c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4

General

Target

c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4.exe
Size

933KB
MD5

5b057a9fe18c550f8fdae897acb1d64f
SHA1

9277dace08eb8e80e074ffec7c5b9559528a8596
SHA256

c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4
SHA512

791b87ea622b5356932c8f302cb0cdc560669cbf2a01f162c16fe3c9bb3ae97fec99cc86de26153c73972843990b176dc45f6d01a767147386189ccf44a4579e
SSDEEP

24576:+VMEhyWxJIBSs9GRGC/yvDcsaWrqt3ieYDIe6:+VMEhyMIFOw0W2tSnDIe6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1228	1916720.exe

Deletes itself 1 IoCs

pid	Process
960	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
960	cmd.exe
960	cmd.exe
1228	1916720.exe
1228	1916720.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4 = "\"C:\\Users\\Admin\\AppData\\Local\\1916720.exe\" 0 31 "	c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	1916720.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\1916720 = "\"C:\\Users\\Admin\\AppData\\Local\\1916720.exe\" 0 20 "	1916720.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1736	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1228	1916720.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1228	1916720.exe
1228	1916720.exe
1228	1916720.exe
1228	1916720.exe
1228	1916720.exe
1228	1916720.exe
1228	1916720.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
1228	1916720.exe
1228	1916720.exe
1228	1916720.exe
1228	1916720.exe
1228	1916720.exe
1228	1916720.exe
1228	1916720.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 960	748	c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4.exe	28
PID 748 wrote to memory of 960	748	c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4.exe	28
PID 748 wrote to memory of 960	748	c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4.exe	28
PID 748 wrote to memory of 960	748	c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4.exe	28
PID 960 wrote to memory of 1736	960	cmd.exe	30
PID 960 wrote to memory of 1736	960	cmd.exe	30
PID 960 wrote to memory of 1736	960	cmd.exe	30
PID 960 wrote to memory of 1736	960	cmd.exe	30
PID 960 wrote to memory of 1228	960	cmd.exe	31
PID 960 wrote to memory of 1228	960	cmd.exe	31
PID 960 wrote to memory of 1228	960	cmd.exe	31
PID 960 wrote to memory of 1228	960	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4.exe
"C:\Users\Admin\AppData\Local\Temp\c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\563233.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4 /f
    3⤵
    - Modifies registry key
    PID:1736
- - C:\Users\Admin\AppData\Local\1916720.exe
    C:\Users\Admin\AppData\Local\1916720.exe -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1916720.exe

Filesize
933KB

MD5
5b057a9fe18c550f8fdae897acb1d64f

SHA1
9277dace08eb8e80e074ffec7c5b9559528a8596

SHA256
c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4

SHA512
791b87ea622b5356932c8f302cb0cdc560669cbf2a01f162c16fe3c9bb3ae97fec99cc86de26153c73972843990b176dc45f6d01a767147386189ccf44a4579e

Download Submit
C:\Users\Admin\AppData\Local\1916720.exe

Filesize
933KB

MD5
5b057a9fe18c550f8fdae897acb1d64f

SHA1
9277dace08eb8e80e074ffec7c5b9559528a8596

SHA256
c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4

SHA512
791b87ea622b5356932c8f302cb0cdc560669cbf2a01f162c16fe3c9bb3ae97fec99cc86de26153c73972843990b176dc45f6d01a767147386189ccf44a4579e

Download Submit
C:\Users\Admin\AppData\Local\Temp\563233.bat

Filesize
455B

MD5
16bd69482ff7c924578af0af5c0f0eb5

SHA1
175d420238ad45f960aa667eb3f069d2fd961ea0

SHA256
6a19403aaa052f9fb172cb4dc3313cccd9f23f8e3d20b247a8cf271560554dbe

SHA512
f511c6571a64d46a1c8cd7fb65a08258ce04d4dce82e7e68faf0ad877adc9b2271ed30dac67c317b6b113b6f2103214e0ab69a6c44914930b553eae2aebdd186

Download Submit
\Users\Admin\AppData\Local\1916720.exe

Filesize
933KB

MD5
5b057a9fe18c550f8fdae897acb1d64f

SHA1
9277dace08eb8e80e074ffec7c5b9559528a8596

SHA256
c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4

SHA512
791b87ea622b5356932c8f302cb0cdc560669cbf2a01f162c16fe3c9bb3ae97fec99cc86de26153c73972843990b176dc45f6d01a767147386189ccf44a4579e

Download Submit
\Users\Admin\AppData\Local\1916720.exe

Filesize
933KB

MD5
5b057a9fe18c550f8fdae897acb1d64f

SHA1
9277dace08eb8e80e074ffec7c5b9559528a8596

SHA256
c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4

SHA512
791b87ea622b5356932c8f302cb0cdc560669cbf2a01f162c16fe3c9bb3ae97fec99cc86de26153c73972843990b176dc45f6d01a767147386189ccf44a4579e

Download Submit
\Users\Admin\AppData\Local\1916720.exe

Filesize
933KB

MD5
5b057a9fe18c550f8fdae897acb1d64f

SHA1
9277dace08eb8e80e074ffec7c5b9559528a8596

SHA256
c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4

SHA512
791b87ea622b5356932c8f302cb0cdc560669cbf2a01f162c16fe3c9bb3ae97fec99cc86de26153c73972843990b176dc45f6d01a767147386189ccf44a4579e

Download Submit
\Users\Admin\AppData\Local\1916720.exe

Filesize
933KB

MD5
5b057a9fe18c550f8fdae897acb1d64f

SHA1
9277dace08eb8e80e074ffec7c5b9559528a8596

SHA256
c24b1996416788b175d9015db9a53e97ade89ea2754fd7c2f33fcb10d41d5ff4

SHA512
791b87ea622b5356932c8f302cb0cdc560669cbf2a01f162c16fe3c9bb3ae97fec99cc86de26153c73972843990b176dc45f6d01a767147386189ccf44a4579e

Download Submit
memory/748-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/748-55-0x0000000000400000-0x0000000000830D8B-memory.dmp

Filesize
4.2MB

Download
memory/748-61-0x000000000088E000-0x0000000000891000-memory.dmp

Filesize
12KB

Download
memory/748-58-0x000000000088E000-0x0000000000891000-memory.dmp

Filesize
12KB

Download
memory/748-57-0x0000000000400000-0x0000000000830D8B-memory.dmp

Filesize
4.2MB

Download
memory/748-56-0x000000000088E000-0x0000000000891000-memory.dmp

Filesize
12KB

Download
memory/748-60-0x0000000000400000-0x0000000000830D8B-memory.dmp

Filesize
4.2MB

Download
memory/1228-71-0x0000000000400000-0x0000000000830D8B-memory.dmp

Filesize
4.2MB

Download
memory/1228-72-0x00000000009AE000-0x00000000009B1000-memory.dmp

Filesize
12KB

Download
memory/1228-74-0x0000000000400000-0x0000000000830D8B-memory.dmp

Filesize
4.2MB

Download
memory/1228-75-0x00000000009AE000-0x00000000009B1000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads