d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d

General

Target

d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d.exe
Size

208KB
MD5

44e6c1dc066a435827334a86b5e7c510
SHA1

d8e77c35ad3a6d29acf3bc80d16f726d0ca86805
SHA256

d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d
SHA512

d8ef8cf0e935e0a4b73f6b1882a7238b4401974ab19126674de01956ede1832a5df7a86a032befa553a2a8878a269564dcd4d10d1c937b4ee29cc9759b82dd4b
SSDEEP

768:RPf7NTc7cJldamwwTA1n7//9ezT7lsPvL76gjK4ZogFA:9TJlcHnr4ePf6gjK4P

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
972	microsft.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
320	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\72319aa961570a0617ca539066f2af77.exe	microsft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\72319aa961570a0617ca539066f2af77.exe	microsft.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\72319aa961570a0617ca539066f2af77 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\microsft.exe\" .."	microsft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\72319aa961570a0617ca539066f2af77 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\microsft.exe\" .."	microsft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\3.exe"	d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\3.exe"	microsft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
972	microsft.exe
972	microsft.exe
972	microsft.exe
972	microsft.exe
972	microsft.exe
972	microsft.exe
972	microsft.exe
972	microsft.exe
972	microsft.exe
972	microsft.exe
972	microsft.exe
972	microsft.exe
972	microsft.exe
972	microsft.exe
972	microsft.exe
972	microsft.exe
972	microsft.exe
972	microsft.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	972	microsft.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 972	2032	d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d.exe	26
PID 2032 wrote to memory of 972	2032	d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d.exe	26
PID 2032 wrote to memory of 972	2032	d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d.exe	26
PID 972 wrote to memory of 320	972	microsft.exe	27
PID 972 wrote to memory of 320	972	microsft.exe	27
PID 972 wrote to memory of 320	972	microsft.exe	27

C:\Users\Admin\AppData\Local\Temp\d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d.exe
"C:\Users\Admin\AppData\Local\Temp\d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\microsft.exe
  "C:\Users\Admin\AppData\Local\Temp\microsft.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\system32\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\microsft.exe" "microsft.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\microsft.exe

Filesize
208KB

MD5
44e6c1dc066a435827334a86b5e7c510

SHA1
d8e77c35ad3a6d29acf3bc80d16f726d0ca86805

SHA256
d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d

SHA512
d8ef8cf0e935e0a4b73f6b1882a7238b4401974ab19126674de01956ede1832a5df7a86a032befa553a2a8878a269564dcd4d10d1c937b4ee29cc9759b82dd4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\microsft.exe

Filesize
208KB

MD5
44e6c1dc066a435827334a86b5e7c510

SHA1
d8e77c35ad3a6d29acf3bc80d16f726d0ca86805

SHA256
d283fe80b943bc85fb9891878e7ad68518f19bba094a152545e80d5100dd7a3d

SHA512
d8ef8cf0e935e0a4b73f6b1882a7238b4401974ab19126674de01956ede1832a5df7a86a032befa553a2a8878a269564dcd4d10d1c937b4ee29cc9759b82dd4b

Download Submit
memory/972-60-0x000007FEF48A0000-0x000007FEF52C3000-memory.dmp

Filesize
10.1MB

Download
memory/972-61-0x000007FEF3800000-0x000007FEF4896000-memory.dmp

Filesize
16.6MB

Download
memory/972-64-0x00000000003D6000-0x00000000003F5000-memory.dmp

Filesize
124KB

Download
memory/972-65-0x00000000003D6000-0x00000000003F5000-memory.dmp

Filesize
124KB

Download
memory/2032-54-0x000007FEF48A0000-0x000007FEF52C3000-memory.dmp

Filesize
10.1MB

Download
memory/2032-55-0x000007FEF3800000-0x000007FEF4896000-memory.dmp

Filesize
16.6MB

Download
memory/2032-56-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing