23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c

General

Target

23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c.exe
Size

814KB
MD5

f8cc0f2d5b075330655693bb91fd9c8e
SHA1

9e82ca11ddf2d1b3297bf5b85c79a533ef4acb2c
SHA256

23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c
SHA512

e4c99b3878af5ae29940189eebf77a062059f5aa74a22516185b86756145196801a6103e1443b3c5ecf38eb99af33731999952caa7071f5ee404733bdffaac9e
SSDEEP

12288:I398i1G64emXegqmyzszMTCu1xMw59dx9+Ot04SUgjSH16DUtOpXrPJanx1ah/MN:I3fGVOtJsQxMe9dxTt0pjYy7Ju1QMS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1384	41465452.exe

Deletes itself 1 IoCs

pid	Process
1968	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
1968	cmd.exe
1968	cmd.exe
1384	41465452.exe
1384	41465452.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\41465452 = "\"C:\\Users\\Admin\\AppData\\Local\\41465452.exe\" 0 29 "	41465452.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c = "\"C:\\Users\\Admin\\AppData\\Local\\41465452.exe\" 0 42 "	23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	41465452.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1584	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1384	41465452.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
1384	41465452.exe
1384	41465452.exe
1384	41465452.exe
1384	41465452.exe
1384	41465452.exe
1384	41465452.exe
1384	41465452.exe
1384	41465452.exe
1384	41465452.exe
1384	41465452.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
1384	41465452.exe
1384	41465452.exe
1384	41465452.exe
1384	41465452.exe
1384	41465452.exe
1384	41465452.exe
1384	41465452.exe
1384	41465452.exe
1384	41465452.exe
1384	41465452.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1968	1976	23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c.exe	28
PID 1976 wrote to memory of 1968	1976	23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c.exe	28
PID 1976 wrote to memory of 1968	1976	23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c.exe	28
PID 1976 wrote to memory of 1968	1976	23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c.exe	28
PID 1968 wrote to memory of 1584	1968	cmd.exe	30
PID 1968 wrote to memory of 1584	1968	cmd.exe	30
PID 1968 wrote to memory of 1584	1968	cmd.exe	30
PID 1968 wrote to memory of 1584	1968	cmd.exe	30
PID 1968 wrote to memory of 1384	1968	cmd.exe	31
PID 1968 wrote to memory of 1384	1968	cmd.exe	31
PID 1968 wrote to memory of 1384	1968	cmd.exe	31
PID 1968 wrote to memory of 1384	1968	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c.exe
"C:\Users\Admin\AppData\Local\Temp\23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\764522.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c /f
    3⤵
    - Modifies registry key
    PID:1584
- - C:\Users\Admin\AppData\Local\41465452.exe
    C:\Users\Admin\AppData\Local\41465452.exe -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\41465452.exe

Filesize
814KB

MD5
f8cc0f2d5b075330655693bb91fd9c8e

SHA1
9e82ca11ddf2d1b3297bf5b85c79a533ef4acb2c

SHA256
23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c

SHA512
e4c99b3878af5ae29940189eebf77a062059f5aa74a22516185b86756145196801a6103e1443b3c5ecf38eb99af33731999952caa7071f5ee404733bdffaac9e

Download Submit
C:\Users\Admin\AppData\Local\41465452.exe

Filesize
814KB

MD5
f8cc0f2d5b075330655693bb91fd9c8e

SHA1
9e82ca11ddf2d1b3297bf5b85c79a533ef4acb2c

SHA256
23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c

SHA512
e4c99b3878af5ae29940189eebf77a062059f5aa74a22516185b86756145196801a6103e1443b3c5ecf38eb99af33731999952caa7071f5ee404733bdffaac9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\764522.bat

Filesize
456B

MD5
09d36d8a69d75a1a3de018ac483dae5d

SHA1
d02f00c47a0241996984bb4bb8986e7de9c02514

SHA256
a9755a4e6e6b20f615df5fe6960fe758a44b8be1cb6d546061137ee7c361a59a

SHA512
af4ff6f62d18feb148e70d5f09844deb98d71e4f5c0deeb38451ce6ecfe73a5af9f073ce22b5220ddaf87d99ffde61980693dd2b3cc635e2ec65a65d665689c0

Download Submit
\Users\Admin\AppData\Local\41465452.exe

Filesize
814KB

MD5
f8cc0f2d5b075330655693bb91fd9c8e

SHA1
9e82ca11ddf2d1b3297bf5b85c79a533ef4acb2c

SHA256
23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c

SHA512
e4c99b3878af5ae29940189eebf77a062059f5aa74a22516185b86756145196801a6103e1443b3c5ecf38eb99af33731999952caa7071f5ee404733bdffaac9e

Download Submit
\Users\Admin\AppData\Local\41465452.exe

Filesize
814KB

MD5
f8cc0f2d5b075330655693bb91fd9c8e

SHA1
9e82ca11ddf2d1b3297bf5b85c79a533ef4acb2c

SHA256
23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c

SHA512
e4c99b3878af5ae29940189eebf77a062059f5aa74a22516185b86756145196801a6103e1443b3c5ecf38eb99af33731999952caa7071f5ee404733bdffaac9e

Download Submit
\Users\Admin\AppData\Local\41465452.exe

Filesize
814KB

MD5
f8cc0f2d5b075330655693bb91fd9c8e

SHA1
9e82ca11ddf2d1b3297bf5b85c79a533ef4acb2c

SHA256
23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c

SHA512
e4c99b3878af5ae29940189eebf77a062059f5aa74a22516185b86756145196801a6103e1443b3c5ecf38eb99af33731999952caa7071f5ee404733bdffaac9e

Download Submit
\Users\Admin\AppData\Local\41465452.exe

Filesize
814KB

MD5
f8cc0f2d5b075330655693bb91fd9c8e

SHA1
9e82ca11ddf2d1b3297bf5b85c79a533ef4acb2c

SHA256
23c6516249af78454736133616ef6edbabb52d17c6c05c0780aec08ee9a5889c

SHA512
e4c99b3878af5ae29940189eebf77a062059f5aa74a22516185b86756145196801a6103e1443b3c5ecf38eb99af33731999952caa7071f5ee404733bdffaac9e

Download Submit
memory/1384-65-0x0000000001000000-0x0000000001447000-memory.dmp

Filesize
4.3MB

Download
memory/1384-69-0x0000000000C90000-0x0000000000CA0000-memory.dmp

Filesize
64KB

Download
memory/1384-70-0x0000000001000000-0x0000000001447000-memory.dmp

Filesize
4.3MB

Download
memory/1384-71-0x0000000003180000-0x00000000035C7000-memory.dmp

Filesize
4.3MB

Download
memory/1976-56-0x0000000003180000-0x00000000035C7000-memory.dmp

Filesize
4.3MB

Download
memory/1976-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/1976-55-0x0000000001000000-0x0000000001447000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads