74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6

General

Target

74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe
Size

1.7MB
MD5

8f94bc5cacfd1fbfcb09a94958adfd1d
SHA1

3930dbb9a0d13331acfb232a39aae879d4a3437c
SHA256

74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6
SHA512

c5e3bcdf679789bba2bdab1fc0bd3da91e4e9f4a2ad8c4d7ce12594631e8cf4a44002d954b52a907d28028f5870b871b59cc4cbcb0f6ec6e0e19a331a29010bd

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Executes dropped EXE 1 IoCs

Processes:

mls.exe

pid process

980 mls.exe
Loads dropped DLL 1 IoCs

Processes:

74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe

pid process

1488 74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe

pid	process
980	mls.exe

pid	process
1488	74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exemls.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\mls = "\"C:\\Users\\Admin\\AppData\\Roaming\\RAC\\mls.exe\" -s"	74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\svcsc.exe = "C:\\Users\\Admin\\AppData\\Roaming\\RAC\\svcsc.exe"	mls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1896 AcroRd32.exe
1896 AcroRd32.exe
1896 AcroRd32.exe
1896 AcroRd32.exe

pid	process
1896	AcroRd32.exe
1896	AcroRd32.exe
1896	AcroRd32.exe
1896	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe

description	pid	process	target process
PID 1488 wrote to memory of 1896	1488	74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe	AcroRd32.exe
PID 1488 wrote to memory of 1896	1488	74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe	AcroRd32.exe
PID 1488 wrote to memory of 1896	1488	74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe	AcroRd32.exe
PID 1488 wrote to memory of 1896	1488	74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe	AcroRd32.exe
PID 1488 wrote to memory of 980	1488	74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe	mls.exe
PID 1488 wrote to memory of 980	1488	74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe	mls.exe
PID 1488 wrote to memory of 980	1488	74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe	mls.exe
PID 1488 wrote to memory of 980	1488	74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe	mls.exe

C:\Users\Admin\AppData\Local\Temp\74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe
"C:\Users\Admin\AppData\Local\Temp\74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1488

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.pdf"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1896

C:\Users\Admin\AppData\Roaming\RAC\mls.exe
"C:\Users\Admin\AppData\Roaming\RAC\mls.exe" -s
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74e0dfb6b8fb66ed62252811acf1ea90b9d63ed835c0c820557312dca42cc7e6.pdf
Filesize
158KB

MD5
4f5e97da89da8677e7e45dbc931ec882

SHA1
fe563c1a83835880eaab9a8446fefc13a0c601f2

SHA256
cd273ab762a215098f8199a7409c5e240659935c01acb8c6cddd4f685093c964

SHA512
a75cf750d484164d59a818ee267c0f937220a271ff72d3bdbd8c1418ec5f1265b75d944476b52269e6bdad531a6a5fd80dd96dde1bbcd67f6a26f2d2773a209b

Download Submit
C:\Users\Admin\AppData\Roaming\RAC\mls.exe
Filesize
1.6MB

MD5
1ebb1216c11c725ecced04a394ba0f07

SHA1
1298e27b6cccc9ffc671fad4fbbe5f74675017d3

SHA256
92cfb01452d35687f10b203475475f7513dddf21e07dcb8b9af512f2caef183e

SHA512
81fd1a4b0386ffb51786222967986cc0b0e863606fd29813031cece4ab9534270fe224b1614823372907625c0ae000cc0ad083ab8619315ae9586845f2b563bd

Download Submit
\Users\Admin\AppData\Roaming\RAC\mls.exe
Filesize
1.6MB

MD5
1ebb1216c11c725ecced04a394ba0f07

SHA1
1298e27b6cccc9ffc671fad4fbbe5f74675017d3

SHA256
92cfb01452d35687f10b203475475f7513dddf21e07dcb8b9af512f2caef183e

SHA512
81fd1a4b0386ffb51786222967986cc0b0e863606fd29813031cece4ab9534270fe224b1614823372907625c0ae000cc0ad083ab8619315ae9586845f2b563bd

Download Submit
memory/980-58-0x0000000000000000-mapping.dmp

Download
memory/1488-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1896-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing