e393f411ac989123b9599930fa7cd9a52d6bd49960850df547be38f085864b8d

General

Target

e393f411ac989123b9599930fa7cd9a52d6bd49960850df547be38f085864b8d.exe
Size

141KB
MD5

a80001a59da4eb525233e32fd3f06193
SHA1

6be1089a3cbc467be9ea3553bd7224b4685dec3f
SHA256

e393f411ac989123b9599930fa7cd9a52d6bd49960850df547be38f085864b8d
SHA512

290f4f017e399cec154f92106e38f550e7310209f0e668d27407a32939d9ae483f0110a207ecac7a05176fe20252ca3fbe351b6d73d5c5449d8a59d0e7a5f5c7
SSDEEP

3072:h/qCqyVxBGAPaDXn6aS7wU388WP1imtD4yVVm/7Y+lFwBZQHS:hyCqMxBGAPaDXn6aFi889mF4yLo7bF4M

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1352	svchost.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
700	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1552	e393f411ac989123b9599930fa7cd9a52d6bd49960850df547be38f085864b8d.exe
1552	e393f411ac989123b9599930fa7cd9a52d6bd49960850df547be38f085864b8d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1352	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1352	1552	e393f411ac989123b9599930fa7cd9a52d6bd49960850df547be38f085864b8d.exe	26
PID 1552 wrote to memory of 1352	1552	e393f411ac989123b9599930fa7cd9a52d6bd49960850df547be38f085864b8d.exe	26
PID 1552 wrote to memory of 1352	1552	e393f411ac989123b9599930fa7cd9a52d6bd49960850df547be38f085864b8d.exe	26
PID 1552 wrote to memory of 1352	1552	e393f411ac989123b9599930fa7cd9a52d6bd49960850df547be38f085864b8d.exe	26
PID 1352 wrote to memory of 700	1352	svchost.exe	27
PID 1352 wrote to memory of 700	1352	svchost.exe	27
PID 1352 wrote to memory of 700	1352	svchost.exe	27
PID 1352 wrote to memory of 700	1352	svchost.exe	27

C:\Users\Admin\AppData\Local\Temp\e393f411ac989123b9599930fa7cd9a52d6bd49960850df547be38f085864b8d.exe
"C:\Users\Admin\AppData\Local\Temp\e393f411ac989123b9599930fa7cd9a52d6bd49960850df547be38f085864b8d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
141KB

MD5
a80001a59da4eb525233e32fd3f06193

SHA1
6be1089a3cbc467be9ea3553bd7224b4685dec3f

SHA256
e393f411ac989123b9599930fa7cd9a52d6bd49960850df547be38f085864b8d

SHA512
290f4f017e399cec154f92106e38f550e7310209f0e668d27407a32939d9ae483f0110a207ecac7a05176fe20252ca3fbe351b6d73d5c5449d8a59d0e7a5f5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
141KB

MD5
a80001a59da4eb525233e32fd3f06193

SHA1
6be1089a3cbc467be9ea3553bd7224b4685dec3f

SHA256
e393f411ac989123b9599930fa7cd9a52d6bd49960850df547be38f085864b8d

SHA512
290f4f017e399cec154f92106e38f550e7310209f0e668d27407a32939d9ae483f0110a207ecac7a05176fe20252ca3fbe351b6d73d5c5449d8a59d0e7a5f5c7

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
141KB

MD5
a80001a59da4eb525233e32fd3f06193

SHA1
6be1089a3cbc467be9ea3553bd7224b4685dec3f

SHA256
e393f411ac989123b9599930fa7cd9a52d6bd49960850df547be38f085864b8d

SHA512
290f4f017e399cec154f92106e38f550e7310209f0e668d27407a32939d9ae483f0110a207ecac7a05176fe20252ca3fbe351b6d73d5c5449d8a59d0e7a5f5c7

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
141KB

MD5
a80001a59da4eb525233e32fd3f06193

SHA1
6be1089a3cbc467be9ea3553bd7224b4685dec3f

SHA256
e393f411ac989123b9599930fa7cd9a52d6bd49960850df547be38f085864b8d

SHA512
290f4f017e399cec154f92106e38f550e7310209f0e668d27407a32939d9ae483f0110a207ecac7a05176fe20252ca3fbe351b6d73d5c5449d8a59d0e7a5f5c7

Download Submit
memory/700-64-0x0000000000000000-mapping.dmp

Download
memory/1352-57-0x0000000000000000-mapping.dmp

Download
memory/1352-62-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1352-63-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1352-66-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1552-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1552-61-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing