2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b

General

Target

2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
Size

333KB
MD5

06b7dcdff00ed18e156ba6cf4e9a02f7
SHA1

541032ba6ab7c383b804161a1f881b447105677f
SHA256

2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b
SHA512

6313af898c316cb7199b62e276175c4c1600be2b52ef9264476982864b6e37a9510e5c1a915ae91c72f34c24f63f761b8a4591b03b01b07343935bd59bde8d87
SSDEEP

3072:9msKGgOkGqHmT76JidYL49Nw/fnQRi6RwhGpVAv6IQ9BiQc9A:9JqHmTieNwnKh5NZ9bH

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe = "C:\\Users\\Public\\E-73473-3674-74335\\msnrsmsn.exe:*:Enabled:Microsoft3264OSUpdate"	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe

Executes dropped EXE 2 IoCs

pid	Process
1712	msnrsmsn.exe
1012	msnrsmsn.exe

Loads dropped DLL 2 IoCs

pid	Process
904	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
904	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft3264OSUpdate = "C:\\Users\\Public\\E-73473-3674-74335\\msnrsmsn.exe"	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 904	1632	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	27
PID 1712 set thread context of 1012	1712	msnrsmsn.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 904	1632	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	27
PID 1632 wrote to memory of 904	1632	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	27
PID 1632 wrote to memory of 904	1632	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	27
PID 1632 wrote to memory of 904	1632	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	27
PID 1632 wrote to memory of 904	1632	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	27
PID 1632 wrote to memory of 904	1632	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	27
PID 1632 wrote to memory of 904	1632	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	27
PID 1632 wrote to memory of 904	1632	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	27
PID 1632 wrote to memory of 904	1632	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	27
PID 904 wrote to memory of 1712	904	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	28
PID 904 wrote to memory of 1712	904	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	28
PID 904 wrote to memory of 1712	904	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	28
PID 904 wrote to memory of 1712	904	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	28
PID 1712 wrote to memory of 1012	1712	msnrsmsn.exe	29
PID 1712 wrote to memory of 1012	1712	msnrsmsn.exe	29
PID 1712 wrote to memory of 1012	1712	msnrsmsn.exe	29
PID 1712 wrote to memory of 1012	1712	msnrsmsn.exe	29
PID 1712 wrote to memory of 1012	1712	msnrsmsn.exe	29
PID 1712 wrote to memory of 1012	1712	msnrsmsn.exe	29
PID 1712 wrote to memory of 1012	1712	msnrsmsn.exe	29
PID 1712 wrote to memory of 1012	1712	msnrsmsn.exe	29
PID 1712 wrote to memory of 1012	1712	msnrsmsn.exe	29

C:\Users\Admin\AppData\Local\Temp\2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
"C:\Users\Admin\AppData\Local\Temp\2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
  "C:\Users\Admin\AppData\Local\Temp\2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe"
  2⤵
  - Modifies firewall policy service
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe
    "C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe
      "C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe"
      4⤵
      Executes dropped EXE
      PID:1012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe

Filesize
333KB

MD5
06b7dcdff00ed18e156ba6cf4e9a02f7

SHA1
541032ba6ab7c383b804161a1f881b447105677f

SHA256
2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b

SHA512
6313af898c316cb7199b62e276175c4c1600be2b52ef9264476982864b6e37a9510e5c1a915ae91c72f34c24f63f761b8a4591b03b01b07343935bd59bde8d87

Download Submit
C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe

Filesize
333KB

MD5
06b7dcdff00ed18e156ba6cf4e9a02f7

SHA1
541032ba6ab7c383b804161a1f881b447105677f

SHA256
2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b

SHA512
6313af898c316cb7199b62e276175c4c1600be2b52ef9264476982864b6e37a9510e5c1a915ae91c72f34c24f63f761b8a4591b03b01b07343935bd59bde8d87

Download Submit
C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe

Filesize
333KB

MD5
06b7dcdff00ed18e156ba6cf4e9a02f7

SHA1
541032ba6ab7c383b804161a1f881b447105677f

SHA256
2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b

SHA512
6313af898c316cb7199b62e276175c4c1600be2b52ef9264476982864b6e37a9510e5c1a915ae91c72f34c24f63f761b8a4591b03b01b07343935bd59bde8d87

Download Submit
\Users\Public\E-73473-3674-74335\msnrsmsn.exe

Filesize
333KB

MD5
06b7dcdff00ed18e156ba6cf4e9a02f7

SHA1
541032ba6ab7c383b804161a1f881b447105677f

SHA256
2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b

SHA512
6313af898c316cb7199b62e276175c4c1600be2b52ef9264476982864b6e37a9510e5c1a915ae91c72f34c24f63f761b8a4591b03b01b07343935bd59bde8d87

Download Submit
\Users\Public\E-73473-3674-74335\msnrsmsn.exe

Filesize
333KB

MD5
06b7dcdff00ed18e156ba6cf4e9a02f7

SHA1
541032ba6ab7c383b804161a1f881b447105677f

SHA256
2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b

SHA512
6313af898c316cb7199b62e276175c4c1600be2b52ef9264476982864b6e37a9510e5c1a915ae91c72f34c24f63f761b8a4591b03b01b07343935bd59bde8d87

Download Submit
memory/904-67-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/904-58-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/904-61-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/904-65-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/904-66-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/904-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/904-60-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/904-56-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1012-87-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1012-88-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1632-54-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1632-64-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1712-72-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1712-84-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads