ce7f4ce77cbd36f17bc47ad0bd07c24d7ed08077b7cb8c57d64ea90869f19372

General

Target

ce7f4ce77cbd36f17bc47ad0bd07c24d7ed08077b7cb8c57d64ea90869f19372.exe
Size

598KB
MD5

4655a26bf1525ddd8c4ea566dd7d7a44
SHA1

3a0d36fcd6e79990131b9d6768bd7c65df95a62a
SHA256

ce7f4ce77cbd36f17bc47ad0bd07c24d7ed08077b7cb8c57d64ea90869f19372
SHA512

9419391adee3003c484fe5ea0093e2d81dc71eb8df9fbaa2b864bf6f70cc58bf7c7cc743311c33693d409a0c8d1080161144cb974635d1ebb518c7198e32bc3c
SSDEEP

6144:xrC7fhgeul2NGRZobaR8ie/FDuaQHqn9h7qduEIwqllG7sOC12C+g0PRToNvId32:tXbohVuA9wwXOnY0Z9N2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1124	Loader.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	Loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\emusic[1]_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\emusic[1]_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\emusic[1]_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.emusic[1]	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\emusic[1]_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\emusic[1]_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.emusic[1]\ = "emusic[1]_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\emusic[1]_auto_file\shell	rundll32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1124	Loader.exe
1596	AcroRd32.exe
1596	AcroRd32.exe
1596	AcroRd32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 704	1248	ce7f4ce77cbd36f17bc47ad0bd07c24d7ed08077b7cb8c57d64ea90869f19372.exe	26
PID 1248 wrote to memory of 704	1248	ce7f4ce77cbd36f17bc47ad0bd07c24d7ed08077b7cb8c57d64ea90869f19372.exe	26
PID 1248 wrote to memory of 704	1248	ce7f4ce77cbd36f17bc47ad0bd07c24d7ed08077b7cb8c57d64ea90869f19372.exe	26
PID 1248 wrote to memory of 1124	1248	ce7f4ce77cbd36f17bc47ad0bd07c24d7ed08077b7cb8c57d64ea90869f19372.exe	27
PID 1248 wrote to memory of 1124	1248	ce7f4ce77cbd36f17bc47ad0bd07c24d7ed08077b7cb8c57d64ea90869f19372.exe	27
PID 1248 wrote to memory of 1124	1248	ce7f4ce77cbd36f17bc47ad0bd07c24d7ed08077b7cb8c57d64ea90869f19372.exe	27
PID 1248 wrote to memory of 1124	1248	ce7f4ce77cbd36f17bc47ad0bd07c24d7ed08077b7cb8c57d64ea90869f19372.exe	27
PID 704 wrote to memory of 1596	704	rundll32.exe	28
PID 704 wrote to memory of 1596	704	rundll32.exe	28
PID 704 wrote to memory of 1596	704	rundll32.exe	28
PID 704 wrote to memory of 1596	704	rundll32.exe	28

C:\Users\Admin\AppData\Local\Temp\ce7f4ce77cbd36f17bc47ad0bd07c24d7ed08077b7cb8c57d64ea90869f19372.exe
"C:\Users\Admin\AppData\Local\Temp\ce7f4ce77cbd36f17bc47ad0bd07c24d7ed08077b7cb8c57d64ea90869f19372.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\www.emusic[1]
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\www.emusic[1]"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1596
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
328KB

MD5
5bdbf23ce7b704af617cb2cfe1325426

SHA1
b15fa7e2cea98a3543fb5f9c4b64fc9aae92e1b4

SHA256
4ff80810f0d20d82d2a1c81055751705cab5a0ec8829a968574d8dd6f8f52e35

SHA512
0abc203a52894774f46dfd47cb6e9894864ddd3f9d1d481711d75a4a3ee31764a43e44747e47662b6b2fdb2b70d86daa44ee1080498b6be75cff6fd558e503ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
328KB

MD5
5bdbf23ce7b704af617cb2cfe1325426

SHA1
b15fa7e2cea98a3543fb5f9c4b64fc9aae92e1b4

SHA256
4ff80810f0d20d82d2a1c81055751705cab5a0ec8829a968574d8dd6f8f52e35

SHA512
0abc203a52894774f46dfd47cb6e9894864ddd3f9d1d481711d75a4a3ee31764a43e44747e47662b6b2fdb2b70d86daa44ee1080498b6be75cff6fd558e503ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\www.emusic[1]

Filesize
8KB

MD5
448962ee5300f841cdf1eaa2fd64ee03

SHA1
0abc701b211caf130e500fc378a36f604ea4817f

SHA256
e45e2ca6e66338e89da3818af0c4e9d6f1b95afb0330a84a734ebb02f6437307

SHA512
d6a8aeb58c0e481269825087a387b6c16413626846c5cacd1dc275ab603160757c7ea11dcf34068ec1ff044d57123369dba34b918e908273aad1857e04c9704d

Download Submit
memory/1248-54-0x000007FEF3940000-0x000007FEF4363000-memory.dmp

Filesize
10.1MB

Download
memory/1248-55-0x000007FEF28A0000-0x000007FEF3936000-memory.dmp

Filesize
16.6MB

Download
memory/1248-57-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp

Filesize
8KB

Download
memory/1248-56-0x0000000000B76000-0x0000000000B95000-memory.dmp

Filesize
124KB

Download
memory/1248-62-0x0000000000B76000-0x0000000000B95000-memory.dmp

Filesize
124KB

Download
memory/1596-65-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing