da943991512f6011b07e4779818ae4ab8506a6a736f3171e73564795e52618b5

General

Target

2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe
Size

246KB
MD5

00b5d45433391146ce98cd70a91bef08
SHA1

7649c554e87f6ea21ba86bb26ea39521d5d18151
SHA256

2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f
SHA512

47019e58c729e2090eb842ebc60f610a3a797e4275baf37f7b2b35ca2c61322658f2537cc28d0c524701881984382b14b0c8a337e414cffad7099efaed9b76f1
SSDEEP

6144:ExQk9lATVXXbWV6aozMB/QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ+:99r4+M8mRyAxqRwu0SExjA6JvsheijLx

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

MSPavilion.exe

pid process

4756 MSPavilion.exe

pid	process
4756	MSPavilion.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSPavilion = "C:\\Users\\Admin\\AppData\\Roaming\\Pavilion\\MSPavilion.exe"	reg.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

MSPavilion.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	MSPavilion.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	MSPavilion.exe

Drops file in Windows directory 3 IoCs

Processes:

MSPavilion.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	MSPavilion.exe
File opened for modification	C:\Windows\assembly	MSPavilion.exe
File created	C:\Windows\assembly\Desktop.ini	MSPavilion.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exeMSPavilion.execsc.exe

description	pid	process	target process
PID 1084 wrote to memory of 3356	1084	2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe	reg.exe
PID 1084 wrote to memory of 3356	1084	2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe	reg.exe
PID 1084 wrote to memory of 3356	1084	2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe	reg.exe
PID 1084 wrote to memory of 4756	1084	2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe	MSPavilion.exe
PID 1084 wrote to memory of 4756	1084	2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe	MSPavilion.exe
PID 1084 wrote to memory of 4756	1084	2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe	MSPavilion.exe
PID 4756 wrote to memory of 2768	4756	MSPavilion.exe	csc.exe
PID 4756 wrote to memory of 2768	4756	MSPavilion.exe	csc.exe
PID 4756 wrote to memory of 2768	4756	MSPavilion.exe	csc.exe
PID 2768 wrote to memory of 2652	2768	csc.exe	cvtres.exe
PID 2768 wrote to memory of 2652	2768	csc.exe	cvtres.exe
PID 2768 wrote to memory of 2652	2768	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe
"C:\Users\Admin\AppData\Local\Temp\2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\reg.exe
"reg.exe" import C:\Users\Admin\AppData\Local\Temp\tmp885F.reg
2⤵
- Adds Run key to start application
PID:3356

C:\Users\Admin\AppData\Roaming\Pavilion\MSPavilion.exe
"C:\Users\Admin\AppData\Roaming\Pavilion\MSPavilion.exe"
2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9irmjz6e.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA3B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCA3A.tmp"
4⤵
PID:2652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9irmjz6e.dll

Filesize
244KB

MD5
27ae3f43e15a69843b2763da83e17cb4

SHA1
5456087e56a68c1b5df5352a796b8d9b46bf2412

SHA256
19ff50b4121518054e2bdc2f43b4d67f59aa880762f9ddfd4830ae95c2c73b66

SHA512
b9390cdc376c880f51f1f673451206f6fea6082fa9c105ac6a448fefcc552bb41fe3775f1b4ffb627f6f14cb15fed4632a0b4ec26c2b4e01626ff49d99b53373

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCA3B.tmp

Filesize
1KB

MD5
2114d3dbd5e2833ea455059400787280

SHA1
bc92616326454c9cf5236ed8dc26e5866d44d68c

SHA256
bf048da63d590442a1719a732c8f1e480591dec9d38dc37ec1b8be5b01ac6d83

SHA512
67b370e7834a51a3f3d364d10ef05d6480c654f7dc16f64aee68b230147ca7f0754cf24ce3bae5348497ae1cc66fb9fdab5b3ad7cbe6e432a77b2379dd28c46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp885F.reg

Filesize
182B

MD5
747d7f6e57d777bca0ffc1ee939c2b6f

SHA1
40d26cf07a3c3be8403f0dbadb46bf072d009b04

SHA256
6bf0fda6b6693e83198f4e32b1f976b8147921abf359d7c7eeb773448365048b

SHA512
f450df659169058e35f31910d4aab7cdd88a47384cf9ef6b7f2b3ded6cf45aecbf561ba5410d433f31922c0690d60b850084c96030cd1515d58f38c506fd9ef2

Download Submit
C:\Users\Admin\AppData\Roaming\Pavilion\MSPavilion.exe

Filesize
246KB

MD5
00b5d45433391146ce98cd70a91bef08

SHA1
7649c554e87f6ea21ba86bb26ea39521d5d18151

SHA256
2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f

SHA512
47019e58c729e2090eb842ebc60f610a3a797e4275baf37f7b2b35ca2c61322658f2537cc28d0c524701881984382b14b0c8a337e414cffad7099efaed9b76f1

Download Submit
C:\Users\Admin\AppData\Roaming\Pavilion\MSPavilion.exe

Filesize
246KB

MD5
00b5d45433391146ce98cd70a91bef08

SHA1
7649c554e87f6ea21ba86bb26ea39521d5d18151

SHA256
2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f

SHA512
47019e58c729e2090eb842ebc60f610a3a797e4275baf37f7b2b35ca2c61322658f2537cc28d0c524701881984382b14b0c8a337e414cffad7099efaed9b76f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9irmjz6e.0.cs

Filesize
633KB

MD5
3eb8f5507314f5c9fd5a30b525eda96e

SHA1
10c45a73c5dbb8891058981072f94416fcbb19ff

SHA256
1020932902fbdfba1121650fbf2f0e015e3bb3a8cbf4181c2d0f09dd0f15a465

SHA512
7ad355b8bed45be882b034dc366c2753730f886d8731ac0d2c2a0e8894e0a53df985f0e0955027d2ceb5d0dc927f9adedbefacfa954889099ceb291ac091e518

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9irmjz6e.cmdline

Filesize
589B

MD5
b229ccca0efe76b2f7dfaa5229a3ac2e

SHA1
bc43021ab33ba11f117c83a31acab9451a9aee21

SHA256
0b4d07f73189acb7975fd47255cf2a8f3bb72f7d12e39a0aaf28d08ddf42e2d6

SHA512
a2780e14a3a0628ab1701fa33c07602dc4d2a3f0d5f160bb9162e1ba1f6ab6f303491a645576807ed4bf92972718cbf0b6f4bbd0e7370830e1c88013a04577f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCA3A.tmp

Filesize
652B

MD5
58b08c7049c47927197b141817baa715

SHA1
a01987280c67126dab4af8cb2845ecbf83222286

SHA256
986537f7802f2dd6d8bae64072c2b70103e105bbb075c622e9b945604410db59

SHA512
b4678251f8adf6cd049fbeda29b99349870bb94b8c503324cf93e5f8d2962c986f346168c7ba00aead439b7ae5841bf5365da95675c08744ec38341512745524

Download Submit
memory/1084-138-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/1084-132-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/2652-144-0x0000000000000000-mapping.dmp

Download
memory/2768-141-0x0000000000000000-mapping.dmp

Download
memory/3356-133-0x0000000000000000-mapping.dmp

Download
memory/4756-140-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-139-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4756-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads