137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0

General

Target

137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe
Size

122KB
MD5

0433c60a249730829b9df7c66585280a
SHA1

a578a54514a0faf9f00435d153ec74ccb803f0c4
SHA256

137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0
SHA512

cbdd16addb2c72082b7fdb713225203d6ed6640e9ff827f4f40147ea17830d436a535564536a0a2118b0f9c8d92b0a87e11976d93d9bc42f079456698d230be5
SSDEEP

3072:sufO+VTTywpp4PcShif3MKyeI7+uhmqWMGrsN4s/u:9NTywr4vif3MwY+uhfN5G

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\26953 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msuayfa.bat"	svchost.exe

Deletes itself 1 IoCs

pid	Process
584	svchost.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 268	1672	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe	27

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\msuayfa.bat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
268	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
268	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe
268	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1932	DllHost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 268	1672	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe	27
PID 1672 wrote to memory of 268	1672	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe	27
PID 1672 wrote to memory of 268	1672	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe	27
PID 1672 wrote to memory of 268	1672	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe	27
PID 1672 wrote to memory of 268	1672	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe	27
PID 1672 wrote to memory of 268	1672	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe	27
PID 1672 wrote to memory of 268	1672	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe	27
PID 268 wrote to memory of 584	268	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe	28
PID 268 wrote to memory of 584	268	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe	28
PID 268 wrote to memory of 584	268	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe	28
PID 268 wrote to memory of 584	268	137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe	28

C:\Users\Admin\AppData\Local\Temp\137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe
"C:\Users\Admin\AppData\Local\Temp\137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe
  C:\Users\Admin\AppData\Local\Temp\137d99c10c38f42b4db7b6c94376600844bcc2a878d94a31f98982c44b3baee0.exe
  2⤵
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - Adds policy Run key to start application
    - Deletes itself
    - Drops file in Program Files directory
    PID:584

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Confirmation - Votre IPad-le-dernier-produit-Apple.jpg

Filesize
32KB

MD5
c48967ee653ab1279276a35d4bcfa8a0

SHA1
44e7b00112425ad9a44228012d5723430acff9d2

SHA256
32b8d4a3c5a1a4a08a80821198f54bb2b0d956b1229b0ad8727cd60b6108b80a

SHA512
18e268c4e2b36c06e82a9e9061e0df14526d23722def7b6d0dbe19e647ed3320400f5176e886a16fd18018e669bf82321ea03d9e22a83726db649c990f25cda1

Download Submit
memory/268-66-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/268-57-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/268-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/268-60-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/584-70-0x0000000000030000-0x0000000000035000-memory.dmp

Filesize
20KB

Download
memory/584-69-0x0000000000030000-0x0000000000035000-memory.dmp

Filesize
20KB

Download
memory/584-68-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/1672-63-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-55-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-56-0x0000000002065000-0x0000000002076000-memory.dmp

Filesize
68KB

Download
memory/1672-64-0x0000000002065000-0x0000000002076000-memory.dmp

Filesize
68KB

Download
memory/1672-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing