2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b

General

Target

2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
Size

333KB
MD5

06b7dcdff00ed18e156ba6cf4e9a02f7
SHA1

541032ba6ab7c383b804161a1f881b447105677f
SHA256

2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b
SHA512

6313af898c316cb7199b62e276175c4c1600be2b52ef9264476982864b6e37a9510e5c1a915ae91c72f34c24f63f761b8a4591b03b01b07343935bd59bde8d87
SSDEEP

3072:9msKGgOkGqHmT76JidYL49Nw/fnQRi6RwhGpVAv6IQ9BiQc9A:9JqHmTieNwnKh5NZ9bH

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe = "C:\\Users\\Public\\E-73473-3674-74335\\msnrsmsn.exe:*:Enabled:Microsoft3264OSUpdate"	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe

Executes dropped EXE 2 IoCs

pid	Process
1304	msnrsmsn.exe
3544	msnrsmsn.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft3264OSUpdate = "C:\\Users\\Public\\E-73473-3674-74335\\msnrsmsn.exe"	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 916 set thread context of 2500	916	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	80
PID 1304 set thread context of 3544	1304	msnrsmsn.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 2500	916	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	80
PID 916 wrote to memory of 2500	916	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	80
PID 916 wrote to memory of 2500	916	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	80
PID 916 wrote to memory of 2500	916	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	80
PID 916 wrote to memory of 2500	916	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	80
PID 916 wrote to memory of 2500	916	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	80
PID 916 wrote to memory of 2500	916	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	80
PID 916 wrote to memory of 2500	916	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	80
PID 2500 wrote to memory of 1304	2500	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	81
PID 2500 wrote to memory of 1304	2500	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	81
PID 2500 wrote to memory of 1304	2500	2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe	81
PID 1304 wrote to memory of 3544	1304	msnrsmsn.exe	82
PID 1304 wrote to memory of 3544	1304	msnrsmsn.exe	82
PID 1304 wrote to memory of 3544	1304	msnrsmsn.exe	82
PID 1304 wrote to memory of 3544	1304	msnrsmsn.exe	82
PID 1304 wrote to memory of 3544	1304	msnrsmsn.exe	82
PID 1304 wrote to memory of 3544	1304	msnrsmsn.exe	82
PID 1304 wrote to memory of 3544	1304	msnrsmsn.exe	82
PID 1304 wrote to memory of 3544	1304	msnrsmsn.exe	82

C:\Users\Admin\AppData\Local\Temp\2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
"C:\Users\Admin\AppData\Local\Temp\2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Local\Temp\2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe
  "C:\Users\Admin\AppData\Local\Temp\2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b.exe"
  2⤵
  - Modifies firewall policy service
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe
    "C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe
      "C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe"
      4⤵
      Executes dropped EXE
      PID:3544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe

Filesize
333KB

MD5
06b7dcdff00ed18e156ba6cf4e9a02f7

SHA1
541032ba6ab7c383b804161a1f881b447105677f

SHA256
2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b

SHA512
6313af898c316cb7199b62e276175c4c1600be2b52ef9264476982864b6e37a9510e5c1a915ae91c72f34c24f63f761b8a4591b03b01b07343935bd59bde8d87

Download Submit
C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe

Filesize
333KB

MD5
06b7dcdff00ed18e156ba6cf4e9a02f7

SHA1
541032ba6ab7c383b804161a1f881b447105677f

SHA256
2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b

SHA512
6313af898c316cb7199b62e276175c4c1600be2b52ef9264476982864b6e37a9510e5c1a915ae91c72f34c24f63f761b8a4591b03b01b07343935bd59bde8d87

Download Submit
C:\Users\Public\E-73473-3674-74335\msnrsmsn.exe

Filesize
333KB

MD5
06b7dcdff00ed18e156ba6cf4e9a02f7

SHA1
541032ba6ab7c383b804161a1f881b447105677f

SHA256
2a286adf6e4b47a84b0de5cec8ee9ea82e3e7f8e59a4d9098d13d93694c6b08b

SHA512
6313af898c316cb7199b62e276175c4c1600be2b52ef9264476982864b6e37a9510e5c1a915ae91c72f34c24f63f761b8a4591b03b01b07343935bd59bde8d87

Download Submit
memory/916-132-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/916-136-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1304-142-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1304-146-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2500-138-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2500-137-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2500-134-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3544-149-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads