6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558

General

Target

6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
Size

230KB
MD5

0acd91a009e0c96a5bf5289cc85e0640
SHA1

af660ab81cda94ff642ffad5f07cf54f7a60b322
SHA256

6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558
SHA512

f99c46265bbd83c49a026810d655e60ca5a721766cf1593698198e75525d31e5e5918f8110c500eda62d7737aed8cab3c7f1f2029d4b98bc800af8d75f11c1d6
SSDEEP

6144:/Xt/dERx5UhJABr2szc+lJ2uIMkWrYz0eU2Dy:V/CxGw2sA+L2uIpWr+CCy

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
File created	C:\Windows\System32\drivers\etc\hosts.ics	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
4800	taskkill.exe
1060	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	RunDll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	RunDll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\DOMStorage	RunDll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomStorageState	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomStorageState\EdpCleanupState = "0"	RunDll32.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133114771721529257"	RunDll32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-19	rundll32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheVersion = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheLimit = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Extensible Cache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DomStorageState\EdpCleanupState = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CacheVersion = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DOMStorage	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\EdpDomStorage	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Explorer\DomStorageState	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheVersion = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CacheLimit = "51200"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content\CachePrefix	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Cookies\CacheLimit = "1"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	2212	rundll32.exe
Token: SeDebugPrivilege	2212	rundll32.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
4296	RunDll32.exe
4636	RunDll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 4800	2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe	82
PID 2300 wrote to memory of 4800	2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe	82
PID 2300 wrote to memory of 4800	2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe	82
PID 2300 wrote to memory of 4636	2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe	85
PID 2300 wrote to memory of 4636	2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe	85
PID 2300 wrote to memory of 4636	2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe	85
PID 2300 wrote to memory of 4296	2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe	86
PID 2300 wrote to memory of 4296	2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe	86
PID 2300 wrote to memory of 4296	2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe	86
PID 2300 wrote to memory of 1060	2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe	87
PID 2300 wrote to memory of 1060	2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe	87
PID 2300 wrote to memory of 1060	2300	6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe	87
PID 4636 wrote to memory of 3816	4636	RunDll32.exe	92
PID 4636 wrote to memory of 3816	4636	RunDll32.exe	92
PID 4636 wrote to memory of 3816	4636	RunDll32.exe	92
PID 4296 wrote to memory of 2212	4296	RunDll32.exe	94
PID 4296 wrote to memory of 2212	4296	RunDll32.exe	94
PID 4296 wrote to memory of 2212	4296	RunDll32.exe	94

C:\Users\Admin\AppData\Local\Temp\6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe
"C:\Users\Admin\AppData\Local\Temp\6ff537a3f07e544ee74de319a43d68536fce15809e4b45cc7848c1a1e7a7c558.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im lsas.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4800
- C:\Windows\SysWOW64\RunDll32.exe
  RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:00000000
    3⤵
    - Modifies registry class
    PID:3816
- C:\Windows\SysWOW64\RunDll32.exe
  RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
  2⤵
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:2 WinX:0 WinY:0 IEFrame:00000000
    3⤵
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im lsas.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads