30e4b39310182374314113ffd59153eaee3378b091790ca15e4e1df0fa278621

General

Target

30e4b39310182374314113ffd59153eaee3378b091790ca15e4e1df0fa278621.exe
Size

44KB
MD5

54ee976b1768e9e332394e7de631feaa
SHA1

633fb759cdba5c4679b3c1fd27b211c46353f303
SHA256

30e4b39310182374314113ffd59153eaee3378b091790ca15e4e1df0fa278621
SHA512

ce971b6544540dbfc69b23b359e8dbf8b260f9c0d10010426abf5d58aa09d3fc57ff62bd9eeb854a1e75828ce0f1f3bcd14e9958ef5eb917b05d10427297f1ea
SSDEEP

768:JiSrB8yBUvsISCKzvKbax5nW26N581Y6HujHWUqvtq1QzwF125gNpCsWvEnadYIs:tZ5jpNuoWjwgMvEnaKIT

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
684	Trojan.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2036	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe

Loads dropped DLL 1 IoCs

pid	Process
1676	30e4b39310182374314113ffd59153eaee3378b091790ca15e4e1df0fa278621.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
684	Trojan.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	684	Trojan.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 684	1676	30e4b39310182374314113ffd59153eaee3378b091790ca15e4e1df0fa278621.exe	30
PID 1676 wrote to memory of 684	1676	30e4b39310182374314113ffd59153eaee3378b091790ca15e4e1df0fa278621.exe	30
PID 1676 wrote to memory of 684	1676	30e4b39310182374314113ffd59153eaee3378b091790ca15e4e1df0fa278621.exe	30
PID 1676 wrote to memory of 684	1676	30e4b39310182374314113ffd59153eaee3378b091790ca15e4e1df0fa278621.exe	30
PID 684 wrote to memory of 2036	684	Trojan.exe	28
PID 684 wrote to memory of 2036	684	Trojan.exe	28
PID 684 wrote to memory of 2036	684	Trojan.exe	28
PID 684 wrote to memory of 2036	684	Trojan.exe	28

C:\Users\Admin\AppData\Local\Temp\30e4b39310182374314113ffd59153eaee3378b091790ca15e4e1df0fa278621.exe
"C:\Users\Admin\AppData\Local\Temp\30e4b39310182374314113ffd59153eaee3378b091790ca15e4e1df0fa278621.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\Trojan.exe
  "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:684

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
1⤵
- Modifies Windows Firewall
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
44KB

MD5
54ee976b1768e9e332394e7de631feaa

SHA1
633fb759cdba5c4679b3c1fd27b211c46353f303

SHA256
30e4b39310182374314113ffd59153eaee3378b091790ca15e4e1df0fa278621

SHA512
ce971b6544540dbfc69b23b359e8dbf8b260f9c0d10010426abf5d58aa09d3fc57ff62bd9eeb854a1e75828ce0f1f3bcd14e9958ef5eb917b05d10427297f1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
44KB

MD5
54ee976b1768e9e332394e7de631feaa

SHA1
633fb759cdba5c4679b3c1fd27b211c46353f303

SHA256
30e4b39310182374314113ffd59153eaee3378b091790ca15e4e1df0fa278621

SHA512
ce971b6544540dbfc69b23b359e8dbf8b260f9c0d10010426abf5d58aa09d3fc57ff62bd9eeb854a1e75828ce0f1f3bcd14e9958ef5eb917b05d10427297f1ea

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
44KB

MD5
54ee976b1768e9e332394e7de631feaa

SHA1
633fb759cdba5c4679b3c1fd27b211c46353f303

SHA256
30e4b39310182374314113ffd59153eaee3378b091790ca15e4e1df0fa278621

SHA512
ce971b6544540dbfc69b23b359e8dbf8b260f9c0d10010426abf5d58aa09d3fc57ff62bd9eeb854a1e75828ce0f1f3bcd14e9958ef5eb917b05d10427297f1ea

Download Submit
memory/684-63-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/684-64-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download
memory/1676-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/1676-61-0x0000000074C30000-0x00000000751DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing