c6fa0ae06b486d2b6c09f7de6d18902276dcc7de5fb481a1d1a93f710370bd88

General

Target

c6fa0ae06b486d2b6c09f7de6d18902276dcc7de5fb481a1d1a93f710370bd88.exe
Size

158KB
MD5

307377df5de60955137d5bb130fe00f0
SHA1

355cb6156cb5a26b65b5fcbc2bbe6d811f07810e
SHA256

c6fa0ae06b486d2b6c09f7de6d18902276dcc7de5fb481a1d1a93f710370bd88
SHA512

6b74fcfef07ba1c54c7a95b09b180185466bf4c3c19116dc297fb45e961beb9507d5899733fd915a4af6f4b97e21c2c2dc0c499e04b8069f99e1958077956135
SSDEEP

3072:+nj91tfUQINndIc0J+oWRPI5GeV+2IS8SFOL6Q4Kt/9X+5th:+jrei9WOg1SHbu/B+5th

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1496	.Download-Server.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E38F4.exe.exe	.Download-Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E38F4.exe.exe	.Download-Server.exe

Loads dropped DLL 2 IoCs

pid	Process
1468	c6fa0ae06b486d2b6c09f7de6d18902276dcc7de5fb481a1d1a93f710370bd88.exe
1468	c6fa0ae06b486d2b6c09f7de6d18902276dcc7de5fb481a1d1a93f710370bd88.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c6fa0ae06b486d2b6c09f7de6d18902276dcc7de5fb481a1d1a93f710370bd88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c6fa0ae06b486d2b6c09f7de6d18902276dcc7de5fb481a1d1a93f710370bd88.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1496	.Download-Server.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1496	1468	c6fa0ae06b486d2b6c09f7de6d18902276dcc7de5fb481a1d1a93f710370bd88.exe	27
PID 1468 wrote to memory of 1496	1468	c6fa0ae06b486d2b6c09f7de6d18902276dcc7de5fb481a1d1a93f710370bd88.exe	27
PID 1468 wrote to memory of 1496	1468	c6fa0ae06b486d2b6c09f7de6d18902276dcc7de5fb481a1d1a93f710370bd88.exe	27
PID 1468 wrote to memory of 1496	1468	c6fa0ae06b486d2b6c09f7de6d18902276dcc7de5fb481a1d1a93f710370bd88.exe	27
PID 1496 wrote to memory of 1160	1496	.Download-Server.exe	28
PID 1496 wrote to memory of 1160	1496	.Download-Server.exe	28
PID 1496 wrote to memory of 1160	1496	.Download-Server.exe	28
PID 1496 wrote to memory of 1160	1496	.Download-Server.exe	28
PID 1160 wrote to memory of 584	1160	net.exe	30
PID 1160 wrote to memory of 584	1160	net.exe	30
PID 1160 wrote to memory of 584	1160	net.exe	30
PID 1160 wrote to memory of 584	1160	net.exe	30

C:\Users\Admin\AppData\Local\Temp\c6fa0ae06b486d2b6c09f7de6d18902276dcc7de5fb481a1d1a93f710370bd88.exe
"C:\Users\Admin\AppData\Local\Temp\c6fa0ae06b486d2b6c09f7de6d18902276dcc7de5fb481a1d1a93f710370bd88.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.Download-Server.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.Download-Server.exe
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.Download-Server.exe

Filesize
76KB

MD5
ca8c0aca646aae4a7029ae898efc346d

SHA1
785ca48171fd02481769f46d504897f025f42d41

SHA256
67ba1b63d2ccd57013b42cccc4bcfd4537c9cab98a128f1a1e365c86645a67c6

SHA512
7fbb337e5cb97a05217ac679523d926f213007d053d9823fa980b46ef091557be74c933034ff5ea3efb301915d00d6dfe60f8a7d39c54cdc6946ca0abac1223a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.Download-Server.exe

Filesize
76KB

MD5
ca8c0aca646aae4a7029ae898efc346d

SHA1
785ca48171fd02481769f46d504897f025f42d41

SHA256
67ba1b63d2ccd57013b42cccc4bcfd4537c9cab98a128f1a1e365c86645a67c6

SHA512
7fbb337e5cb97a05217ac679523d926f213007d053d9823fa980b46ef091557be74c933034ff5ea3efb301915d00d6dfe60f8a7d39c54cdc6946ca0abac1223a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\.Download-Server.exe

Filesize
76KB

MD5
ca8c0aca646aae4a7029ae898efc346d

SHA1
785ca48171fd02481769f46d504897f025f42d41

SHA256
67ba1b63d2ccd57013b42cccc4bcfd4537c9cab98a128f1a1e365c86645a67c6

SHA512
7fbb337e5cb97a05217ac679523d926f213007d053d9823fa980b46ef091557be74c933034ff5ea3efb301915d00d6dfe60f8a7d39c54cdc6946ca0abac1223a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\.Download-Server.exe

Filesize
76KB

MD5
ca8c0aca646aae4a7029ae898efc346d

SHA1
785ca48171fd02481769f46d504897f025f42d41

SHA256
67ba1b63d2ccd57013b42cccc4bcfd4537c9cab98a128f1a1e365c86645a67c6

SHA512
7fbb337e5cb97a05217ac679523d926f213007d053d9823fa980b46ef091557be74c933034ff5ea3efb301915d00d6dfe60f8a7d39c54cdc6946ca0abac1223a

Download Submit
memory/1496-62-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing