1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7

General

Target

1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe
Size

841KB
MD5

445ae5da5b5ee37e7b5a636be7b5e150
SHA1

e8ed7e37ddd343e31324070db6d7296daf57d912
SHA256

1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7
SHA512

5292191698bf70d146331679697159f3aed36a53d2de4ea0fdd4c3fa3f0e2f09ed076e69306fe94187268fc492008fb041d9548370c4bd88a27846e9e7ad261d
SSDEEP

12288:lnqXRRt2NZ3YVS6B7sIs6bhlNo9moemYLlI+EzZSaG3AZd8+5a1xDx:lnQt2NZ+SSds6Pq9mmgzEzZ6Kf2Zx

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2024	cleansweep.exe
724	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
832	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe
832	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe
2024	cleansweep.exe
2024	cleansweep.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\svchost.exe"	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
832	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
832	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	724	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
832	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 2024	832	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe	28
PID 832 wrote to memory of 2024	832	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe	28
PID 832 wrote to memory of 2024	832	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe	28
PID 832 wrote to memory of 2024	832	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe	28
PID 2024 wrote to memory of 724	2024	cleansweep.exe	29
PID 2024 wrote to memory of 724	2024	cleansweep.exe	29
PID 2024 wrote to memory of 724	2024	cleansweep.exe	29
PID 2024 wrote to memory of 724	2024	cleansweep.exe	29

C:\Users\Admin\AppData\Local\Temp\1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe
"C:\Users\Admin\AppData\Local\Temp\1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832
- C:\Users\Admin\AppData\Local\Temp\cleansweep.exe
  "C:\Users\Admin\AppData\Local\Temp\cleansweep.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Microsoft\svchost.exe
    "C:\Users\Admin\AppData\Local\Microsoft\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\svchost.exe

Filesize
128KB

MD5
a9ef67e0bc0290401b554137b83d15d4

SHA1
ed6662d88dc4fcc85ab5bacce1a400766a7267f7

SHA256
63a79a49675c67de6a15ca67872a3c0aeb32751cab42e689606f87498f7e34a1

SHA512
044367e0e297e8c6857daa370ada50e58ef77ac826be2c2c5dc6537a0fce3f4431ca9218664a1ee3b87555856f63c311d0da0a2744698596c4d2c34f6a82d840

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleansweep.exe

Filesize
128KB

MD5
a9ef67e0bc0290401b554137b83d15d4

SHA1
ed6662d88dc4fcc85ab5bacce1a400766a7267f7

SHA256
63a79a49675c67de6a15ca67872a3c0aeb32751cab42e689606f87498f7e34a1

SHA512
044367e0e297e8c6857daa370ada50e58ef77ac826be2c2c5dc6537a0fce3f4431ca9218664a1ee3b87555856f63c311d0da0a2744698596c4d2c34f6a82d840

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleansweep.exe

Filesize
128KB

MD5
a9ef67e0bc0290401b554137b83d15d4

SHA1
ed6662d88dc4fcc85ab5bacce1a400766a7267f7

SHA256
63a79a49675c67de6a15ca67872a3c0aeb32751cab42e689606f87498f7e34a1

SHA512
044367e0e297e8c6857daa370ada50e58ef77ac826be2c2c5dc6537a0fce3f4431ca9218664a1ee3b87555856f63c311d0da0a2744698596c4d2c34f6a82d840

Download Submit
\Users\Admin\AppData\Local\Microsoft\svchost.exe

Filesize
128KB

MD5
a9ef67e0bc0290401b554137b83d15d4

SHA1
ed6662d88dc4fcc85ab5bacce1a400766a7267f7

SHA256
63a79a49675c67de6a15ca67872a3c0aeb32751cab42e689606f87498f7e34a1

SHA512
044367e0e297e8c6857daa370ada50e58ef77ac826be2c2c5dc6537a0fce3f4431ca9218664a1ee3b87555856f63c311d0da0a2744698596c4d2c34f6a82d840

Download Submit
\Users\Admin\AppData\Local\Microsoft\svchost.exe

Filesize
128KB

MD5
a9ef67e0bc0290401b554137b83d15d4

SHA1
ed6662d88dc4fcc85ab5bacce1a400766a7267f7

SHA256
63a79a49675c67de6a15ca67872a3c0aeb32751cab42e689606f87498f7e34a1

SHA512
044367e0e297e8c6857daa370ada50e58ef77ac826be2c2c5dc6537a0fce3f4431ca9218664a1ee3b87555856f63c311d0da0a2744698596c4d2c34f6a82d840

Download Submit
\Users\Admin\AppData\Local\Temp\cleansweep.exe

Filesize
128KB

MD5
a9ef67e0bc0290401b554137b83d15d4

SHA1
ed6662d88dc4fcc85ab5bacce1a400766a7267f7

SHA256
63a79a49675c67de6a15ca67872a3c0aeb32751cab42e689606f87498f7e34a1

SHA512
044367e0e297e8c6857daa370ada50e58ef77ac826be2c2c5dc6537a0fce3f4431ca9218664a1ee3b87555856f63c311d0da0a2744698596c4d2c34f6a82d840

Download Submit
\Users\Admin\AppData\Local\Temp\cleansweep.exe

Filesize
128KB

MD5
a9ef67e0bc0290401b554137b83d15d4

SHA1
ed6662d88dc4fcc85ab5bacce1a400766a7267f7

SHA256
63a79a49675c67de6a15ca67872a3c0aeb32751cab42e689606f87498f7e34a1

SHA512
044367e0e297e8c6857daa370ada50e58ef77ac826be2c2c5dc6537a0fce3f4431ca9218664a1ee3b87555856f63c311d0da0a2744698596c4d2c34f6a82d840

Download Submit
memory/724-66-0x0000000000000000-mapping.dmp

Download
memory/832-63-0x0000000001070000-0x0000000001490000-memory.dmp

Filesize
4.1MB

Download
memory/832-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/832-56-0x0000000001070000-0x0000000001490000-memory.dmp

Filesize
4.1MB

Download
memory/832-55-0x0000000001070000-0x0000000001490000-memory.dmp

Filesize
4.1MB

Download
memory/2024-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing