ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630

General

Target

ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe
Size

863KB
MD5

2aefe26eba53a75ca3b663545549f020
SHA1

9be4c98aaaf9669138a98fbd1008c82d35dbefb9
SHA256

ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630
SHA512

e6c82853bf943325ba49e767058750c5e5164ea38623d917f2fa46853df3425df3dc2dd96fb225349b87203855491361f5611c533f316117244900cd3fa85bd1
SSDEEP

12288:ti7TnKAB6uTsseXay+oD02kJvIqYXQ/byNZj6CGtp4juSl0I1whVIMHclz0/3Cgb:4xo2eKIFUIlXQ/sZ+alN1qd8B0/31

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1860	indefender.exe

Loads dropped DLL 2 IoCs

pid	Process
852	ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe
852	ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	indefender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security = "C:\\ProgramData\\indefender.exe"	indefender.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	indefender.exe
File opened (read-only)	\??\R:	indefender.exe
File opened (read-only)	\??\S:	indefender.exe
File opened (read-only)	\??\I:	indefender.exe
File opened (read-only)	\??\M:	indefender.exe
File opened (read-only)	\??\Y:	indefender.exe
File opened (read-only)	\??\Q:	indefender.exe
File opened (read-only)	\??\W:	indefender.exe
File opened (read-only)	\??\K:	indefender.exe
File opened (read-only)	\??\P:	indefender.exe
File opened (read-only)	\??\T:	indefender.exe
File opened (read-only)	\??\U:	indefender.exe
File opened (read-only)	\??\V:	indefender.exe
File opened (read-only)	\??\G:	indefender.exe
File opened (read-only)	\??\J:	indefender.exe
File opened (read-only)	\??\H:	indefender.exe
File opened (read-only)	\??\L:	indefender.exe
File opened (read-only)	\??\O:	indefender.exe
File opened (read-only)	\??\X:	indefender.exe
File opened (read-only)	\??\Z:	indefender.exe
File opened (read-only)	\??\E:	indefender.exe
File opened (read-only)	\??\F:	indefender.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	indefender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
852	ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
852	ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe
1860	indefender.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1860	indefender.exe
1860	indefender.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1860	852	ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe	27
PID 852 wrote to memory of 1860	852	ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe	27
PID 852 wrote to memory of 1860	852	ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe	27
PID 852 wrote to memory of 1860	852	ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe	27

C:\Users\Admin\AppData\Local\Temp\ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe
"C:\Users\Admin\AppData\Local\Temp\ff8bbb7ac6f668befbb9b91ef9e3b5b792a1459436423a12996771df2982b630.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:852
- C:\ProgramData\indefender.exe
  C:\ProgramData\indefender.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\indefender.exe

Filesize
836KB

MD5
06da0c5c19a0b3f33321abec211b642a

SHA1
1d3bfecbd67d35a47b4f56d264bd481ff8f7f3e9

SHA256
b93712a07bf740e87d869772097d673b122d648df6cc123855206df39c3662f1

SHA512
dd55dd124ae483f3bf64fc4eca5d13f17330c5d4002188613ea4c6db4327c9d779cc4f1259ff048494d4f53d0030dd7cfdcd268f515b9addd6b5c8e1e5fa8071

Download Submit
\ProgramData\indefender.exe

Filesize
836KB

MD5
06da0c5c19a0b3f33321abec211b642a

SHA1
1d3bfecbd67d35a47b4f56d264bd481ff8f7f3e9

SHA256
b93712a07bf740e87d869772097d673b122d648df6cc123855206df39c3662f1

SHA512
dd55dd124ae483f3bf64fc4eca5d13f17330c5d4002188613ea4c6db4327c9d779cc4f1259ff048494d4f53d0030dd7cfdcd268f515b9addd6b5c8e1e5fa8071

Download Submit
\ProgramData\indefender.exe

Filesize
836KB

MD5
06da0c5c19a0b3f33321abec211b642a

SHA1
1d3bfecbd67d35a47b4f56d264bd481ff8f7f3e9

SHA256
b93712a07bf740e87d869772097d673b122d648df6cc123855206df39c3662f1

SHA512
dd55dd124ae483f3bf64fc4eca5d13f17330c5d4002188613ea4c6db4327c9d779cc4f1259ff048494d4f53d0030dd7cfdcd268f515b9addd6b5c8e1e5fa8071

Download Submit
memory/852-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/852-55-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/852-63-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1860-61-0x0000000000400000-0x0000000000A1C000-memory.dmp

Filesize
6.1MB

Download
memory/1860-64-0x0000000000400000-0x0000000000A1C000-memory.dmp

Filesize
6.1MB

Download
memory/1860-65-0x0000000000400000-0x0000000000A1C000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing