66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7

General

Target

66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe
Size

48KB
MD5

776967505dde899169b6b19bd00ad240
SHA1

1fc9e2c0ce9294e268055db4e91962efd85cf575
SHA256

66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7
SHA512

20f7cf3ff79a60e2c6fc27ba7dde3a86ccb0f297cd2884af1d9eec11636c3bad345f79136ed3eb79788ad117ae354bc170c1d360e1fb3b907f3a18e7a4109a4a
SSDEEP

1536:mrPKVrZ8A1zBMx84USXZEIo8/Wfsg3Tt2l:mrPKVZzMKAWfHh2l

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4276	SVCHOST.EXE
1512	MDM.EXE
4068	SVCHOST.EXE

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	MDM.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SVCHOST.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	MDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SVCHOST = "C:\\Windows\\MDM.EXE"	MDM.EXE

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AutoRun.inf	SVCHOST.EXE
File created	C:\AutoRun.inf	SVCHOST.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MDM.EXE	SVCHOST.EXE
File opened for modification	C:\WINDOWS\SVCHOST.EXE	66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe
File created	C:\WINDOWS\SVCHOST.EXE	66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe
File opened for modification	C:\Windows\SVCHOST.INI	SVCHOST.EXE
File created	C:\Windows\MDM.EXE	SVCHOST.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MDM.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 4276	4800	66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe	83
PID 4800 wrote to memory of 4276	4800	66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe	83
PID 4800 wrote to memory of 4276	4800	66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe	83
PID 4276 wrote to memory of 1512	4276	SVCHOST.EXE	91
PID 4276 wrote to memory of 1512	4276	SVCHOST.EXE	91
PID 4276 wrote to memory of 1512	4276	SVCHOST.EXE	91
PID 1512 wrote to memory of 4068	1512	MDM.EXE	92
PID 1512 wrote to memory of 4068	1512	MDM.EXE	92
PID 1512 wrote to memory of 4068	1512	MDM.EXE	92

C:\Users\Admin\AppData\Local\Temp\66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe
"C:\Users\Admin\AppData\Local\Temp\66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4800
- C:\WINDOWS\SVCHOST.EXE
  "C:\WINDOWS\SVCHOST.EXE"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops autorun.inf file
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\MDM.EXE
    "C:\Windows\MDM.EXE"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\SVCHOST.EXE
      "C:\Windows\SVCHOST.EXE"
      4⤵
      Executes dropped EXE
      PID:4068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SVCHOST.EXE

Filesize
48KB

MD5
776967505dde899169b6b19bd00ad240

SHA1
1fc9e2c0ce9294e268055db4e91962efd85cf575

SHA256
66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7

SHA512
20f7cf3ff79a60e2c6fc27ba7dde3a86ccb0f297cd2884af1d9eec11636c3bad345f79136ed3eb79788ad117ae354bc170c1d360e1fb3b907f3a18e7a4109a4a

Download Submit
C:\Windows\MDM.EXE

Filesize
21KB

MD5
150f08b99a4eca5a587cd7aa924eeb90

SHA1
587ce4e5eb4e743bd9a2989f8ba90c4811fd3e2a

SHA256
0d60759b7c416db3edde6c64ad44c98b98cef36b6264a2322b1def49631b4b35

SHA512
08871bb83ffac34b9369f620dccbbcc929c1d8ff982369efc26e4f038032c7182748283ba89c5e4553eddbd1d0a6d98dacca08c4a835cb53388a50085063301c

Download Submit
C:\Windows\MDM.EXE

Filesize
21KB

MD5
150f08b99a4eca5a587cd7aa924eeb90

SHA1
587ce4e5eb4e743bd9a2989f8ba90c4811fd3e2a

SHA256
0d60759b7c416db3edde6c64ad44c98b98cef36b6264a2322b1def49631b4b35

SHA512
08871bb83ffac34b9369f620dccbbcc929c1d8ff982369efc26e4f038032c7182748283ba89c5e4553eddbd1d0a6d98dacca08c4a835cb53388a50085063301c

Download Submit
C:\Windows\SVCHOST.EXE

Filesize
48KB

MD5
776967505dde899169b6b19bd00ad240

SHA1
1fc9e2c0ce9294e268055db4e91962efd85cf575

SHA256
66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7

SHA512
20f7cf3ff79a60e2c6fc27ba7dde3a86ccb0f297cd2884af1d9eec11636c3bad345f79136ed3eb79788ad117ae354bc170c1d360e1fb3b907f3a18e7a4109a4a

Download Submit
C:\Windows\SVCHOST.EXE

Filesize
48KB

MD5
776967505dde899169b6b19bd00ad240

SHA1
1fc9e2c0ce9294e268055db4e91962efd85cf575

SHA256
66e1f900ed8878fc6c11e84c3c75d0fc6efe6e83408427d4454e52cd664002e7

SHA512
20f7cf3ff79a60e2c6fc27ba7dde3a86ccb0f297cd2884af1d9eec11636c3bad345f79136ed3eb79788ad117ae354bc170c1d360e1fb3b907f3a18e7a4109a4a

Download Submit
C:\Windows\SVCHOST.INI

Filesize
43B

MD5
18cd72eb03c2715b0efa52d399e0656a

SHA1
0c6fed02c00f3c08ae76fa32a4bef34b17d1d205

SHA256
3fc52efc8789c1dca1fcda8faa1b8b958330af9bdddfbf59c03619530cea11b9

SHA512
5b4cfc03d52d31f54119da54bd62e615325a6d19fdc1648bee08afc769636e19633c341d3520a08556ef7e107b6b73e026f628d4fc5456ebd85f31a5693d4ff7

Download Submit
memory/1512-141-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1512-146-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4068-145-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4276-137-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4800-132-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4800-136-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads