dropped EXE 1 IoCs

Processes:

mls.exe

pid process

1648 mls.exe
Loads dropped DLL 1 IoCs

Processes:

0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe

pid process

1988 0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe

pid	process
1648	mls.exe

pid	process
1988	0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exemls.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\mls = "\"C:\\Users\\Admin\\AppData\\Roaming\\RAC\\mls.exe\" -s"	0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\svcsc.exe = "C:\\Users\\Admin\\AppData\\Roaming\\RAC\\svcsc.exe"	mls.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1584 AcroRd32.exe
1584 AcroRd32.exe
1584 AcroRd32.exe
1584 AcroRd32.exe

pid	process
1584	AcroRd32.exe
1584	AcroRd32.exe
1584	AcroRd32.exe
1584	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe

description	pid	process	target process
PID 1988 wrote to memory of 1584	1988	0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe	AcroRd32.exe
PID 1988 wrote to memory of 1584	1988	0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe	AcroRd32.exe
PID 1988 wrote to memory of 1584	1988	0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe	AcroRd32.exe
PID 1988 wrote to memory of 1584	1988	0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe	AcroRd32.exe
PID 1988 wrote to memory of 1648	1988	0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe	mls.exe
PID 1988 wrote to memory of 1648	1988	0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe	mls.exe
PID 1988 wrote to memory of 1648	1988	0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe	mls.exe
PID 1988 wrote to memory of 1648	1988	0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe	mls.exe

C:\Users\Admin\AppData\Local\Temp\0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe
"C:\Users\Admin\AppData\Local\Temp\0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1988

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.pdf"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Users\Admin\AppData\Roaming\RAC\mls.exe
"C:\Users\Admin\AppData\Roaming\RAC\mls.exe" -s
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0041d6ff578994fd2d6d9aa0b44c0d5f5474eb5281c49a34f4c81651a4525901.pdf
Filesize
1.7MB

MD5
8b6df81f3786a6d953986f95ed6eb3ac

SHA1
32ef98d46e69b15b62f1af0e8b8b5e9f6362d51c

SHA256
ae0ce574fa65c41406cdd8e438d65d5dd20db03ba49628f1eb51da4d6392f1c6

SHA512
e87322ac540067e47f4f08794fb0d3d153f8147398354eb1b2f6385a8eda04133d6d1b119c12814895df99a2a4ab3cc28d4b7d302e6195a5863408a14e0e2876

Download Submit
C:\Users\Admin\AppData\Roaming\RAC\mls.exe
Filesize
1.6MB

MD5
1ebb1216c11c725ecced04a394ba0f07

SHA1
1298e27b6cccc9ffc671fad4fbbe5f74675017d3

SHA256
92cfb01452d35687f10b203475475f7513dddf21e07dcb8b9af512f2caef183e

SHA512
81fd1a4b0386ffb51786222967986cc0b0e863606fd29813031cece4ab9534270fe224b1614823372907625c0ae000cc0ad083ab8619315ae9586845f2b563bd

Download Submit
\Users\Admin\AppData\Roaming\RAC\mls.exe
Filesize
1.6MB

MD5
1ebb1216c11c725ecced04a394ba0f07

SHA1
1298e27b6cccc9ffc671fad4fbbe5f74675017d3

SHA256
92cfb01452d35687f10b203475475f7513dddf21e07dcb8b9af512f2caef183e

SHA512
81fd1a4b0386ffb51786222967986cc0b0e863606fd29813031cece4ab9534270fe224b1614823372907625c0ae000cc0ad083ab8619315ae9586845f2b563bd

Download Submit
memory/1584-55-0x0000000000000000-mapping.dmp

Download
memory/1648-58-0x0000000000000000-mapping.dmp

Download
memory/1988-54-0x0000000075731000-0x0000000075733000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads