4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270

General

Target

4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe
Size

2.9MB
MD5

84720ec2085b082882d89232d206cdfb
SHA1

396adfc704f6a197a5444750e2e606794bed8bbd
SHA256

4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270
SHA512

f90960529fc8a5f20c43a6b5eda58c4742dd69d5178016e5987708aaa00e75d92f02b47cadfc3af6cabb77c47b5bb7c28efbf261e8dcbb51aee3e400cc2fa001
SSDEEP

49152:YacCMSCtKvibmTIxNiZOZj7cTHF1u9R/ULhiVZjdpkfD/MlS1s6vjz0NHU23gndA:CPtMiq9GjI74ihi7wD/yUvkFUewdcmS5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
860	_92A0.tmpac7d.exe
4104	AntiVirus AntiSpyware.exe
3860	securitymanager.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus_AntiSpyware_2011 = "\"C:\\Users\\Admin\\AppData\\Roaming\\AntiVirus_AntiSpyware_2011\\AntiVirus AntiSpyware.exe\" /STARTUP"	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus AntiSpyware 2011 Security = "C:\\Users\\Admin\\AppData\\Roaming\\AntiVirus_AntiSpyware_2011\\securitymanager.exe"	securitymanager.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.log	securitymanager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe
Token: SeDebugPrivilege	4104	AntiVirus AntiSpyware.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3860	securitymanager.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3860	securitymanager.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe
1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe
4104	AntiVirus AntiSpyware.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 860	1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe	81
PID 1168 wrote to memory of 860	1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe	81
PID 1168 wrote to memory of 860	1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe	81
PID 1168 wrote to memory of 4104	1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe	92
PID 1168 wrote to memory of 4104	1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe	92
PID 1168 wrote to memory of 4104	1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe	92
PID 1168 wrote to memory of 3860	1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe	93
PID 1168 wrote to memory of 3860	1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe	93
PID 1168 wrote to memory of 3860	1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe	93
PID 1168 wrote to memory of 4796	1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe	94
PID 1168 wrote to memory of 4796	1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe	94
PID 1168 wrote to memory of 4796	1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe	94
PID 1168 wrote to memory of 3224	1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe	96
PID 1168 wrote to memory of 3224	1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe	96
PID 1168 wrote to memory of 3224	1168	4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe	96

C:\Users\Admin\AppData\Local\Temp\4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe
"C:\Users\Admin\AppData\Local\Temp\4ecef1eb91f4f895dfbaf4fef8aad2fc77dd71464b5341cf0a882b9c7d376270.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\_92A0.tmpac7d.exe
  "C:\Users\Admin\AppData\Local\Temp\_92A0.tmpac7d.exe" -p"09:07 AM" -y -o"C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011"
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe
  "C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4104
- C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\securitymanager.exe
  "C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\securitymanager.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C dir "C:\Users\Admin\AppData\Roaming"
  2⤵
  PID:4796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C dir "C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011"
  2⤵
  PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4104 -ip 4104
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4104 -ip 4104
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_92A0.tmpac7d.exe

Filesize
2.2MB

MD5
b5081f44bd75b84d2acbe07dd2f22330

SHA1
79559dcc2b39503094472cb32a22a09c3d01966d

SHA256
ffa1ae5e8aed5b905b40ff23fdc19847bcad7cd7d12ab952ad3eed90d6aa28f1

SHA512
8fe37e720364378cc4d5659aba6376de84a2d7d8c5817c654e82eeef50f69fe8f8ea01f4f3e9cde415b37bafdb1e45ec5150fd9d4efc55201e61395e4cc56dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_92A0.tmpac7d.exe

Filesize
2.2MB

MD5
b5081f44bd75b84d2acbe07dd2f22330

SHA1
79559dcc2b39503094472cb32a22a09c3d01966d

SHA256
ffa1ae5e8aed5b905b40ff23fdc19847bcad7cd7d12ab952ad3eed90d6aa28f1

SHA512
8fe37e720364378cc4d5659aba6376de84a2d7d8c5817c654e82eeef50f69fe8f8ea01f4f3e9cde415b37bafdb1e45ec5150fd9d4efc55201e61395e4cc56dc6

Download Submit
C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe

Filesize
2.7MB

MD5
2746f08cf2ade17f0cc86ab06ff31ccf

SHA1
0903372a10029bb7fc61bc5779fe9f1526de36aa

SHA256
dac92a5fba39da85c0a85d9fd59405372bb6d9c9468e01f6a434bc6a414f2266

SHA512
b648804e0a2b0f2bea8a5f3e81aad05840ff03c6a61e78b4d4250eb45e4132b92f695894107a67c4d1227e5a2effbcdc78203fe986c12397ba8ad972f6574211

Download Submit
C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe

Filesize
2.7MB

MD5
2746f08cf2ade17f0cc86ab06ff31ccf

SHA1
0903372a10029bb7fc61bc5779fe9f1526de36aa

SHA256
dac92a5fba39da85c0a85d9fd59405372bb6d9c9468e01f6a434bc6a414f2266

SHA512
b648804e0a2b0f2bea8a5f3e81aad05840ff03c6a61e78b4d4250eb45e4132b92f695894107a67c4d1227e5a2effbcdc78203fe986c12397ba8ad972f6574211

Download Submit
C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\securitymanager.exe

Filesize
102KB

MD5
e77c82553e361d71561890eb1e323d92

SHA1
eab8c2f1af2449a293a4785997ff9428114d7475

SHA256
6218dd03ae5356194a248d6db730640848057dde968b938079fa3e8d4b7a2422

SHA512
7f374d4bd009c29f48522417717aa31d50aef3c3fe7469a5962ef93a1a5f2ea7841e98923f804b00f9a6e683f58559a53c6cc9376ba138e8ee4951fc5e4ccc01

Download Submit
C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\securitymanager.exe

Filesize
102KB

MD5
e77c82553e361d71561890eb1e323d92

SHA1
eab8c2f1af2449a293a4785997ff9428114d7475

SHA256
6218dd03ae5356194a248d6db730640848057dde968b938079fa3e8d4b7a2422

SHA512
7f374d4bd009c29f48522417717aa31d50aef3c3fe7469a5962ef93a1a5f2ea7841e98923f804b00f9a6e683f58559a53c6cc9376ba138e8ee4951fc5e4ccc01

Download Submit
memory/1168-135-0x0000000003227000-0x0000000003229000-memory.dmp

Filesize
8KB

Download
memory/1168-139-0x0000000000400000-0x0000000000E1F000-memory.dmp

Filesize
10.1MB

Download
memory/1168-141-0x0000000000400000-0x0000000000E1F000-memory.dmp

Filesize
10.1MB

Download
memory/1168-142-0x0000000003220000-0x0000000003C3F000-memory.dmp

Filesize
10.1MB

Download
memory/1168-134-0x0000000003220000-0x0000000003C3F000-memory.dmp

Filesize
10.1MB

Download
memory/1168-132-0x0000000003220000-0x0000000003C3F000-memory.dmp

Filesize
10.1MB

Download
memory/1168-133-0x0000000000400000-0x0000000000E1F000-memory.dmp

Filesize
10.1MB

Download
memory/3860-150-0x0000000000190000-0x00000000001BD000-memory.dmp

Filesize
180KB

Download
memory/3860-153-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3860-154-0x0000000000190000-0x00000000001BD000-memory.dmp

Filesize
180KB

Download
memory/3860-158-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4104-148-0x0000000004070000-0x0000000005AB2000-memory.dmp

Filesize
26.3MB

Download
memory/4104-151-0x0000000000400000-0x0000000001E42000-memory.dmp

Filesize
26.3MB

Download
memory/4104-152-0x0000000004070000-0x0000000005AB2000-memory.dmp

Filesize
26.3MB

Download
memory/4104-156-0x0000000000400000-0x0000000001E42000-memory.dmp

Filesize
26.3MB

Download
memory/4104-157-0x0000000004070000-0x0000000005AB2000-memory.dmp

Filesize
26.3MB

Download

Analysis

Sharing