b987bf45237e113f794aae75da3cfc5950131e64f28eb4fa8b254c90cb660e81

General

Target

b987bf45237e113f794aae75da3cfc5950131e64f28eb4fa8b254c90cb660e81.exe
Size

427KB
MD5

671e5eed1b9a0b2f6f950f23037473a0
SHA1

1fb7f7001aa848a68cf79f807f53350245400348
SHA256

b987bf45237e113f794aae75da3cfc5950131e64f28eb4fa8b254c90cb660e81
SHA512

722e8da97d456b2efd37ad98f77fc787186b6c7f9b06027679b7840f53ccc880d272d89cf1ee222a0d7ddb65fb7bd884fb6a215fcf9526143d55a0b62c015316
SSDEEP

12288:QEUdvDUvtDjMnIx4RZXW+fac4v0exn6nee:QEuvDqtvMq+falzxnme

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1356	335.exe
628	Trojan.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
908	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe

Loads dropped DLL 2 IoCs

pid	Process
1096	b987bf45237e113f794aae75da3cfc5950131e64f28eb4fa8b254c90cb660e81.exe
1356	335.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
628	Trojan.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	Trojan.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1356	1096	b987bf45237e113f794aae75da3cfc5950131e64f28eb4fa8b254c90cb660e81.exe	29
PID 1096 wrote to memory of 1356	1096	b987bf45237e113f794aae75da3cfc5950131e64f28eb4fa8b254c90cb660e81.exe	29
PID 1096 wrote to memory of 1356	1096	b987bf45237e113f794aae75da3cfc5950131e64f28eb4fa8b254c90cb660e81.exe	29
PID 1096 wrote to memory of 1356	1096	b987bf45237e113f794aae75da3cfc5950131e64f28eb4fa8b254c90cb660e81.exe	29
PID 1356 wrote to memory of 628	1356	335.exe	30
PID 1356 wrote to memory of 628	1356	335.exe	30
PID 1356 wrote to memory of 628	1356	335.exe	30
PID 1356 wrote to memory of 628	1356	335.exe	30
PID 628 wrote to memory of 908	628	Trojan.exe	31
PID 628 wrote to memory of 908	628	Trojan.exe	31
PID 628 wrote to memory of 908	628	Trojan.exe	31
PID 628 wrote to memory of 908	628	Trojan.exe	31

C:\Users\Admin\AppData\Local\Temp\b987bf45237e113f794aae75da3cfc5950131e64f28eb4fa8b254c90cb660e81.exe
"C:\Users\Admin\AppData\Local\Temp\b987bf45237e113f794aae75da3cfc5950131e64f28eb4fa8b254c90cb660e81.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\335.exe
  C:\Users\Admin\AppData\Local\Temp\335.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\335.exe

Filesize
137KB

MD5
783c80e57ebb7c6449d8340d34c6defa

SHA1
944af955a0d540e4dac8c03c40470b1d66103129

SHA256
528ab9931279550c1da15cbdd9fc51503ac13be0c1eb501c343ba0c6be4f2bb8

SHA512
1891a457385bd14674466aa9e539693172dd237fcb70e163275aa7fcdab3730a3b50e25eaa9322bb6758d7ce1dd6ce6cfc3686a8101da6b33c533f70a2e53acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\335.exe

Filesize
137KB

MD5
783c80e57ebb7c6449d8340d34c6defa

SHA1
944af955a0d540e4dac8c03c40470b1d66103129

SHA256
528ab9931279550c1da15cbdd9fc51503ac13be0c1eb501c343ba0c6be4f2bb8

SHA512
1891a457385bd14674466aa9e539693172dd237fcb70e163275aa7fcdab3730a3b50e25eaa9322bb6758d7ce1dd6ce6cfc3686a8101da6b33c533f70a2e53acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
137KB

MD5
783c80e57ebb7c6449d8340d34c6defa

SHA1
944af955a0d540e4dac8c03c40470b1d66103129

SHA256
528ab9931279550c1da15cbdd9fc51503ac13be0c1eb501c343ba0c6be4f2bb8

SHA512
1891a457385bd14674466aa9e539693172dd237fcb70e163275aa7fcdab3730a3b50e25eaa9322bb6758d7ce1dd6ce6cfc3686a8101da6b33c533f70a2e53acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
137KB

MD5
783c80e57ebb7c6449d8340d34c6defa

SHA1
944af955a0d540e4dac8c03c40470b1d66103129

SHA256
528ab9931279550c1da15cbdd9fc51503ac13be0c1eb501c343ba0c6be4f2bb8

SHA512
1891a457385bd14674466aa9e539693172dd237fcb70e163275aa7fcdab3730a3b50e25eaa9322bb6758d7ce1dd6ce6cfc3686a8101da6b33c533f70a2e53acb

Download Submit
\Users\Admin\AppData\Local\Temp\335.exe

Filesize
137KB

MD5
783c80e57ebb7c6449d8340d34c6defa

SHA1
944af955a0d540e4dac8c03c40470b1d66103129

SHA256
528ab9931279550c1da15cbdd9fc51503ac13be0c1eb501c343ba0c6be4f2bb8

SHA512
1891a457385bd14674466aa9e539693172dd237fcb70e163275aa7fcdab3730a3b50e25eaa9322bb6758d7ce1dd6ce6cfc3686a8101da6b33c533f70a2e53acb

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
137KB

MD5
783c80e57ebb7c6449d8340d34c6defa

SHA1
944af955a0d540e4dac8c03c40470b1d66103129

SHA256
528ab9931279550c1da15cbdd9fc51503ac13be0c1eb501c343ba0c6be4f2bb8

SHA512
1891a457385bd14674466aa9e539693172dd237fcb70e163275aa7fcdab3730a3b50e25eaa9322bb6758d7ce1dd6ce6cfc3686a8101da6b33c533f70a2e53acb

Download Submit
memory/628-68-0x00000000714F0000-0x0000000071A9B000-memory.dmp

Filesize
5.7MB

Download
memory/628-69-0x00000000714F0000-0x0000000071A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1096-54-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1356-59-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1356-66-0x00000000714F0000-0x0000000071A9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing