0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443

General

Target

0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe
Size

347KB
MD5

0321699c07a25a5d9f00448d6f80918a
SHA1

cf1dc5ae0d67a3c79a76f9e92f984afc28f319f9
SHA256

0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443
SHA512

1888df1669326a6a6e6ff657b0074b5086c50555e186fa8530a3228ac289ec95842385527d7edfd62b6be5acd99c0fb934be785d0baa93ca07e9f1d2fa412c33
SSDEEP

6144:sfRMjS+oEl9v+2tlyuRMVGtr5HM/k3x/S7OgQDa4ch7mBaajaLzaMWywS+:zjS+jvxyuRGMpMqS7OXazmkoRM7w/

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1700	svchostc.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1968-54-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1968-55-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1968-60-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1968	0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\svchostc.exe	0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe
File opened for modification	C:\Windows\SysWOW64\inf\svchostc.exe	0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe
File created	C:\Windows\SysWOW64\inf\sppdcrs080605.scr	0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe
File created	C:\Windows\SysWOW64\inf\scsys16_080605.dll	0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\twftadfia16_080605.dll	0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe
File opened for modification	C:\Windows\twisys.ini	0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe
File created	C:\Windows\system\sgcxcxxaspf080605.exe	0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe
File created	C:\Windows\tdcbdcasys32_080605.dll	0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1968	0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe
1968	0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe
Token: SeDebugPrivilege	1968	0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1700	1968	0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe	28
PID 1968 wrote to memory of 1700	1968	0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe	28
PID 1968 wrote to memory of 1700	1968	0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe	28
PID 1968 wrote to memory of 1700	1968	0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe	28

C:\Users\Admin\AppData\Local\Temp\0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe
"C:\Users\Admin\AppData\Local\Temp\0c1f8b176f947b2444280d0d27d23457045848f7df7227da72901faa746c1443.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\inf\svchostc.exe
  "C:\Windows\system32\inf\svchostc.exe" C:\Windows\twftadfia16_080605.dll tanlt88
  2⤵
  - Executes dropped EXE
  PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\inf\svchostc.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\inf\svchostc.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\twftadfia16_080605.dll

Filesize
31KB

MD5
0595d5bfaa178549be85ddd672b0f69b

SHA1
e1b9fd60e645109ac3447f11684f706020f825e6

SHA256
f1907b27f6e41738b9cbe3d6283e45d81af0d0cd97d815aabbd869bc164c63e3

SHA512
5d83d129d99d431ba20052928ad8ac88c1c6c78cccb60f9d0a763935d9d4d356daee7370cb5924c1afe9364d4a674c5f39450c7757e34c9087551fc3af61e761

Download Submit
\Windows\SysWOW64\inf\svchostc.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/1968-54-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1968-55-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1968-56-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/1968-60-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing