67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b

General

Target

67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe
Size

805KB
MD5

646ed17ed05a8e0925c95e4b43210e2c
SHA1

ca333c718dad8faff0d6e99ba33b7c336d8b82db
SHA256

67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b
SHA512

6d63c2f96db0ca0cd97d6563cbc85099c090d165153c32794f6b7b86d966b2086af3192b1508d1b5342ced3f325856e36bfb76930cb93f372c7220b7632a30f7

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

PAKJHS~1.EXEbcvdfgsd.exebcvdfgsd.exe

pid process

1104 PAKJHS~1.EXE
1768 bcvdfgsd.exe
844 bcvdfgsd.exe
Loads dropped DLL 2 IoCs

Processes:

PAKJHS~1.EXE

pid process

1104 PAKJHS~1.EXE
1104 PAKJHS~1.EXE

pid	process
1104	PAKJHS~1.EXE
1768	bcvdfgsd.exe
844	bcvdfgsd.exe

pid	process
1104	PAKJHS~1.EXE
1104	PAKJHS~1.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Net Host = "C:\\Users\\Admin\\vbnfghcbv\\bcvdfgsd.vbs -BN"	WScript.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

PAKJHS~1.EXEbcvdfgsd.exe

pid process

1104 PAKJHS~1.EXE
1768 bcvdfgsd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

bcvdfgsd.exe

description pid process target process

PID 1768 set thread context of 844 1768 bcvdfgsd.exe bcvdfgsd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PAKJHS~1.EXEbcvdfgsd.exe

pid process

1104 PAKJHS~1.EXE
1768 bcvdfgsd.exe

pid	process
1104	PAKJHS~1.EXE
1768	bcvdfgsd.exe

description	pid	process	target process
PID 1768 set thread context of 844	1768	bcvdfgsd.exe	bcvdfgsd.exe

pid	process
1104	PAKJHS~1.EXE
1768	bcvdfgsd.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exePAKJHS~1.EXEbcvdfgsd.exe

description	pid	process	target process
PID 552 wrote to memory of 1104	552	67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe	PAKJHS~1.EXE
PID 552 wrote to memory of 1104	552	67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe	PAKJHS~1.EXE
PID 552 wrote to memory of 1104	552	67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe	PAKJHS~1.EXE
PID 552 wrote to memory of 1104	552	67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe	PAKJHS~1.EXE
PID 1104 wrote to memory of 924	1104	PAKJHS~1.EXE	WScript.exe
PID 1104 wrote to memory of 924	1104	PAKJHS~1.EXE	WScript.exe
PID 1104 wrote to memory of 924	1104	PAKJHS~1.EXE	WScript.exe
PID 1104 wrote to memory of 924	1104	PAKJHS~1.EXE	WScript.exe
PID 1104 wrote to memory of 1768	1104	PAKJHS~1.EXE	bcvdfgsd.exe
PID 1104 wrote to memory of 1768	1104	PAKJHS~1.EXE	bcvdfgsd.exe
PID 1104 wrote to memory of 1768	1104	PAKJHS~1.EXE	bcvdfgsd.exe
PID 1104 wrote to memory of 1768	1104	PAKJHS~1.EXE	bcvdfgsd.exe
PID 1768 wrote to memory of 844	1768	bcvdfgsd.exe	bcvdfgsd.exe
PID 1768 wrote to memory of 844	1768	bcvdfgsd.exe	bcvdfgsd.exe
PID 1768 wrote to memory of 844	1768	bcvdfgsd.exe	bcvdfgsd.exe
PID 1768 wrote to memory of 844	1768	bcvdfgsd.exe	bcvdfgsd.exe

C:\Users\Admin\AppData\Local\Temp\67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe
"C:\Users\Admin\AppData\Local\Temp\67ef63e5a825981d5df3913386c1d1e65d57097f03da162b7a5bd4f355cf8c2b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PAKJHS~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PAKJHS~1.EXE
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\vbnfghcbv\bcvdfgsd.vbs"
3⤵
- Adds Run key to start application
PID:924

C:\Users\Admin\vbnfghcbv\bcvdfgsd.exe
"C:\Users\Admin\vbnfghcbv\bcvdfgsd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\vbnfghcbv\bcvdfgsd.exe
"C:\Users\Admin\vbnfghcbv\bcvdfgsd.exe"
4⤵
- Executes dropped EXE
PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PAKJHS~1.EXE

Filesize
205.7MB

MD5
b22c9d17d34128a32ed382001010ead7

SHA1
36cadb05195a3e3168d976f5797da62304c05ec7

SHA256
1a7bfb43ef8f251440b591984b6b83964b13cc70f19e8b935768fa4247f7aabf

SHA512
24a31841644c0efa7c328bb6390440d07ddaf5027a1ca38f4327bc06750b36a35d4aab1841c7617e4e66095e6a42e6f9872964fd109b072f252ac6b3f2fab210

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PAKJHS~1.EXE

Filesize
205.7MB

MD5
b22c9d17d34128a32ed382001010ead7

SHA1
36cadb05195a3e3168d976f5797da62304c05ec7

SHA256
1a7bfb43ef8f251440b591984b6b83964b13cc70f19e8b935768fa4247f7aabf

SHA512
24a31841644c0efa7c328bb6390440d07ddaf5027a1ca38f4327bc06750b36a35d4aab1841c7617e4e66095e6a42e6f9872964fd109b072f252ac6b3f2fab210

Download Submit
C:\Users\Admin\vbnfghcbv\bcvdfgsd.exe

Filesize
160.3MB

MD5
284ecbfcc7ea5bf952448129cc5a6999

SHA1
ea5a3755162dc13491a768b8f5091d958371f8d6

SHA256
fe94a7ed2b2f0bbc997a41ce038759ad9d59fd9025da0bb9c92dd88a5612c866

SHA512
880c124ab4f19113f630339f03571ea69df406cc7d3280c2361cbe7d8a38b699d0d10b466b1800f01ff43215fcea8a14f1029b6216e634314e1af166372611ee

Download Submit
C:\Users\Admin\vbnfghcbv\bcvdfgsd.exe

Filesize
12.8MB

MD5
2d7a9bf55af748d8b8af49bce3037141

SHA1
b3e29b00cf5d3081b81bee543402c95278754281

SHA256
8ef05706d86fdebf5cb610b9c1d71197c8b6fea83c6d87ab9a8b107b2f52f23d

SHA512
06d6e7debfd35702da7f90b87799a2fbb33a0eb70a7bfc5a56137f602173ae697f2e0125706b9f914c3ffdf4135dc378f4c21a05e0eac18f4e0047abae54b4d7

Download Submit
C:\Users\Admin\vbnfghcbv\bcvdfgsd.exe

Filesize
17.9MB

MD5
e80bea793a139b1219441768421e0a51

SHA1
ad928ef50cf1b294aa51c5c1b28189d542e5df6d

SHA256
97a674659d5e9b6dcc9b9379b9df51f7424c3ad8a002b095756d2d5f698bfac2

SHA512
b7d7642ec1bba105d5be35119df62b99603ae97c88b48ff2cab505ad8e108306a6f1df7c82175a4574830eadbf580fd145a9bb60479ee0007d31240114d54570

Download Submit
C:\Users\Admin\vbnfghcbv\bcvdfgsd.vbs

Filesize
1020B

MD5
b767073812150f580da5776d76d28c59

SHA1
99314a2ae5a0435153ea8010c5525d939a61a64a

SHA256
21ec41247c1f78aa36ba2db84215de3744621453e5284eabdb79e06c29284523

SHA512
779f80e8a2dd25e5615c711fbc7825535fa90b2d7c31740ea327ee99bc8792f9ff2deff779cfd68df9cfef6c9e4c8575f2eedec1bd6da12a45f272eff0324460

Download Submit
\Users\Admin\vbnfghcbv\bcvdfgsd.exe

Filesize
161.1MB

MD5
661edcf7a89345c7c8128d5b4685f165

SHA1
049c457d58031bc5390a21d107d7fd50dfb1e432

SHA256
0db0d3c1701970511f6a45b3a8b851632752a2e5829024cf766353242628f535

SHA512
29a85d85161475bb4237032d95e701b621bc77b2695a61b1e1a56775809bd8a0a021c5d98627864afe5ee299455ec7e213558e39a94ce92d4b510c3641038916

Download Submit
\Users\Admin\vbnfghcbv\bcvdfgsd.exe

Filesize
154.4MB

MD5
d5feee3a89015687f471a1c4fc7742bc

SHA1
aff1a63bd0c285389b41d90215771fa462ec81b7

SHA256
e7966cbe1bcf13c391fdf7bd97e9ef23630c228c2f8a3ada4229e5739a156cce

SHA512
5627c622ddf939843542b6e250c591f24a5fa6958acf8a1d802c9d9b21c01268a188f0938a48274c511e7bba41f4f2d07831bad55c88a562af0e05bac02f5b6b

Download Submit
memory/552-54-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp

Filesize
8KB

Download
memory/844-82-0x00000000004179D5-mapping.dmp

Download
memory/924-65-0x0000000000000000-mapping.dmp

Download
memory/1104-71-0x00000000003C0000-0x00000000003CF000-memory.dmp

Filesize
60KB

Download
memory/1104-66-0x00000000003C0000-0x00000000003CF000-memory.dmp

Filesize
60KB

Download
memory/1104-64-0x0000000077690000-0x0000000077810000-memory.dmp

Filesize
1.5MB

Download
memory/1104-63-0x00000000774B0000-0x0000000077659000-memory.dmp

Filesize
1.7MB

Download
memory/1104-76-0x0000000077690000-0x0000000077810000-memory.dmp

Filesize
1.5MB

Download
memory/1104-60-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1104-59-0x00000000003C0000-0x00000000003CF000-memory.dmp

Filesize
60KB

Download
memory/1104-55-0x0000000000000000-mapping.dmp

Download
memory/1768-69-0x0000000000000000-mapping.dmp

Download
memory/1768-78-0x00000000774B0000-0x0000000077659000-memory.dmp

Filesize
1.7MB

Download
memory/1768-80-0x0000000077690000-0x0000000077810000-memory.dmp

Filesize
1.5MB

Download
memory/1768-84-0x00000000002B0000-0x00000000002BF000-memory.dmp

Filesize
60KB

Download
memory/1768-85-0x0000000077690000-0x0000000077810000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing