483b8f2acfb6031a755b36f15612afb3b7c2810710086ca37ba7a1f7ae1f13b6

General

Target

483b8f2acfb6031a755b36f15612afb3b7c2810710086ca37ba7a1f7ae1f13b6.exe
Size

45KB
MD5

834dd73b37cf6ad1f852c4df68f55f19
SHA1

b1edf104fa0df296fc25224bf88610ece6deb245
SHA256

483b8f2acfb6031a755b36f15612afb3b7c2810710086ca37ba7a1f7ae1f13b6
SHA512

4e6a09089700ee2d7071a0a674241a1b96438f0a544696a77364c0dfcdac9f707e2a674f1c7755954eca15a03dd87fe77ed7543877b456630553b9f208a32215
SSDEEP

768:NUmTIj8ycl8s598HIAQvI9Dq3U6+frYxKwkWyMRy7FFesX8gmU7AwXEPz7vNGOST:RSS/G9UPz7pS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
272	Microsoft Support.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1328	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cdc10baf8d526aadd954bf3f60e0e69e.exe	Microsoft Support.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cdc10baf8d526aadd954bf3f60e0e69e.exe	Microsoft Support.exe

Loads dropped DLL 1 IoCs

pid	Process
1280	483b8f2acfb6031a755b36f15612afb3b7c2810710086ca37ba7a1f7ae1f13b6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cdc10baf8d526aadd954bf3f60e0e69e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Support.exe\" .."	Microsoft Support.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\cdc10baf8d526aadd954bf3f60e0e69e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Support.exe\" .."	Microsoft Support.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
272	Microsoft Support.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	272	Microsoft Support.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 272	1280	483b8f2acfb6031a755b36f15612afb3b7c2810710086ca37ba7a1f7ae1f13b6.exe	28
PID 1280 wrote to memory of 272	1280	483b8f2acfb6031a755b36f15612afb3b7c2810710086ca37ba7a1f7ae1f13b6.exe	28
PID 1280 wrote to memory of 272	1280	483b8f2acfb6031a755b36f15612afb3b7c2810710086ca37ba7a1f7ae1f13b6.exe	28
PID 1280 wrote to memory of 272	1280	483b8f2acfb6031a755b36f15612afb3b7c2810710086ca37ba7a1f7ae1f13b6.exe	28
PID 272 wrote to memory of 1328	272	Microsoft Support.exe	29
PID 272 wrote to memory of 1328	272	Microsoft Support.exe	29
PID 272 wrote to memory of 1328	272	Microsoft Support.exe	29
PID 272 wrote to memory of 1328	272	Microsoft Support.exe	29

C:\Users\Admin\AppData\Local\Temp\483b8f2acfb6031a755b36f15612afb3b7c2810710086ca37ba7a1f7ae1f13b6.exe
"C:\Users\Admin\AppData\Local\Temp\483b8f2acfb6031a755b36f15612afb3b7c2810710086ca37ba7a1f7ae1f13b6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\Microsoft Support.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Support.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:272
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Microsoft Support.exe" "Microsoft Support.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft Support.exe

Filesize
45KB

MD5
834dd73b37cf6ad1f852c4df68f55f19

SHA1
b1edf104fa0df296fc25224bf88610ece6deb245

SHA256
483b8f2acfb6031a755b36f15612afb3b7c2810710086ca37ba7a1f7ae1f13b6

SHA512
4e6a09089700ee2d7071a0a674241a1b96438f0a544696a77364c0dfcdac9f707e2a674f1c7755954eca15a03dd87fe77ed7543877b456630553b9f208a32215

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Support.exe

Filesize
45KB

MD5
834dd73b37cf6ad1f852c4df68f55f19

SHA1
b1edf104fa0df296fc25224bf88610ece6deb245

SHA256
483b8f2acfb6031a755b36f15612afb3b7c2810710086ca37ba7a1f7ae1f13b6

SHA512
4e6a09089700ee2d7071a0a674241a1b96438f0a544696a77364c0dfcdac9f707e2a674f1c7755954eca15a03dd87fe77ed7543877b456630553b9f208a32215

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Support.exe

Filesize
45KB

MD5
834dd73b37cf6ad1f852c4df68f55f19

SHA1
b1edf104fa0df296fc25224bf88610ece6deb245

SHA256
483b8f2acfb6031a755b36f15612afb3b7c2810710086ca37ba7a1f7ae1f13b6

SHA512
4e6a09089700ee2d7071a0a674241a1b96438f0a544696a77364c0dfcdac9f707e2a674f1c7755954eca15a03dd87fe77ed7543877b456630553b9f208a32215

Download Submit
memory/272-64-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/272-65-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1280-55-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/1280-61-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing