06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6

General

Target

06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe
Size

97KB
MD5

b42e9fd553c56d237b7f4108fd3a300b
SHA1

5d4c5f97bccc014c301f2b8e60991944c0b9fe4d
SHA256

06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6
SHA512

d93b6527a47899bb6edf056f6078971ec9706d30c99e22697a6a043461f1193ca6d89591ea7dae9f289c2a3ec098fe3adb320e1e8bd686e263cece8546ba957b
SSDEEP

1536:k2QVxKF0WN7VU5igbxGyAjsA8uNayVulLDvr1RH7pnGjLjx/QkqMG7:3Yjo7VZ+NAjfpVulLDjbILjx/QkqMA

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\03D3273E\ImagePath = "system32\\03D3273E.sys"	06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\drmkaud\ImagePath = "Base"	06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\drmkaud\ImagePath = "system32\\drmkaud.sys"	06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe

Deletes itself 1 IoCs

pid	Process
708	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
964	06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe
652	Svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\30EE04F4.tmp	06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe
File opened for modification	C:\Windows\SysWOW64\03D3273E.sys	06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe
File opened for modification	C:\Windows\SysWOW64\7FAE1DC0.sys	06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\KB2536276666.log	06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
964	06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	964	06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 708	964	06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe	29
PID 964 wrote to memory of 708	964	06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe	29
PID 964 wrote to memory of 708	964	06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe	29
PID 964 wrote to memory of 708	964	06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe	29

C:\Users\Admin\AppData\Local\Temp\06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe
"C:\Users\Admin\AppData\Local\Temp\06ddea2636416706b0465622e88e8056fe73c3c43dcf80748e35ff9d1e5361b6.exe"
1⤵
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\08b9494b.bat" "
  2⤵
  - Deletes itself
  PID:708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1340

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\08b9494b.bat

Filesize
303B

MD5
2a06e4dcb92bde1099f198b4ac0defac

SHA1
0f58e9c997298c88e7e4c6cd7228c985358dddee

SHA256
6566b9f6476d449c528a2ab6bbf0cc07ac8c93b23cbe2172aec0b6d8d84d47c2

SHA512
2c6f0a375fffc38fc431125aee530a315448a355a6a3aa7392f79412596f4008ed30f6eeb45c01435bf0492aa2fb11095e1925a5d3615ffce96377efdd380e7c

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
25KB

MD5
aa506e559f4c2f1f48a2050304c36ca4

SHA1
39b17e9691a554954c1098e776c6f18326c62b34

SHA256
fe89d9c3e872db0ab6b197d2809b614de61eac14eeaee685d5095ba9b8f8178f

SHA512
feb11b759277edb136610bdf862cb476abf2332990d6baca6d3b11654be1a23437ffc2f29a97794853f1bd4770102ec3ebac45db36516a3cdb71bcb78b362737

Download Submit
\Windows\SysWOW64\30EE04F4.tmp

Filesize
97KB

MD5
32b239250caac2b742653e9de5fa807a

SHA1
e85633f19920732e71905c30348b986e8dcf78b2

SHA256
ade51fe4578bfd39bbf2a5a3163c04e364c7b8cb1c5351b015eb65157fc2f77a

SHA512
040cbcdf98bdd4040488b0e6304c160ed9703f66d42636d104a0959a69f6b7ac867e902f7e47a1566b05fe7e73fecf239b254658841858595cbe6b315bc38cee

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
25KB

MD5
aa506e559f4c2f1f48a2050304c36ca4

SHA1
39b17e9691a554954c1098e776c6f18326c62b34

SHA256
fe89d9c3e872db0ab6b197d2809b614de61eac14eeaee685d5095ba9b8f8178f

SHA512
feb11b759277edb136610bdf862cb476abf2332990d6baca6d3b11654be1a23437ffc2f29a97794853f1bd4770102ec3ebac45db36516a3cdb71bcb78b362737

Download Submit
memory/964-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/964-56-0x0000000002600000-0x0000000006600000-memory.dmp

Filesize
64.0MB

Download
memory/964-57-0x00000000763B0000-0x0000000076410000-memory.dmp

Filesize
384KB

Download
memory/964-58-0x0000000002600000-0x0000000006600000-memory.dmp

Filesize
64.0MB

Download
memory/964-59-0x00000000763B0000-0x0000000076410000-memory.dmp

Filesize
384KB

Download
memory/964-64-0x00000000763B0000-0x0000000076410000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads