2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63

General

Target

2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe
Size

132KB
MD5

a09a125cc16f07836bb1eb52dd909f9c
SHA1

00ad713fc6272ec538a40183c4d61d0445040d44
SHA256

2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63
SHA512

abef163596b70ef0683ad1c0517f3a84dba7ae8123796faf459baa73901bedcb5e6cd166123140f38b5212dc1df54b5906082e0faba14a54da4071a1a179c2a0
SSDEEP

1536:sWu9biJ4HFR0P1KJkugwfnOswkqRqxqBq5swhy5KhdIfu/AvE1gf2jlaRYVF7W:YFR2oaKhdIfu/2igf2jYR5

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Netscape\\Netscape.exe"	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe

Modifies firewall policy service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Netscape = "C:\\Users\\Admin\\AppData\\Roaming\\Netscape\\Netscape.exe:*:Enabled:Netscape"	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Netscape = "C:\\Users\\Admin\\AppData\\Roaming\\Netscape\\Netscape.exe:*:Enabled:Netscape"	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Netscape = "C:\\Users\\Admin\\AppData\\Roaming\\Netscape\\Netscape.exe"	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Netscape = "C:\\Users\\Admin\\AppData\\Roaming\\Netscape\\Netscape.exe"	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe

Executes dropped EXE 3 IoCs

pid	Process
1220	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe
1972	Netscape.exe
1224	Netscape.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1220-61-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1220-63-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1220-64-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1220-68-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1220-69-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1220-71-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1220-74-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1224-91-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
848	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Netscape = "C:\\Users\\Admin\\AppData\\Roaming\\Netscape\\Netscape.exe"	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Netscape = "C:\\Users\\Admin\\AppData\\Roaming\\Netscape\\Netscape.exe"	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 848 set thread context of 1220	848	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe	27
PID 1972 set thread context of 1224	1972	Netscape.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1224	Netscape.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1220	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 28594758385401916	1224	Netscape.exe
Token: 18033614193164298	1224	Netscape.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
848	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe
1972	Netscape.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1220	848	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe	27
PID 848 wrote to memory of 1220	848	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe	27
PID 848 wrote to memory of 1220	848	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe	27
PID 848 wrote to memory of 1220	848	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe	27
PID 848 wrote to memory of 1220	848	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe	27
PID 848 wrote to memory of 1220	848	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe	27
PID 848 wrote to memory of 1220	848	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe	27
PID 848 wrote to memory of 1220	848	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe	27
PID 1220 wrote to memory of 1972	1220	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe	28
PID 1220 wrote to memory of 1972	1220	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe	28
PID 1220 wrote to memory of 1972	1220	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe	28
PID 1220 wrote to memory of 1972	1220	2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe	28
PID 1972 wrote to memory of 1224	1972	Netscape.exe	29
PID 1972 wrote to memory of 1224	1972	Netscape.exe	29
PID 1972 wrote to memory of 1224	1972	Netscape.exe	29
PID 1972 wrote to memory of 1224	1972	Netscape.exe	29
PID 1972 wrote to memory of 1224	1972	Netscape.exe	29
PID 1972 wrote to memory of 1224	1972	Netscape.exe	29
PID 1972 wrote to memory of 1224	1972	Netscape.exe	29
PID 1972 wrote to memory of 1224	1972	Netscape.exe	29

C:\Users\Admin\AppData\Local\Temp\2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe
"C:\Users\Admin\AppData\Local\Temp\2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe
  "C:\Users\Admin\AppData\Local\Temp\2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies firewall policy service
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Users\Admin\AppData\Roaming\Netscape\Netscape.exe
    "C:\Users\Admin\AppData\Roaming\Netscape\Netscape.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Users\Admin\AppData\Roaming\Netscape\Netscape.exe
      "C:\Users\Admin\AppData\Roaming\Netscape\Netscape.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe

Filesize
132KB

MD5
a09a125cc16f07836bb1eb52dd909f9c

SHA1
00ad713fc6272ec538a40183c4d61d0445040d44

SHA256
2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63

SHA512
abef163596b70ef0683ad1c0517f3a84dba7ae8123796faf459baa73901bedcb5e6cd166123140f38b5212dc1df54b5906082e0faba14a54da4071a1a179c2a0

Download Submit
C:\Users\Admin\AppData\Roaming\Netscape\Netscape.exe

Filesize
132KB

MD5
a09a125cc16f07836bb1eb52dd909f9c

SHA1
00ad713fc6272ec538a40183c4d61d0445040d44

SHA256
2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63

SHA512
abef163596b70ef0683ad1c0517f3a84dba7ae8123796faf459baa73901bedcb5e6cd166123140f38b5212dc1df54b5906082e0faba14a54da4071a1a179c2a0

Download Submit
C:\Users\Admin\AppData\Roaming\Netscape\Netscape.exe

Filesize
132KB

MD5
a09a125cc16f07836bb1eb52dd909f9c

SHA1
00ad713fc6272ec538a40183c4d61d0445040d44

SHA256
2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63

SHA512
abef163596b70ef0683ad1c0517f3a84dba7ae8123796faf459baa73901bedcb5e6cd166123140f38b5212dc1df54b5906082e0faba14a54da4071a1a179c2a0

Download Submit
\Users\Admin\AppData\Local\Temp\2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63.exe

Filesize
132KB

MD5
a09a125cc16f07836bb1eb52dd909f9c

SHA1
00ad713fc6272ec538a40183c4d61d0445040d44

SHA256
2ccdd0148b4c0764e332486b15b3678ea6258f338a6f23cb258faa6844ec2f63

SHA512
abef163596b70ef0683ad1c0517f3a84dba7ae8123796faf459baa73901bedcb5e6cd166123140f38b5212dc1df54b5906082e0faba14a54da4071a1a179c2a0

Download Submit
memory/848-57-0x00000000002D0000-0x00000000002D4000-memory.dmp

Filesize
16KB

Download
memory/848-58-0x00000000002D0000-0x00000000002D4000-memory.dmp

Filesize
16KB

Download
memory/848-56-0x00000000002D0000-0x00000000002D4000-memory.dmp

Filesize
16KB

Download
memory/1220-61-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1220-60-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1220-64-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1220-68-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1220-69-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1220-70-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1220-71-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1220-63-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1220-74-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1224-91-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1972-79-0x000000000057F000-0x0000000000583000-memory.dmp

Filesize
16KB

Download
memory/1972-77-0x000000000057F000-0x0000000000583000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads