b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8

General

Target

b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8.exe
Size

856KB
MD5

70468606a8a9d89f3a072356b9a36ff0
SHA1

498c188f02cb551c76aae3b0a9d8854e2d228cbb
SHA256

b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8
SHA512

edec75128fa8359e365f851833dfbecb2797157569e2a1b2a00667d658888e278fd9683e1d0a5a5ecde690502ff74c577f0ab9154e0f48c3ff5eaa64452b4550
SSDEEP

12288:dNOVvQ08oa2FzG7ABq7bu24yyAZq45GtWobcVnSGtF+ZwKgxvNofc581kScMP00h:nOVAqFq7x7bu2XhYcoAnSQdvNqkS40

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
984	582103.exe

Deletes itself 1 IoCs

pid	Process
1160	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
1160	cmd.exe
1160	cmd.exe
984	582103.exe
984	582103.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\582103 = "\"C:\\Users\\Admin\\AppData\\Local\\582103.exe\" 0 21 "	582103.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8 = "\"C:\\Users\\Admin\\AppData\\Local\\582103.exe\" 0 22 "	b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	582103.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1476	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
984	582103.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
984	582103.exe
984	582103.exe
984	582103.exe
984	582103.exe
984	582103.exe
984	582103.exe
984	582103.exe
984	582103.exe
984	582103.exe
984	582103.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
984	582103.exe
984	582103.exe
984	582103.exe
984	582103.exe
984	582103.exe
984	582103.exe
984	582103.exe
984	582103.exe
984	582103.exe
984	582103.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1160	1424	b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8.exe	26
PID 1424 wrote to memory of 1160	1424	b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8.exe	26
PID 1424 wrote to memory of 1160	1424	b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8.exe	26
PID 1424 wrote to memory of 1160	1424	b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8.exe	26
PID 1160 wrote to memory of 1476	1160	cmd.exe	28
PID 1160 wrote to memory of 1476	1160	cmd.exe	28
PID 1160 wrote to memory of 1476	1160	cmd.exe	28
PID 1160 wrote to memory of 1476	1160	cmd.exe	28
PID 1160 wrote to memory of 984	1160	cmd.exe	29
PID 1160 wrote to memory of 984	1160	cmd.exe	29
PID 1160 wrote to memory of 984	1160	cmd.exe	29
PID 1160 wrote to memory of 984	1160	cmd.exe	29

C:\Users\Admin\AppData\Local\Temp\b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8.exe
"C:\Users\Admin\AppData\Local\Temp\b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7426700848.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8 /f
    3⤵
    - Modifies registry key
    PID:1476
- - C:\Users\Admin\AppData\Local\582103.exe
    C:\Users\Admin\AppData\Local\582103.exe -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\582103.exe

Filesize
856KB

MD5
70468606a8a9d89f3a072356b9a36ff0

SHA1
498c188f02cb551c76aae3b0a9d8854e2d228cbb

SHA256
b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8

SHA512
edec75128fa8359e365f851833dfbecb2797157569e2a1b2a00667d658888e278fd9683e1d0a5a5ecde690502ff74c577f0ab9154e0f48c3ff5eaa64452b4550

Download Submit
C:\Users\Admin\AppData\Local\582103.exe

Filesize
856KB

MD5
70468606a8a9d89f3a072356b9a36ff0

SHA1
498c188f02cb551c76aae3b0a9d8854e2d228cbb

SHA256
b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8

SHA512
edec75128fa8359e365f851833dfbecb2797157569e2a1b2a00667d658888e278fd9683e1d0a5a5ecde690502ff74c577f0ab9154e0f48c3ff5eaa64452b4550

Download Submit
C:\Users\Admin\AppData\Local\Temp\7426700848.bat

Filesize
456B

MD5
8a468f7940efd25be0f2f8906b556596

SHA1
5dff12d3e1711a9549eceaec2a1130e4b5782ce4

SHA256
cf109beba7d47373bd55272a5abbef542e98bc56675c4ee3609f53ed89d71270

SHA512
b5d05d7fac8696d2ffb722bdb19e4e395b238bee4b71ba4dc35ed381bba32ad627a8084d5ef47d8c3b9edcf65949bdcc02e0ae27364953c79ee2196bd1d38d4a

Download Submit
\Users\Admin\AppData\Local\582103.exe

Filesize
856KB

MD5
70468606a8a9d89f3a072356b9a36ff0

SHA1
498c188f02cb551c76aae3b0a9d8854e2d228cbb

SHA256
b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8

SHA512
edec75128fa8359e365f851833dfbecb2797157569e2a1b2a00667d658888e278fd9683e1d0a5a5ecde690502ff74c577f0ab9154e0f48c3ff5eaa64452b4550

Download Submit
\Users\Admin\AppData\Local\582103.exe

Filesize
856KB

MD5
70468606a8a9d89f3a072356b9a36ff0

SHA1
498c188f02cb551c76aae3b0a9d8854e2d228cbb

SHA256
b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8

SHA512
edec75128fa8359e365f851833dfbecb2797157569e2a1b2a00667d658888e278fd9683e1d0a5a5ecde690502ff74c577f0ab9154e0f48c3ff5eaa64452b4550

Download Submit
\Users\Admin\AppData\Local\582103.exe

Filesize
856KB

MD5
70468606a8a9d89f3a072356b9a36ff0

SHA1
498c188f02cb551c76aae3b0a9d8854e2d228cbb

SHA256
b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8

SHA512
edec75128fa8359e365f851833dfbecb2797157569e2a1b2a00667d658888e278fd9683e1d0a5a5ecde690502ff74c577f0ab9154e0f48c3ff5eaa64452b4550

Download Submit
\Users\Admin\AppData\Local\582103.exe

Filesize
856KB

MD5
70468606a8a9d89f3a072356b9a36ff0

SHA1
498c188f02cb551c76aae3b0a9d8854e2d228cbb

SHA256
b0e23b57b00d2d60845c57c8b712b06fc2b04c4c772ed12ae6ff4da55f6edaf8

SHA512
edec75128fa8359e365f851833dfbecb2797157569e2a1b2a00667d658888e278fd9683e1d0a5a5ecde690502ff74c577f0ab9154e0f48c3ff5eaa64452b4550

Download Submit
memory/984-68-0x0000000001000000-0x0000000001439FF4-memory.dmp

Filesize
4.2MB

Download
memory/984-69-0x0000000000350000-0x00000000003B9000-memory.dmp

Filesize
420KB

Download
memory/984-71-0x0000000001000000-0x0000000001439FF4-memory.dmp

Filesize
4.2MB

Download
memory/984-72-0x0000000000350000-0x00000000003B9000-memory.dmp

Filesize
420KB

Download
memory/1424-58-0x0000000001000000-0x0000000001439FF4-memory.dmp

Filesize
4.2MB

Download
memory/1424-56-0x0000000000630000-0x0000000000699000-memory.dmp

Filesize
420KB

Download
memory/1424-55-0x0000000001000000-0x0000000001439FF4-memory.dmp

Filesize
4.2MB

Download
memory/1424-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads