d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053

General

Target

d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe
Size

118KB
MD5

46e640cea40217f1b8cd582184c798b3
SHA1

728bb6be9a60b3d773ee1ac01e68c3454d386c68
SHA256

d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053
SHA512

b5d23f6c6b266eec425e749efcfedaaa544397ede2ba32d0bcc1691eb30efcd684fe476167150b22524d5c9a16feaf7a15107667155024e03eddc6b273121e9c
SSDEEP

1536:BiwR7wjJltueHk5Z6BnZIpDkYeL0tALm/3C2hktkJxUe+9/nwodoYUoyJKrFVfo:39eJlMv5UypnGyALN+xU9ntnUoyefo

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\showsuperhidden = "0"	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\showsuperhidden = "0"	msnmsgr.exe

Executes dropped EXE 2 IoCs

pid	Process
1784	msnmsgr.exe
976	msnmsgr.exe

Loads dropped DLL 4 IoCs

pid	Process
1720	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe
1720	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe
1720	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe
1720	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Flash Accelerator = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\System Root Certificates\\msnmsgr.exe"	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Flash Accelerator = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\System Root Certificates\\msnmsgr.exe"	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Flash Accelerator = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\System Root Certificates\\msnmsgr.exe"	msnmsgr.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	msnmsgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Flash Accelerator = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\System Root Certificates\\msnmsgr.exe"	msnmsgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 1720	1672	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe	27
PID 1784 set thread context of 976	1784	msnmsgr.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	msnmsgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1720	1672	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe	27
PID 1672 wrote to memory of 1720	1672	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe	27
PID 1672 wrote to memory of 1720	1672	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe	27
PID 1672 wrote to memory of 1720	1672	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe	27
PID 1672 wrote to memory of 1720	1672	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe	27
PID 1672 wrote to memory of 1720	1672	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe	27
PID 1672 wrote to memory of 1720	1672	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe	27
PID 1672 wrote to memory of 1720	1672	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe	27
PID 1672 wrote to memory of 1720	1672	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe	27
PID 1720 wrote to memory of 1784	1720	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe	28
PID 1720 wrote to memory of 1784	1720	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe	28
PID 1720 wrote to memory of 1784	1720	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe	28
PID 1720 wrote to memory of 1784	1720	d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe	28
PID 1784 wrote to memory of 976	1784	msnmsgr.exe	29
PID 1784 wrote to memory of 976	1784	msnmsgr.exe	29
PID 1784 wrote to memory of 976	1784	msnmsgr.exe	29
PID 1784 wrote to memory of 976	1784	msnmsgr.exe	29
PID 1784 wrote to memory of 976	1784	msnmsgr.exe	29
PID 1784 wrote to memory of 976	1784	msnmsgr.exe	29
PID 1784 wrote to memory of 976	1784	msnmsgr.exe	29
PID 1784 wrote to memory of 976	1784	msnmsgr.exe	29
PID 1784 wrote to memory of 976	1784	msnmsgr.exe	29

C:\Users\Admin\AppData\Local\Temp\d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe
"C:\Users\Admin\AppData\Local\Temp\d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe
  C:\Users\Admin\AppData\Local\Temp\d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Roaming\Microsoft\System Root Certificates\msnmsgr.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\System Root Certificates\msnmsgr.exe" ybu
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Users\Admin\AppData\Roaming\Microsoft\System Root Certificates\msnmsgr.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\System Root Certificates\msnmsgr.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\System Root Certificates\msnmsgr.exe

Filesize
118KB

MD5
46e640cea40217f1b8cd582184c798b3

SHA1
728bb6be9a60b3d773ee1ac01e68c3454d386c68

SHA256
d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053

SHA512
b5d23f6c6b266eec425e749efcfedaaa544397ede2ba32d0bcc1691eb30efcd684fe476167150b22524d5c9a16feaf7a15107667155024e03eddc6b273121e9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\System Root Certificates\msnmsgr.exe

Filesize
118KB

MD5
46e640cea40217f1b8cd582184c798b3

SHA1
728bb6be9a60b3d773ee1ac01e68c3454d386c68

SHA256
d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053

SHA512
b5d23f6c6b266eec425e749efcfedaaa544397ede2ba32d0bcc1691eb30efcd684fe476167150b22524d5c9a16feaf7a15107667155024e03eddc6b273121e9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\System Root Certificates\msnmsgr.exe

Filesize
118KB

MD5
46e640cea40217f1b8cd582184c798b3

SHA1
728bb6be9a60b3d773ee1ac01e68c3454d386c68

SHA256
d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053

SHA512
b5d23f6c6b266eec425e749efcfedaaa544397ede2ba32d0bcc1691eb30efcd684fe476167150b22524d5c9a16feaf7a15107667155024e03eddc6b273121e9c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\System Root Certificates\msnmsgr.exe

Filesize
118KB

MD5
46e640cea40217f1b8cd582184c798b3

SHA1
728bb6be9a60b3d773ee1ac01e68c3454d386c68

SHA256
d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053

SHA512
b5d23f6c6b266eec425e749efcfedaaa544397ede2ba32d0bcc1691eb30efcd684fe476167150b22524d5c9a16feaf7a15107667155024e03eddc6b273121e9c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\System Root Certificates\msnmsgr.exe

Filesize
118KB

MD5
46e640cea40217f1b8cd582184c798b3

SHA1
728bb6be9a60b3d773ee1ac01e68c3454d386c68

SHA256
d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053

SHA512
b5d23f6c6b266eec425e749efcfedaaa544397ede2ba32d0bcc1691eb30efcd684fe476167150b22524d5c9a16feaf7a15107667155024e03eddc6b273121e9c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\System Root Certificates\msnmsgr.exe

Filesize
118KB

MD5
46e640cea40217f1b8cd582184c798b3

SHA1
728bb6be9a60b3d773ee1ac01e68c3454d386c68

SHA256
d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053

SHA512
b5d23f6c6b266eec425e749efcfedaaa544397ede2ba32d0bcc1691eb30efcd684fe476167150b22524d5c9a16feaf7a15107667155024e03eddc6b273121e9c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\System Root Certificates\msnmsgr.exe

Filesize
118KB

MD5
46e640cea40217f1b8cd582184c798b3

SHA1
728bb6be9a60b3d773ee1ac01e68c3454d386c68

SHA256
d13a21f28f5008e2ff4ff40776b7e2a10196b6986c28c4ed1bea1a047987e053

SHA512
b5d23f6c6b266eec425e749efcfedaaa544397ede2ba32d0bcc1691eb30efcd684fe476167150b22524d5c9a16feaf7a15107667155024e03eddc6b273121e9c

Download Submit
memory/976-87-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/976-82-0x000000000040B09C-mapping.dmp

Download
memory/1720-61-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1720-66-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1720-65-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1720-64-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1720-62-0x000000000040B09C-mapping.dmp

Download
memory/1720-54-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1720-59-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1720-57-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1720-55-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1784-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads