555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685

General

Target

555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
Size

1.6MB
MD5

a3ecf903e0ee1f392efbd7af61062032
SHA1

237c6daeab86c669b1c821e13c2ec119845d108d
SHA256

555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685
SHA512

c803f9a51dc654d6da039d05ee195202a0c6a049e7101b75c78c9783f4269c1eb20c4a76b68c172cb94e54fe03c9e38554d6c8405ca741ec112b6b751c0ccc66

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

atd.exeatd.exe

pid process

1584 atd.exe
1692 atd.exe

pid	process
1584	atd.exe
1692	atd.exe

Drops startup file 1 IoCs

Processes:

555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PIPLXE.lnk	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe

Loads dropped DLL 4 IoCs

Processes:

555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exeatd.exe555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe

pid	process
1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1584	atd.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\PIPLXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\OZLUIF.exe\""	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ipapi.co
5 ipapi.co
11 checkip.dyndns.org

flow	ioc
4	ipapi.co
5	ipapi.co
11	checkip.dyndns.org

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1232-63-0x0000000000000000-mapping.dmp	autoit_exe
behavioral1/memory/1232-66-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe
behavioral1/memory/1232-68-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe
behavioral1/memory/1232-69-0x0000000000400000-0x00000000004B9000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

atd.exe

description pid process target process

PID 1584 set thread context of 1692 1584 atd.exe atd.exe
PID 1584 set thread context of 1692 1584 atd.exe atd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1584 set thread context of 1692	1584	atd.exe	atd.exe
PID 1584 set thread context of 1692	1584	atd.exe	atd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe

pid	process
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1232	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exeatd.exe

pid process

1908 555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
1584 atd.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exeatd.exe

description	pid	process	target process
PID 1908 wrote to memory of 1584	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	atd.exe
PID 1908 wrote to memory of 1584	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	atd.exe
PID 1908 wrote to memory of 1584	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	atd.exe
PID 1908 wrote to memory of 1584	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	atd.exe
PID 1908 wrote to memory of 1232	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
PID 1908 wrote to memory of 1232	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
PID 1908 wrote to memory of 1232	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
PID 1908 wrote to memory of 1232	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
PID 1908 wrote to memory of 1232	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
PID 1908 wrote to memory of 1232	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
PID 1908 wrote to memory of 1232	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
PID 1908 wrote to memory of 1232	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
PID 1908 wrote to memory of 1232	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
PID 1908 wrote to memory of 1232	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
PID 1908 wrote to memory of 1232	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
PID 1908 wrote to memory of 1232	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
PID 1908 wrote to memory of 1232	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
PID 1908 wrote to memory of 1232	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
PID 1908 wrote to memory of 1232	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
PID 1908 wrote to memory of 1232	1908	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe	555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
PID 1584 wrote to memory of 1692	1584	atd.exe	atd.exe
PID 1584 wrote to memory of 1692	1584	atd.exe	atd.exe
PID 1584 wrote to memory of 1692	1584	atd.exe	atd.exe
PID 1584 wrote to memory of 1692	1584	atd.exe	atd.exe
PID 1584 wrote to memory of 1692	1584	atd.exe	atd.exe
PID 1584 wrote to memory of 1692	1584	atd.exe	atd.exe
PID 1584 wrote to memory of 1692	1584	atd.exe	atd.exe
PID 1584 wrote to memory of 1692	1584	atd.exe	atd.exe
PID 1584 wrote to memory of 1692	1584	atd.exe	atd.exe
PID 1584 wrote to memory of 1692	1584	atd.exe	atd.exe
PID 1584 wrote to memory of 1692	1584	atd.exe	atd.exe

C:\Users\Admin\AppData\Local\Temp\555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
"C:\Users\Admin\AppData\Local\Temp\555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\atd.exe
"C:\Users\Admin\AppData\Local\Temp\atd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\atd.exe
"C:\Users\Admin\AppData\Local\Temp\atd.exe"
3⤵
- Executes dropped EXE
PID:1692

C:\Users\Admin\AppData\Local\Temp\555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe
"C:\Users\Admin\AppData\Local\Temp\555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\atd.exe
Filesize
476KB

MD5
0ae10f7b0c6a87e26273108537720021

SHA1
1d570c7448ddb6d921a03be6db7d0fc49cdd6e10

SHA256
e480728932889eda19b6197def775250eb96ccf23c18fd28a95b0d3da41324e9

SHA512
a53a9287ec4f55537e49bf1e4b3730c582efb0916ae11c2aabf0ca354ae475548bcb1e2ff8115a2b37e17037c80a5a6084162b626acd2d9310ebee4c3af3da7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\atd.exe
Filesize
476KB

MD5
0ae10f7b0c6a87e26273108537720021

SHA1
1d570c7448ddb6d921a03be6db7d0fc49cdd6e10

SHA256
e480728932889eda19b6197def775250eb96ccf23c18fd28a95b0d3da41324e9

SHA512
a53a9287ec4f55537e49bf1e4b3730c582efb0916ae11c2aabf0ca354ae475548bcb1e2ff8115a2b37e17037c80a5a6084162b626acd2d9310ebee4c3af3da7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\atd.exe
Filesize
476KB

MD5
0ae10f7b0c6a87e26273108537720021

SHA1
1d570c7448ddb6d921a03be6db7d0fc49cdd6e10

SHA256
e480728932889eda19b6197def775250eb96ccf23c18fd28a95b0d3da41324e9

SHA512
a53a9287ec4f55537e49bf1e4b3730c582efb0916ae11c2aabf0ca354ae475548bcb1e2ff8115a2b37e17037c80a5a6084162b626acd2d9310ebee4c3af3da7c

Download Submit
\Users\Admin\AppData\Local\Temp\atd.exe
Filesize
476KB

MD5
0ae10f7b0c6a87e26273108537720021

SHA1
1d570c7448ddb6d921a03be6db7d0fc49cdd6e10

SHA256
e480728932889eda19b6197def775250eb96ccf23c18fd28a95b0d3da41324e9

SHA512
a53a9287ec4f55537e49bf1e4b3730c582efb0916ae11c2aabf0ca354ae475548bcb1e2ff8115a2b37e17037c80a5a6084162b626acd2d9310ebee4c3af3da7c

Download Submit
\Users\Admin\AppData\Local\Temp\atd.exe
Filesize
476KB

MD5
0ae10f7b0c6a87e26273108537720021

SHA1
1d570c7448ddb6d921a03be6db7d0fc49cdd6e10

SHA256
e480728932889eda19b6197def775250eb96ccf23c18fd28a95b0d3da41324e9

SHA512
a53a9287ec4f55537e49bf1e4b3730c582efb0916ae11c2aabf0ca354ae475548bcb1e2ff8115a2b37e17037c80a5a6084162b626acd2d9310ebee4c3af3da7c

Download Submit
\Users\Admin\AppData\Local\Temp\atd.exe
Filesize
476KB

MD5
0ae10f7b0c6a87e26273108537720021

SHA1
1d570c7448ddb6d921a03be6db7d0fc49cdd6e10

SHA256
e480728932889eda19b6197def775250eb96ccf23c18fd28a95b0d3da41324e9

SHA512
a53a9287ec4f55537e49bf1e4b3730c582efb0916ae11c2aabf0ca354ae475548bcb1e2ff8115a2b37e17037c80a5a6084162b626acd2d9310ebee4c3af3da7c

Download Submit
\Users\Admin\AppData\Roaming\Windata\OZLUIF.exe
Filesize
1.6MB

MD5
a3ecf903e0ee1f392efbd7af61062032

SHA1
237c6daeab86c669b1c821e13c2ec119845d108d

SHA256
555f88b245ceee8f51243a2dd7bd51c11d213f88a58b78659f8781176954a685

SHA512
c803f9a51dc654d6da039d05ee195202a0c6a049e7101b75c78c9783f4269c1eb20c4a76b68c172cb94e54fe03c9e38554d6c8405ca741ec112b6b751c0ccc66

Download Submit
memory/1232-63-0x0000000000000000-mapping.dmp

Download
memory/1232-66-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1232-68-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1232-69-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1584-70-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1584-60-0x0000000000000000-mapping.dmp

Download
memory/1692-75-0x000000000040140A-mapping.dmp

Download
memory/1692-81-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1692-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1692-90-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/1692-79-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/1692-78-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1692-80-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/1692-89-0x0000000000401000-0x000000000044F000-memory.dmp

Filesize
312KB

Download
memory/1692-88-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/1692-84-0x0000000000401000-0x000000000044F000-memory.dmp

Filesize
312KB

Download
memory/1692-85-0x0000000000401000-0x000000000044F000-memory.dmp

Filesize
312KB

Download
memory/1692-86-0x0000000000401000-0x000000000044F000-memory.dmp

Filesize
312KB

Download
memory/1692-87-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1908-57-0x00000000754D1000-0x00000000754D3000-memory.dmp

Filesize
8KB

Download
memory/1908-56-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1908-65-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads