1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2

General

Target

1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe
Size

797KB
MD5

a797ebe7413dda691136baa61cec61f9
SHA1

9092df3087817d296857c188fe0e417df2c33789
SHA256

1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2
SHA512

c9d948df6dfcad662ec0fee16b32d98d0d240985713d487256b89f3910f294387e21e8aacb40181bd9548d88ab35b1048a7d2a1cd70952c21812885bbcf6928b
SSDEEP

12288:YhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aJ1d7JAMRFwCTc5zNEc5V3:ARmJkcoQricOIQxiZY1iabjsCTizNEqd

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\M-38593585020495849\winmgr.exe = "C:\\Users\\Admin\\M-38593585020495849\\winmgr.exe:*:Enabled:Microsoft Windows Manager"	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe

Executes dropped EXE 2 IoCs

Processes:

winmgr.exewinmgr.exe

pid process

1540 winmgr.exe
1448 winmgr.exe
Loads dropped DLL 1 IoCs

Processes:

1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe

pid process

1964 1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe

pid	process
1540	winmgr.exe
1448	winmgr.exe

pid	process
1964	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Users\\Admin\\M-38593585020495849\\winmgr.exe"	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\M-38593585020495849\winmgr.exe	autoit_exe
C:\Users\Admin\M-38593585020495849\winmgr.exe	autoit_exe
C:\Users\Admin\M-38593585020495849\winmgr.exe	autoit_exe
C:\Users\Admin\M-38593585020495849\winmgr.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exewinmgr.exe

description	pid	process	target process
PID 2024 set thread context of 1964	2024	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe
PID 1540 set thread context of 1448	1540	winmgr.exe	winmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exewinmgr.exe

description	pid	process	target process
PID 2024 wrote to memory of 1964	2024	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe
PID 2024 wrote to memory of 1964	2024	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe
PID 2024 wrote to memory of 1964	2024	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe
PID 2024 wrote to memory of 1964	2024	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe
PID 2024 wrote to memory of 1964	2024	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe
PID 2024 wrote to memory of 1964	2024	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe
PID 1964 wrote to memory of 1540	1964	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe	winmgr.exe
PID 1964 wrote to memory of 1540	1964	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe	winmgr.exe
PID 1964 wrote to memory of 1540	1964	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe	winmgr.exe
PID 1964 wrote to memory of 1540	1964	1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe	winmgr.exe
PID 1540 wrote to memory of 1448	1540	winmgr.exe	winmgr.exe
PID 1540 wrote to memory of 1448	1540	winmgr.exe	winmgr.exe
PID 1540 wrote to memory of 1448	1540	winmgr.exe	winmgr.exe
PID 1540 wrote to memory of 1448	1540	winmgr.exe	winmgr.exe
PID 1540 wrote to memory of 1448	1540	winmgr.exe	winmgr.exe
PID 1540 wrote to memory of 1448	1540	winmgr.exe	winmgr.exe

C:\Users\Admin\AppData\Local\Temp\1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe
"C:\Users\Admin\AppData\Local\Temp\1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe
"C:\Users\Admin\AppData\Local\Temp\1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2.exe"
2⤵
- Modifies firewall policy service
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\M-38593585020495849\winmgr.exe
"C:\Users\Admin\M-38593585020495849\winmgr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\M-38593585020495849\winmgr.exe
"C:\Users\Admin\M-38593585020495849\winmgr.exe"
4⤵
- Executes dropped EXE
PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\m816972.rcf

Filesize
33KB

MD5
057abc70a878561a73b4166ae87748db

SHA1
dd21870cfc5cfe147bea8539d10d49ff5d34f929

SHA256
74fc5d9388ce1121f6ccd62f872662fb2a70ae5997fa92db18eaad36997a81b3

SHA512
e269cfbb48479c840a6dd3d707435755ac3e836cb5b6442c2ec761c6ea1cc5663cc85590784e721c6bfe0208356a974aabbbeb014585f34b98e9411b6f9da2be

Download Submit
C:\Users\Admin\M-38593585020495849\winmgr.exe

Filesize
797KB

MD5
a797ebe7413dda691136baa61cec61f9

SHA1
9092df3087817d296857c188fe0e417df2c33789

SHA256
1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2

SHA512
c9d948df6dfcad662ec0fee16b32d98d0d240985713d487256b89f3910f294387e21e8aacb40181bd9548d88ab35b1048a7d2a1cd70952c21812885bbcf6928b

Download Submit
C:\Users\Admin\M-38593585020495849\winmgr.exe

Filesize
797KB

MD5
a797ebe7413dda691136baa61cec61f9

SHA1
9092df3087817d296857c188fe0e417df2c33789

SHA256
1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2

SHA512
c9d948df6dfcad662ec0fee16b32d98d0d240985713d487256b89f3910f294387e21e8aacb40181bd9548d88ab35b1048a7d2a1cd70952c21812885bbcf6928b

Download Submit
C:\Users\Admin\M-38593585020495849\winmgr.exe

Filesize
797KB

MD5
a797ebe7413dda691136baa61cec61f9

SHA1
9092df3087817d296857c188fe0e417df2c33789

SHA256
1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2

SHA512
c9d948df6dfcad662ec0fee16b32d98d0d240985713d487256b89f3910f294387e21e8aacb40181bd9548d88ab35b1048a7d2a1cd70952c21812885bbcf6928b

Download Submit
\Users\Admin\M-38593585020495849\winmgr.exe

Filesize
797KB

MD5
a797ebe7413dda691136baa61cec61f9

SHA1
9092df3087817d296857c188fe0e417df2c33789

SHA256
1ac984578bbbad9d358219190931933f2180a8654733cb632abe9e0b9f9810e2

SHA512
c9d948df6dfcad662ec0fee16b32d98d0d240985713d487256b89f3910f294387e21e8aacb40181bd9548d88ab35b1048a7d2a1cd70952c21812885bbcf6928b

Download Submit
memory/1448-72-0x00000000000C63B6-mapping.dmp

Download
memory/1540-64-0x0000000000000000-mapping.dmp

Download
memory/1964-62-0x00000000000C0000-0x00000000000CD000-memory.dmp

Filesize
52KB

Download
memory/1964-61-0x00000000000C0000-0x00000000000CD000-memory.dmp

Filesize
52KB

Download
memory/1964-57-0x00000000000C0000-0x00000000000CD000-memory.dmp

Filesize
52KB

Download
memory/1964-58-0x00000000000C63B6-mapping.dmp

Download
memory/1964-55-0x00000000000C0000-0x00000000000CD000-memory.dmp

Filesize
52KB

Download
memory/2024-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads