f66ed974b9ed7b355b446a5a17650753eff55e0eacdb2ec7b7966738530fd7d7

General

Target

f66ed974b9ed7b355b446a5a17650753eff55e0eacdb2ec7b7966738530fd7d7.exe
Size

857KB
MD5

6d6104c22c2630bb1798407546caed50
SHA1

a510aeddc991e4d904c30097fe493177c408bb9a
SHA256

f66ed974b9ed7b355b446a5a17650753eff55e0eacdb2ec7b7966738530fd7d7
SHA512

da2ca886c8aca0e473f4b533f17dfa41bed6c053745f4873757c0491638c75bdc982666a1095a774bbf98bd6e0deb00e4493dbd4fc90f5d2538fb322623e6e1b
SSDEEP

24576:i82jORkcZ4RS3BKYjf61goQtdDu9n10BWs5W/yRplEe2rzaGg:32XIrwg1/C1wWsI/yzlEe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1144	indefender.exe

Loads dropped DLL 2 IoCs

pid	Process
1588	f66ed974b9ed7b355b446a5a17650753eff55e0eacdb2ec7b7966738530fd7d7.exe
1588	f66ed974b9ed7b355b446a5a17650753eff55e0eacdb2ec7b7966738530fd7d7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	indefender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security = "C:\\ProgramData\\indefender.exe"	indefender.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	indefender.exe
File opened (read-only)	\??\J:	indefender.exe
File opened (read-only)	\??\O:	indefender.exe
File opened (read-only)	\??\Q:	indefender.exe
File opened (read-only)	\??\S:	indefender.exe
File opened (read-only)	\??\Y:	indefender.exe
File opened (read-only)	\??\E:	indefender.exe
File opened (read-only)	\??\H:	indefender.exe
File opened (read-only)	\??\U:	indefender.exe
File opened (read-only)	\??\V:	indefender.exe
File opened (read-only)	\??\W:	indefender.exe
File opened (read-only)	\??\X:	indefender.exe
File opened (read-only)	\??\Z:	indefender.exe
File opened (read-only)	\??\F:	indefender.exe
File opened (read-only)	\??\L:	indefender.exe
File opened (read-only)	\??\M:	indefender.exe
File opened (read-only)	\??\N:	indefender.exe
File opened (read-only)	\??\R:	indefender.exe
File opened (read-only)	\??\T:	indefender.exe
File opened (read-only)	\??\G:	indefender.exe
File opened (read-only)	\??\K:	indefender.exe
File opened (read-only)	\??\P:	indefender.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	indefender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1588	f66ed974b9ed7b355b446a5a17650753eff55e0eacdb2ec7b7966738530fd7d7.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe
1144	indefender.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1144	indefender.exe
1144	indefender.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 1144	1588	f66ed974b9ed7b355b446a5a17650753eff55e0eacdb2ec7b7966738530fd7d7.exe	27
PID 1588 wrote to memory of 1144	1588	f66ed974b9ed7b355b446a5a17650753eff55e0eacdb2ec7b7966738530fd7d7.exe	27
PID 1588 wrote to memory of 1144	1588	f66ed974b9ed7b355b446a5a17650753eff55e0eacdb2ec7b7966738530fd7d7.exe	27
PID 1588 wrote to memory of 1144	1588	f66ed974b9ed7b355b446a5a17650753eff55e0eacdb2ec7b7966738530fd7d7.exe	27

C:\Users\Admin\AppData\Local\Temp\f66ed974b9ed7b355b446a5a17650753eff55e0eacdb2ec7b7966738530fd7d7.exe
"C:\Users\Admin\AppData\Local\Temp\f66ed974b9ed7b355b446a5a17650753eff55e0eacdb2ec7b7966738530fd7d7.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1588
- C:\ProgramData\indefender.exe
  C:\ProgramData\indefender.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\indefender.exe

Filesize
831KB

MD5
e895adfc9f4326d916039fbe55ff5cdf

SHA1
10cd2ca6b5df4937dcc4f403dc1bc3dfff85aea6

SHA256
d0781c9b7d269e7ff5ef2434ab55296375bc7d77416ea04b42294d32e31a3923

SHA512
4af1f52998d06e9e0e0438349e80a5b25ba20261e228fa900f70c2e6a84909b700a52c1279439110ff624dc29f6ff19dcbbc7c90aa6563b3fad9bc88c4f338fd

Download Submit
\ProgramData\indefender.exe

Filesize
831KB

MD5
e895adfc9f4326d916039fbe55ff5cdf

SHA1
10cd2ca6b5df4937dcc4f403dc1bc3dfff85aea6

SHA256
d0781c9b7d269e7ff5ef2434ab55296375bc7d77416ea04b42294d32e31a3923

SHA512
4af1f52998d06e9e0e0438349e80a5b25ba20261e228fa900f70c2e6a84909b700a52c1279439110ff624dc29f6ff19dcbbc7c90aa6563b3fad9bc88c4f338fd

Download Submit
\ProgramData\indefender.exe

Filesize
831KB

MD5
e895adfc9f4326d916039fbe55ff5cdf

SHA1
10cd2ca6b5df4937dcc4f403dc1bc3dfff85aea6

SHA256
d0781c9b7d269e7ff5ef2434ab55296375bc7d77416ea04b42294d32e31a3923

SHA512
4af1f52998d06e9e0e0438349e80a5b25ba20261e228fa900f70c2e6a84909b700a52c1279439110ff624dc29f6ff19dcbbc7c90aa6563b3fad9bc88c4f338fd

Download Submit
memory/1144-62-0x0000000000400000-0x0000000000A0F000-memory.dmp

Filesize
6.1MB

Download
memory/1144-64-0x0000000000400000-0x0000000000A0F000-memory.dmp

Filesize
6.1MB

Download
memory/1144-65-0x0000000000400000-0x0000000000A0F000-memory.dmp

Filesize
6.1MB

Download
memory/1588-54-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/1588-55-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1588-56-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download

Analysis

Sharing