cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21

General

Target

cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe
Size

175KB
MD5

97881454ddb0c235d84e3fe6748746da
SHA1

b031fe58826263341ba58778e85cd6fc7ae3bb05
SHA256

cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21
SHA512

4077efb42057a24d90ba1d6f7b6e2f6311cfd6814cbbbe2f241971417284d62fa678a4c3d1d55983baeaca28ada4f8287fa46f376beb5f0e371dfbf79b0af515
SSDEEP

3072:sGgJL20ZG009teM8XnZQLpgwWyM22/z/g21rfeEr+W7REQVsIPjp9f:sdV1E08AELpRWwW/5Xp7WQVsIP19

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2032	winamp.exe
1372	winamp.exe

Deletes itself 1 IoCs

pid	Process
1244	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe
1732	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winamp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows DLL Loader = "C:\\Windows\\system32\\winamp.exe"	winamp.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winamp.exe	winamp.exe
File created	C:\Windows\SysWOW64\winamp.exe	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe
File opened for modification	C:\Windows\SysWOW64\winamp.exe	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 360 set thread context of 1732	360	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	27
PID 2032 set thread context of 1372	2032	winamp.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
360	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	360	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 1732	360	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	27
PID 360 wrote to memory of 1732	360	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	27
PID 360 wrote to memory of 1732	360	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	27
PID 360 wrote to memory of 1732	360	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	27
PID 360 wrote to memory of 1732	360	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	27
PID 360 wrote to memory of 1732	360	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	27
PID 360 wrote to memory of 1732	360	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	27
PID 360 wrote to memory of 1732	360	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	27
PID 360 wrote to memory of 1732	360	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	27
PID 1732 wrote to memory of 1244	1732	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	28
PID 1732 wrote to memory of 1244	1732	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	28
PID 1732 wrote to memory of 1244	1732	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	28
PID 1732 wrote to memory of 1244	1732	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	28
PID 1732 wrote to memory of 2032	1732	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	30
PID 1732 wrote to memory of 2032	1732	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	30
PID 1732 wrote to memory of 2032	1732	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	30
PID 1732 wrote to memory of 2032	1732	cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe	30
PID 2032 wrote to memory of 1372	2032	winamp.exe	31
PID 2032 wrote to memory of 1372	2032	winamp.exe	31
PID 2032 wrote to memory of 1372	2032	winamp.exe	31
PID 2032 wrote to memory of 1372	2032	winamp.exe	31
PID 2032 wrote to memory of 1372	2032	winamp.exe	31
PID 2032 wrote to memory of 1372	2032	winamp.exe	31
PID 2032 wrote to memory of 1372	2032	winamp.exe	31
PID 2032 wrote to memory of 1372	2032	winamp.exe	31
PID 2032 wrote to memory of 1372	2032	winamp.exe	31

C:\Users\Admin\AppData\Local\Temp\cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe
"C:\Users\Admin\AppData\Local\Temp\cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:360
- C:\Users\Admin\AppData\Local\Temp\cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe
  "C:\Users\Admin\AppData\Local\Temp\cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmcjuf.bat" "
    3⤵
    - Deletes itself
    PID:1244
- - C:\Windows\SysWOW64\winamp.exe
    C:\Windows\system32\winamp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\winamp.exe
      "C:\Windows\SysWOW64\winamp.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmcjuf.bat

Filesize
296B

MD5
4a5be334153833280d75e126bc3cdf9b

SHA1
da0ddaaf80892d845c72f6ac557430d3eb1cc7c2

SHA256
c605ea224ce5d73cf655f522ed21f8adb75505cc4459d3fc5e07d1ae1fd05d55

SHA512
578a0ca36793293cbb4c70269585d4c3779db4d900d97f9f877e01879e5e1752d974e9312fec3848776a501c3bbbde0573ccd4bfb6b491ff40c9662e4fff2012

Download Submit
C:\Windows\SysWOW64\winamp.exe

Filesize
175KB

MD5
97881454ddb0c235d84e3fe6748746da

SHA1
b031fe58826263341ba58778e85cd6fc7ae3bb05

SHA256
cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21

SHA512
4077efb42057a24d90ba1d6f7b6e2f6311cfd6814cbbbe2f241971417284d62fa678a4c3d1d55983baeaca28ada4f8287fa46f376beb5f0e371dfbf79b0af515

Download Submit
C:\Windows\SysWOW64\winamp.exe

Filesize
175KB

MD5
97881454ddb0c235d84e3fe6748746da

SHA1
b031fe58826263341ba58778e85cd6fc7ae3bb05

SHA256
cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21

SHA512
4077efb42057a24d90ba1d6f7b6e2f6311cfd6814cbbbe2f241971417284d62fa678a4c3d1d55983baeaca28ada4f8287fa46f376beb5f0e371dfbf79b0af515

Download Submit
C:\Windows\SysWOW64\winamp.exe

Filesize
175KB

MD5
97881454ddb0c235d84e3fe6748746da

SHA1
b031fe58826263341ba58778e85cd6fc7ae3bb05

SHA256
cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21

SHA512
4077efb42057a24d90ba1d6f7b6e2f6311cfd6814cbbbe2f241971417284d62fa678a4c3d1d55983baeaca28ada4f8287fa46f376beb5f0e371dfbf79b0af515

Download Submit
\Windows\SysWOW64\winamp.exe

Filesize
175KB

MD5
97881454ddb0c235d84e3fe6748746da

SHA1
b031fe58826263341ba58778e85cd6fc7ae3bb05

SHA256
cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21

SHA512
4077efb42057a24d90ba1d6f7b6e2f6311cfd6814cbbbe2f241971417284d62fa678a4c3d1d55983baeaca28ada4f8287fa46f376beb5f0e371dfbf79b0af515

Download Submit
\Windows\SysWOW64\winamp.exe

Filesize
175KB

MD5
97881454ddb0c235d84e3fe6748746da

SHA1
b031fe58826263341ba58778e85cd6fc7ae3bb05

SHA256
cfd7c061613cc428551c45f3d0d17e7ed5d268212510c260d3fa15b80f52ca21

SHA512
4077efb42057a24d90ba1d6f7b6e2f6311cfd6814cbbbe2f241971417284d62fa678a4c3d1d55983baeaca28ada4f8287fa46f376beb5f0e371dfbf79b0af515

Download Submit
memory/360-94-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/360-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/360-68-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/360-69-0x0000000001CA0000-0x0000000001CD7000-memory.dmp

Filesize
220KB

Download
memory/1372-96-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1372-97-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1732-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1732-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1732-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1732-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1732-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1732-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1732-75-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2032-93-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2032-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing