66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7

General

Target

66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe
Size

48KB
MD5

776967505dde899169b6b19bd00ad240
SHA1

1fc9e2c0ce9294e268055db4e91962efd85cf575
SHA256

66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7
SHA512

20f7cf3ff79a60e2c6fc27ba7dde3a86ccb0f297cd2884af1d9eec11636c3bad345f79136ed3eb79788ad117ae354bc170c1d360e1fb3b907f3a18e7a4109a4a
SSDEEP

1536:mrPKVrZ8A1zBMx84USXZEIo8/Wfsg3Tt2l:mrPKVZzMKAWfHh2l

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
996	SVCHOST.EXE
2032	MDM.EXE
580	SVCHOST.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SVCHOST = "C:\\Windows\\MDM.EXE"	MDM.EXE
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	MDM.EXE

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\AutoRun.inf	SVCHOST.EXE
File opened for modification	C:\AutoRun.inf	SVCHOST.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SVCHOST.INI	SVCHOST.EXE
File created	C:\Windows\MDM.EXE	SVCHOST.EXE
File opened for modification	C:\Windows\MDM.EXE	SVCHOST.EXE
File opened for modification	C:\WINDOWS\SVCHOST.EXE	66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe
File created	C:\WINDOWS\SVCHOST.EXE	66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 996	1880	66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe	28
PID 1880 wrote to memory of 996	1880	66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe	28
PID 1880 wrote to memory of 996	1880	66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe	28
PID 1880 wrote to memory of 996	1880	66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe	28
PID 996 wrote to memory of 2032	996	SVCHOST.EXE	29
PID 996 wrote to memory of 2032	996	SVCHOST.EXE	29
PID 996 wrote to memory of 2032	996	SVCHOST.EXE	29
PID 996 wrote to memory of 2032	996	SVCHOST.EXE	29
PID 2032 wrote to memory of 580	2032	MDM.EXE	30
PID 2032 wrote to memory of 580	2032	MDM.EXE	30
PID 2032 wrote to memory of 580	2032	MDM.EXE	30
PID 2032 wrote to memory of 580	2032	MDM.EXE	30

C:\Users\Admin\AppData\Local\Temp\66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe
"C:\Users\Admin\AppData\Local\Temp\66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1880
- C:\WINDOWS\SVCHOST.EXE
  "C:\WINDOWS\SVCHOST.EXE"
  2⤵
  - Executes dropped EXE
  - Drops autorun.inf file
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\MDM.EXE
    "C:\Windows\MDM.EXE"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SVCHOST.EXE
      "C:\Windows\SVCHOST.EXE"
      4⤵
      Executes dropped EXE
      PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SVCHOST.EXE

Filesize
48KB

MD5
776967505dde899169b6b19bd00ad240

SHA1
1fc9e2c0ce9294e268055db4e91962efd85cf575

SHA256
66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7

SHA512
20f7cf3ff79a60e2c6fc27ba7dde3a86ccb0f297cd2884af1d9eec11636c3bad345f79136ed3eb79788ad117ae354bc170c1d360e1fb3b907f3a18e7a4109a4a

Download Submit
C:\Windows\MDM.EXE

Filesize
21KB

MD5
150f08b99a4eca5a587cd7aa924eeb90

SHA1
587ce4e5eb4e743bd9a2989f8ba90c4811fd3e2a

SHA256
0d60759b7c416db3edde6c64ad44c98b98cef36b6264a2322b1def49631b4b35

SHA512
08871bb83ffac34b9369f620dccbbcc929c1d8ff982369efc26e4f038032c7182748283ba89c5e4553eddbd1d0a6d98dacca08c4a835cb53388a50085063301c

Download Submit
C:\Windows\SVCHOST.EXE

Filesize
48KB

MD5
776967505dde899169b6b19bd00ad240

SHA1
1fc9e2c0ce9294e268055db4e91962efd85cf575

SHA256
66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7

SHA512
20f7cf3ff79a60e2c6fc27ba7dde3a86ccb0f297cd2884af1d9eec11636c3bad345f79136ed3eb79788ad117ae354bc170c1d360e1fb3b907f3a18e7a4109a4a

Download Submit
C:\Windows\SVCHOST.EXE

Filesize
48KB

MD5
776967505dde899169b6b19bd00ad240

SHA1
1fc9e2c0ce9294e268055db4e91962efd85cf575

SHA256
66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7

SHA512
20f7cf3ff79a60e2c6fc27ba7dde3a86ccb0f297cd2884af1d9eec11636c3bad345f79136ed3eb79788ad117ae354bc170c1d360e1fb3b907f3a18e7a4109a4a

Download Submit
C:\Windows\SVCHOST.INI

Filesize
43B

MD5
2bcd53a42c7b9d761467e7c87d4cd016

SHA1
4e0f79aadb057b2a1737963c969af4e017209d85

SHA256
864bfc9ad94aec3cfe18b552fcbc3cf88212075a0d8955507b18f40354f5d507

SHA512
19e5867647bc3966f2cf739a9a81ec3bfe464413af1e8f280b2a3610119a50e6ee5facd07f58e8e687626036a2f25d7b19d90eb522cb9d3127943bb7538533f0

Download Submit
memory/580-71-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/996-60-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/996-65-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/996-64-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/1880-57-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1880-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/2032-66-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2032-72-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads