90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13

General

Target

90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe
Size

85KB
MD5

f2d06659cb00a8aa51151269052f7062
SHA1

7eba5519e2023762b49f03c9b862a2f99675029a
SHA256

90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13
SHA512

42da41fcbfb63e7f084b08b3c277ce429fe932730763e231a732096914da7f60306dc1b2d74a45aaabede77c3211de950a2064251ee2fd24e3aa5338cdac7799
SSDEEP

1536:x4UHxpN/MUXsLTvCj0DBXJaOm/IykWj4EmzNhJAKww0tk2d2JUxZq:x4URpNUUX6z/DBXJfmwykWfS5wXtf2yy

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\60379 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mscyfpua.cmd"	svchost.exe

Deletes itself 1 IoCs

pid	Process
688	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1772	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1772 set thread context of 1716	1772	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe	28

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\mscyfpua.cmd	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1716	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1716	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe
1716	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1716	1772	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe	28
PID 1772 wrote to memory of 1716	1772	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe	28
PID 1772 wrote to memory of 1716	1772	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe	28
PID 1772 wrote to memory of 1716	1772	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe	28
PID 1772 wrote to memory of 1716	1772	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe	28
PID 1772 wrote to memory of 1716	1772	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe	28
PID 1772 wrote to memory of 1716	1772	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe	28
PID 1772 wrote to memory of 1716	1772	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe	28
PID 1772 wrote to memory of 1716	1772	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe	28
PID 1772 wrote to memory of 1716	1772	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe	28
PID 1716 wrote to memory of 688	1716	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe	29
PID 1716 wrote to memory of 688	1716	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe	29
PID 1716 wrote to memory of 688	1716	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe	29
PID 1716 wrote to memory of 688	1716	90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe	29

C:\Users\Admin\AppData\Local\Temp\90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe
"C:\Users\Admin\AppData\Local\Temp\90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe
  "C:\Users\Admin\AppData\Local\Temp\90fdc654c66fefb7943e311406bd8fc3fda93894afb4166cf3514d832cdd9f13.exe"
  2⤵
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - Adds policy Run key to start application
    - Deletes itself
    - Drops file in Program Files directory
    PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nseC709.tmp\conferment.dll

Filesize
58KB

MD5
6f36d3b6f90eda16d5f2bc2c55d14b87

SHA1
c60cf4b58256c2a2526e6acd2994f225928dc7da

SHA256
bdcea21d95ff30fb5a1067e0466086b5b6fc930e24e52790d62ab59aeab9159a

SHA512
414ba19935cd00233001aeb7797c5f592a77ee9c9ca5e84652bf304af88d9adf8d22707a7a2a1f899ff2c83d75945cf7e4a584cbeece588a1e2748de62a630ae

Download Submit
memory/688-62-0x0000000000000000-mapping.dmp

Download
memory/688-63-0x0000000000630000-0x0000000000638000-memory.dmp

Filesize
32KB

Download
memory/688-64-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/688-65-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/1716-57-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1716-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1716-61-0x000000000040141C-mapping.dmp

Download
memory/1716-60-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1772-54-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1772-56-0x0000000001F10000-0x0000000001F27000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing