201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6

General

Target

201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
Size

206KB
MD5

397274aa8167c58ef72f28bc03351a43
SHA1

bea78819e92c222e5a7e92d36d40176714d46d06
SHA256

201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6
SHA512

203f549f1f617be8261ae8d4189bba3fef359b3e2e1f00a28bf61b33a1d2ccd6c5931e58167956212d6169b4156b2a9f6493cbfa653f7170fff86316d2e60221
SSDEEP

3072:5wxVMhOC/dTDbq91+mno3t4QZQ3raVsNT+s+YNRXA5ZqpyTfbP:5TfFDbRnOTraya5YNRwCyLbP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1236	jpeg.exe

Loads dropped DLL 2 IoCs

pid	Process
1968	cmd.exe
1968	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\TimeServer = "C:\\Program Files (x86)\\TimeServer\\jpeg.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\TimeServer	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
File created	C:\Program Files (x86)\TimeServer\__tmp_rar_sfx_access_check_7090744	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
File created	C:\Program Files (x86)\TimeServer\start.bat	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
File opened for modification	C:\Program Files (x86)\TimeServer\start.bat	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
File created	C:\Program Files (x86)\TimeServer\jpeg.jpeg	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
File opened for modification	C:\Program Files (x86)\TimeServer\jpeg.jpeg	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
File created	C:\Program Files (x86)\TimeServer\jpeg.exe	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
File opened for modification	C:\Program Files (x86)\TimeServer\jpeg.exe	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
732	tasklist.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1300	reg.exe
1752	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	732	tasklist.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
520	DllHost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1968	1680	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe	28
PID 1680 wrote to memory of 1968	1680	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe	28
PID 1680 wrote to memory of 1968	1680	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe	28
PID 1680 wrote to memory of 1968	1680	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe	28
PID 1968 wrote to memory of 1300	1968	cmd.exe	31
PID 1968 wrote to memory of 1300	1968	cmd.exe	31
PID 1968 wrote to memory of 1300	1968	cmd.exe	31
PID 1968 wrote to memory of 1300	1968	cmd.exe	31
PID 1968 wrote to memory of 1752	1968	cmd.exe	32
PID 1968 wrote to memory of 1752	1968	cmd.exe	32
PID 1968 wrote to memory of 1752	1968	cmd.exe	32
PID 1968 wrote to memory of 1752	1968	cmd.exe	32
PID 1968 wrote to memory of 732	1968	cmd.exe	33
PID 1968 wrote to memory of 732	1968	cmd.exe	33
PID 1968 wrote to memory of 732	1968	cmd.exe	33
PID 1968 wrote to memory of 732	1968	cmd.exe	33
PID 1968 wrote to memory of 1736	1968	cmd.exe	34
PID 1968 wrote to memory of 1736	1968	cmd.exe	34
PID 1968 wrote to memory of 1736	1968	cmd.exe	34
PID 1968 wrote to memory of 1736	1968	cmd.exe	34
PID 1968 wrote to memory of 1236	1968	cmd.exe	36
PID 1968 wrote to memory of 1236	1968	cmd.exe	36
PID 1968 wrote to memory of 1236	1968	cmd.exe	36
PID 1968 wrote to memory of 1236	1968	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
"C:\Users\Admin\AppData\Local\Temp\201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files (x86)\TimeServer\start.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer /v TimeServer /t REG_DWORD /d 0x313B7CC1 /f
    3⤵
    - Modifies registry key
    PID:1300
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v TimeServer /t REG_SZ /d "C:\Program Files (x86)\TimeServer\jpeg.exe" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1752
- - C:\Windows\SysWOW64\tasklist.exe
    TaskList /FI "ImageName EQ jpeg.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:732
- - C:\Windows\SysWOW64\find.exe
    Find /I "jpeg.exe"
    3⤵
    PID:1736
- - C:\Program Files (x86)\TimeServer\jpeg.exe
    jpeg.exe
    3⤵
    - Executes dropped EXE
    PID:1236

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TimeServer\jpeg.exe

Filesize
97KB

MD5
5501dd2471a3a7e37dd8d8eb5fdaea9f

SHA1
26a4029b5b0b476f8b4f9067aadbc4b129025046

SHA256
61acbfb8f49261df48726799a989b71a15674cca69e8c05c04112811d4da3ad7

SHA512
33ae6764c906935c29f7b25431d3dc58b191b7f33bee8aaf127be1f28159dc89148c3ff2ca7ba712ccfe80aca0cb498035ddc66981cf5fd894e87e6717dcc33c

Download Submit
C:\Program Files (x86)\TimeServer\jpeg.exe

Filesize
97KB

MD5
5501dd2471a3a7e37dd8d8eb5fdaea9f

SHA1
26a4029b5b0b476f8b4f9067aadbc4b129025046

SHA256
61acbfb8f49261df48726799a989b71a15674cca69e8c05c04112811d4da3ad7

SHA512
33ae6764c906935c29f7b25431d3dc58b191b7f33bee8aaf127be1f28159dc89148c3ff2ca7ba712ccfe80aca0cb498035ddc66981cf5fd894e87e6717dcc33c

Download Submit
C:\Program Files (x86)\TimeServer\start.bat

Filesize
650B

MD5
6271e788faeabe8a54abc798b4d4c19c

SHA1
4950fc7d5baac79ddebb1bbaf41225cd292f6fe9

SHA256
cf59a44c219a1c167ab50295d557fcef65e797686b7538e110b4e919e13487c3

SHA512
dec3b6270e5e2a8b640ef24aa2d503e30ce7db656f0b860f901d92450b200f51166081644fc509fe4fd839d416398b3e4abb75706bc9d7fa0a42a1656e59322b

Download Submit
\Program Files (x86)\TimeServer\jpeg.exe

Filesize
97KB

MD5
5501dd2471a3a7e37dd8d8eb5fdaea9f

SHA1
26a4029b5b0b476f8b4f9067aadbc4b129025046

SHA256
61acbfb8f49261df48726799a989b71a15674cca69e8c05c04112811d4da3ad7

SHA512
33ae6764c906935c29f7b25431d3dc58b191b7f33bee8aaf127be1f28159dc89148c3ff2ca7ba712ccfe80aca0cb498035ddc66981cf5fd894e87e6717dcc33c

Download Submit
\Program Files (x86)\TimeServer\jpeg.exe

Filesize
97KB

MD5
5501dd2471a3a7e37dd8d8eb5fdaea9f

SHA1
26a4029b5b0b476f8b4f9067aadbc4b129025046

SHA256
61acbfb8f49261df48726799a989b71a15674cca69e8c05c04112811d4da3ad7

SHA512
33ae6764c906935c29f7b25431d3dc58b191b7f33bee8aaf127be1f28159dc89148c3ff2ca7ba712ccfe80aca0cb498035ddc66981cf5fd894e87e6717dcc33c

Download Submit
memory/1680-54-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads