7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3

General

Target

7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3.exe
Size

92KB
MD5

1faf1a6d11f930ab4f368e71a3a23c2b
SHA1

e1475f36999b135811261d2295cca7c3a900271b
SHA256

7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3
SHA512

d5a843c6c2245e5e7619632f4fd7db97bea54df9af9d02279801fd58d6fd7caf15f99dbfbeee4902578100140115bcde3daa573c8b4f9d64cfbf5d9511f21ccf
SSDEEP

768:fGTkFdPGWIn0cN6lfypHb3Pb9XbxPhCgvmC3emu4v/eo4z7VP7LdGSu2HyTAzfMA:4UGRmYf1Hg354vM

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	alg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lsass = "c:\\windows\\system\\alg.exe"	alg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\svchost.exe"	alg.exe

Executes dropped EXE 1 IoCs

pid	Process
1144	alg.exe

Deletes itself 1 IoCs

pid	Process
1472	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
1776	7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3.exe
1776	7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3.exe
1144	alg.exe
1144	alg.exe
1144	alg.exe
1144	alg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.aaa	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1144	1776	7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3.exe	27
PID 1776 wrote to memory of 1144	1776	7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3.exe	27
PID 1776 wrote to memory of 1144	1776	7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3.exe	27
PID 1776 wrote to memory of 1144	1776	7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3.exe	27
PID 1144 wrote to memory of 1364	1144	alg.exe	28
PID 1144 wrote to memory of 1364	1144	alg.exe	28
PID 1144 wrote to memory of 1364	1144	alg.exe	28
PID 1144 wrote to memory of 1364	1144	alg.exe	28
PID 1776 wrote to memory of 1472	1776	7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3.exe	31
PID 1776 wrote to memory of 1472	1776	7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3.exe	31
PID 1776 wrote to memory of 1472	1776	7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3.exe	31
PID 1776 wrote to memory of 1472	1776	7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3.exe	31

C:\Users\Admin\AppData\Local\Temp\7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3.exe
"C:\Users\Admin\AppData\Local\Temp\7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776
- \??\c:\windows\system\alg.exe
  c:\windows\system\alg.exe
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\temp\*.* /q /s
    3⤵
    PID:1364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7A5068~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\alg.exe

Filesize
92KB

MD5
1faf1a6d11f930ab4f368e71a3a23c2b

SHA1
e1475f36999b135811261d2295cca7c3a900271b

SHA256
7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3

SHA512
d5a843c6c2245e5e7619632f4fd7db97bea54df9af9d02279801fd58d6fd7caf15f99dbfbeee4902578100140115bcde3daa573c8b4f9d64cfbf5d9511f21ccf

Download Submit
\??\c:\windows\system\alg.exe

Filesize
92KB

MD5
1faf1a6d11f930ab4f368e71a3a23c2b

SHA1
e1475f36999b135811261d2295cca7c3a900271b

SHA256
7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3

SHA512
d5a843c6c2245e5e7619632f4fd7db97bea54df9af9d02279801fd58d6fd7caf15f99dbfbeee4902578100140115bcde3daa573c8b4f9d64cfbf5d9511f21ccf

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\Windows\system\alg.exe

Filesize
92KB

MD5
1faf1a6d11f930ab4f368e71a3a23c2b

SHA1
e1475f36999b135811261d2295cca7c3a900271b

SHA256
7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3

SHA512
d5a843c6c2245e5e7619632f4fd7db97bea54df9af9d02279801fd58d6fd7caf15f99dbfbeee4902578100140115bcde3daa573c8b4f9d64cfbf5d9511f21ccf

Download Submit
\Windows\system\alg.exe

Filesize
92KB

MD5
1faf1a6d11f930ab4f368e71a3a23c2b

SHA1
e1475f36999b135811261d2295cca7c3a900271b

SHA256
7a5068443ed1dc0395adc88b8beb98bbb735af2e5174e589698b35a74f2a61e3

SHA512
d5a843c6c2245e5e7619632f4fd7db97bea54df9af9d02279801fd58d6fd7caf15f99dbfbeee4902578100140115bcde3daa573c8b4f9d64cfbf5d9511f21ccf

Download Submit
memory/1144-72-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1144-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1776-63-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download
memory/1776-67-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1776-62-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1776-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1776-64-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing