1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62

General

Target

1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62.exe
Size

124KB
MD5

09a0ce158e62b384788c93cd8d43ac79
SHA1

5b4f0030ade06db01043eeb3cabf240d2aabc71d
SHA256

1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62
SHA512

44efdb0c2f8cca0c2c9cd12882f7d23ebd8192a94a5acf0905381884c872716100d44d48623a86f89edc3f10a075ade07d1205471ad1d06375b1fec768d7570a
SSDEEP

3072:cEnzDuye7G008/yObs7jbGDIuNoS5PPF7DSpOO:L3NuyObIas6oAP9LO

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
1316	smss.exe

Loads dropped DLL 1 IoCs

pid	Process
1348	1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Session Manager = "C:\\ProgramData\\msconfig\\session.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Session Manager = "C:\\ProgramData\\msconfig\\session.exe"	smss.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	smss.exe
File opened for modification	C:\autorun.inf	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1780	reg.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1316	1348	1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62.exe	27
PID 1348 wrote to memory of 1316	1348	1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62.exe	27
PID 1348 wrote to memory of 1316	1348	1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62.exe	27
PID 1348 wrote to memory of 1316	1348	1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62.exe	27
PID 1316 wrote to memory of 1480	1316	smss.exe	29
PID 1316 wrote to memory of 1480	1316	smss.exe	29
PID 1316 wrote to memory of 1480	1316	smss.exe	29
PID 1316 wrote to memory of 1480	1316	smss.exe	29
PID 1480 wrote to memory of 1780	1480	cmd.exe	31
PID 1480 wrote to memory of 1780	1480	cmd.exe	31
PID 1480 wrote to memory of 1780	1480	cmd.exe	31
PID 1480 wrote to memory of 1780	1480	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62.exe
"C:\Users\Admin\AppData\Local\Temp\1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348
- C:\ProgramData\msconfig\smss.exe
  "C:\ProgramData\msconfig\smss.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\msconfig\smss.exe

Filesize
124KB

MD5
09a0ce158e62b384788c93cd8d43ac79

SHA1
5b4f0030ade06db01043eeb3cabf240d2aabc71d

SHA256
1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62

SHA512
44efdb0c2f8cca0c2c9cd12882f7d23ebd8192a94a5acf0905381884c872716100d44d48623a86f89edc3f10a075ade07d1205471ad1d06375b1fec768d7570a

Download Submit
C:\ProgramData\msconfig\smss.exe

Filesize
124KB

MD5
09a0ce158e62b384788c93cd8d43ac79

SHA1
5b4f0030ade06db01043eeb3cabf240d2aabc71d

SHA256
1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62

SHA512
44efdb0c2f8cca0c2c9cd12882f7d23ebd8192a94a5acf0905381884c872716100d44d48623a86f89edc3f10a075ade07d1205471ad1d06375b1fec768d7570a

Download Submit
\ProgramData\msconfig\smss.exe

Filesize
124KB

MD5
09a0ce158e62b384788c93cd8d43ac79

SHA1
5b4f0030ade06db01043eeb3cabf240d2aabc71d

SHA256
1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62

SHA512
44efdb0c2f8cca0c2c9cd12882f7d23ebd8192a94a5acf0905381884c872716100d44d48623a86f89edc3f10a075ade07d1205471ad1d06375b1fec768d7570a

Download Submit
memory/1316-61-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1316-62-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1348-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1348-60-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads