25a800784da292624e12476b094bc738159b28d1c8cf898b11d420bb4bcbd6d2

General

Target

25a800784da292624e12476b094bc738159b28d1c8cf898b11d420bb4bcbd6d2.exe
Size

658KB
MD5

723da43b1570634cd1fe33f3f3917560
SHA1

cb722c97ed8521bbfb8aeea807bfae8e27268505
SHA256

25a800784da292624e12476b094bc738159b28d1c8cf898b11d420bb4bcbd6d2
SHA512

e740dc9b776c94d8ec04c6494da5148bb951012a6ca7e87519ae7893a1da6955c78e3387e77b1fbc1bbee71b34a1f8e4ed10fbfa9ee84fddb5ebfa8e4c58c106
SSDEEP

12288:SaejG/5NwYkK19iOCr+TMoO30mYn0YaAsGhQHxM5DKTrH5eZQ2T:2jGAK19iOCr+TMoO30mYn0YaAstHxM5n

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
2	668	rundll32.exe
3	668	rundll32.exe
4	668	rundll32.exe
6	668	rundll32.exe
8	668	rundll32.exe
9	668	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\.Net CL\Parameters\ServiceDll = "C:\\Windows\\system32\\6c204e.dll"	25a800784da292624e12476b094bc738159b28d1c8cf898b11d420bb4bcbd6d2.exe

Deletes itself 1 IoCs

pid	Process
520	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
1672	25a800784da292624e12476b094bc738159b28d1c8cf898b11d420bb4bcbd6d2.exe
1576	svchost.exe
668	rundll32.exe
668	rundll32.exe
668	rundll32.exe
668	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\6c204e.dll	25a800784da292624e12476b094bc738159b28d1c8cf898b11d420bb4bcbd6d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1672	25a800784da292624e12476b094bc738159b28d1c8cf898b11d420bb4bcbd6d2.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 668	1576	svchost.exe	29
PID 1576 wrote to memory of 668	1576	svchost.exe	29
PID 1576 wrote to memory of 668	1576	svchost.exe	29
PID 1576 wrote to memory of 668	1576	svchost.exe	29
PID 1576 wrote to memory of 668	1576	svchost.exe	29
PID 1576 wrote to memory of 668	1576	svchost.exe	29
PID 1576 wrote to memory of 668	1576	svchost.exe	29
PID 1672 wrote to memory of 520	1672	25a800784da292624e12476b094bc738159b28d1c8cf898b11d420bb4bcbd6d2.exe	28
PID 1672 wrote to memory of 520	1672	25a800784da292624e12476b094bc738159b28d1c8cf898b11d420bb4bcbd6d2.exe	28
PID 1672 wrote to memory of 520	1672	25a800784da292624e12476b094bc738159b28d1c8cf898b11d420bb4bcbd6d2.exe	28
PID 1672 wrote to memory of 520	1672	25a800784da292624e12476b094bc738159b28d1c8cf898b11d420bb4bcbd6d2.exe	28

C:\Users\Admin\AppData\Local\Temp\25a800784da292624e12476b094bc738159b28d1c8cf898b11d420bb4bcbd6d2.exe
"C:\Users\Admin\AppData\Local\Temp\25a800784da292624e12476b094bc738159b28d1c8cf898b11d420bb4bcbd6d2.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\25A800~1.EXE" > nul
  2⤵
  - Deletes itself
  PID:520

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k ".Net CL"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\6c204e.dll, Launch
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\6c204e.dll

Filesize
610KB

MD5
d3b487e2b0a8318e0e1a47b7eab5dea4

SHA1
c49e255cea5f8f350ad0654b33426920a10a9f70

SHA256
af5d74f1b77f08ecc53cbb0f9375fae77e6ce89d8e8c0e01359a54ed26b1b572

SHA512
d26bca0c7ec207f48c8b9d9fdf9d9c3aa3a397a660ff36b6f1ec12570f44fe704e5d4202d92952f5535d00066779222ec4d8f777ea1408ab6dc76c57d0d1de80

Download Submit
\Windows\SysWOW64\6c204e.dll

Filesize
610KB

MD5
d3b487e2b0a8318e0e1a47b7eab5dea4

SHA1
c49e255cea5f8f350ad0654b33426920a10a9f70

SHA256
af5d74f1b77f08ecc53cbb0f9375fae77e6ce89d8e8c0e01359a54ed26b1b572

SHA512
d26bca0c7ec207f48c8b9d9fdf9d9c3aa3a397a660ff36b6f1ec12570f44fe704e5d4202d92952f5535d00066779222ec4d8f777ea1408ab6dc76c57d0d1de80

Download Submit
\Windows\SysWOW64\6c204e.dll

Filesize
610KB

MD5
d3b487e2b0a8318e0e1a47b7eab5dea4

SHA1
c49e255cea5f8f350ad0654b33426920a10a9f70

SHA256
af5d74f1b77f08ecc53cbb0f9375fae77e6ce89d8e8c0e01359a54ed26b1b572

SHA512
d26bca0c7ec207f48c8b9d9fdf9d9c3aa3a397a660ff36b6f1ec12570f44fe704e5d4202d92952f5535d00066779222ec4d8f777ea1408ab6dc76c57d0d1de80

Download Submit
\Windows\SysWOW64\6c204e.dll

Filesize
610KB

MD5
d3b487e2b0a8318e0e1a47b7eab5dea4

SHA1
c49e255cea5f8f350ad0654b33426920a10a9f70

SHA256
af5d74f1b77f08ecc53cbb0f9375fae77e6ce89d8e8c0e01359a54ed26b1b572

SHA512
d26bca0c7ec207f48c8b9d9fdf9d9c3aa3a397a660ff36b6f1ec12570f44fe704e5d4202d92952f5535d00066779222ec4d8f777ea1408ab6dc76c57d0d1de80

Download Submit
\Windows\SysWOW64\6c204e.dll

Filesize
610KB

MD5
d3b487e2b0a8318e0e1a47b7eab5dea4

SHA1
c49e255cea5f8f350ad0654b33426920a10a9f70

SHA256
af5d74f1b77f08ecc53cbb0f9375fae77e6ce89d8e8c0e01359a54ed26b1b572

SHA512
d26bca0c7ec207f48c8b9d9fdf9d9c3aa3a397a660ff36b6f1ec12570f44fe704e5d4202d92952f5535d00066779222ec4d8f777ea1408ab6dc76c57d0d1de80

Download Submit
\Windows\SysWOW64\6c204e.dll

Filesize
610KB

MD5
d3b487e2b0a8318e0e1a47b7eab5dea4

SHA1
c49e255cea5f8f350ad0654b33426920a10a9f70

SHA256
af5d74f1b77f08ecc53cbb0f9375fae77e6ce89d8e8c0e01359a54ed26b1b572

SHA512
d26bca0c7ec207f48c8b9d9fdf9d9c3aa3a397a660ff36b6f1ec12570f44fe704e5d4202d92952f5535d00066779222ec4d8f777ea1408ab6dc76c57d0d1de80

Download Submit
\Windows\SysWOW64\6c204e.dll

Filesize
610KB

MD5
d3b487e2b0a8318e0e1a47b7eab5dea4

SHA1
c49e255cea5f8f350ad0654b33426920a10a9f70

SHA256
af5d74f1b77f08ecc53cbb0f9375fae77e6ce89d8e8c0e01359a54ed26b1b572

SHA512
d26bca0c7ec207f48c8b9d9fdf9d9c3aa3a397a660ff36b6f1ec12570f44fe704e5d4202d92952f5535d00066779222ec4d8f777ea1408ab6dc76c57d0d1de80

Download Submit
memory/1672-55-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing