ccb6ffd78c778b272dd45387bad11dff4507b204c062fceef98d17601e396976

General

Target

ccb6ffd78c778b272dd45387bad11dff4507b204c062fceef98d17601e396976.exe
Size

688KB
MD5

99f7aea316dece629041e7774d3728cc
SHA1

ed8ce50f94bf28e57c4ebb2fe28cb1c5d5fecc9e
SHA256

ccb6ffd78c778b272dd45387bad11dff4507b204c062fceef98d17601e396976
SHA512

ed5afa452b845029e723a863c59e34e789f364749fad1fc30733b1a4adf41f454d0a9fa6d42b9bf4b90834e86f140b1f61f03dfd8318f10d7c08cb9864ba81d9
SSDEEP

6144:GTHFHnDMIH9fJWPnSlRtz+RMpepNFMTHFHnDMIH9fJWPnSlRtz+RMpepNF:GRdBWPmSIeDFMRdBWPmSIeDF

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss.exe"	reg.exe

Executes dropped EXE 1 IoCs

Processes:

PO_16652.exe

pid process

876 PO_16652.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1936 netsh.exe

pid	process
876	PO_16652.exe

pid	process
1936	netsh.exe

Loads dropped DLL 2 IoCs

Processes:

ccb6ffd78c778b272dd45387bad11dff4507b204c062fceef98d17601e396976.exe

pid	process
1852	ccb6ffd78c778b272dd45387bad11dff4507b204c062fceef98d17601e396976.exe
1852	ccb6ffd78c778b272dd45387bad11dff4507b204c062fceef98d17601e396976.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Security Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Security Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Security Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Security Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Security Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PO_16652.exe

description pid process

Token: SeDebugPrivilege 876 PO_16652.exe

description	pid	process
Token: SeDebugPrivilege	876	PO_16652.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

ccb6ffd78c778b272dd45387bad11dff4507b204c062fceef98d17601e396976.exePO_16652.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1852 wrote to memory of 876	1852	ccb6ffd78c778b272dd45387bad11dff4507b204c062fceef98d17601e396976.exe	PO_16652.exe
PID 1852 wrote to memory of 876	1852	ccb6ffd78c778b272dd45387bad11dff4507b204c062fceef98d17601e396976.exe	PO_16652.exe
PID 1852 wrote to memory of 876	1852	ccb6ffd78c778b272dd45387bad11dff4507b204c062fceef98d17601e396976.exe	PO_16652.exe
PID 1852 wrote to memory of 876	1852	ccb6ffd78c778b272dd45387bad11dff4507b204c062fceef98d17601e396976.exe	PO_16652.exe
PID 876 wrote to memory of 1936	876	PO_16652.exe	netsh.exe
PID 876 wrote to memory of 1936	876	PO_16652.exe	netsh.exe
PID 876 wrote to memory of 1936	876	PO_16652.exe	netsh.exe
PID 876 wrote to memory of 1936	876	PO_16652.exe	netsh.exe
PID 876 wrote to memory of 732	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 732	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 732	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 732	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 1648	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 1648	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 1648	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 1648	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 820	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 820	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 820	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 820	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 1044	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 1044	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 1044	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 1044	876	PO_16652.exe	cmd.exe
PID 732 wrote to memory of 1512	732	cmd.exe	reg.exe
PID 732 wrote to memory of 1512	732	cmd.exe	reg.exe
PID 732 wrote to memory of 1512	732	cmd.exe	reg.exe
PID 732 wrote to memory of 1512	732	cmd.exe	reg.exe
PID 876 wrote to memory of 1132	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 1132	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 1132	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 1132	876	PO_16652.exe	cmd.exe
PID 1648 wrote to memory of 544	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 544	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 544	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 544	1648	cmd.exe	reg.exe
PID 876 wrote to memory of 808	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 808	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 808	876	PO_16652.exe	cmd.exe
PID 876 wrote to memory of 808	876	PO_16652.exe	cmd.exe
PID 820 wrote to memory of 1336	820	cmd.exe	reg.exe
PID 820 wrote to memory of 1336	820	cmd.exe	reg.exe
PID 820 wrote to memory of 1336	820	cmd.exe	reg.exe
PID 820 wrote to memory of 1336	820	cmd.exe	reg.exe
PID 1132 wrote to memory of 1768	1132	cmd.exe	reg.exe
PID 1132 wrote to memory of 1768	1132	cmd.exe	reg.exe
PID 1132 wrote to memory of 1768	1132	cmd.exe	reg.exe
PID 1132 wrote to memory of 1768	1132	cmd.exe	reg.exe
PID 1044 wrote to memory of 1352	1044	cmd.exe	reg.exe
PID 1044 wrote to memory of 1352	1044	cmd.exe	reg.exe
PID 1044 wrote to memory of 1352	1044	cmd.exe	reg.exe
PID 1044 wrote to memory of 1352	1044	cmd.exe	reg.exe
PID 808 wrote to memory of 1888	808	cmd.exe	reg.exe
PID 808 wrote to memory of 1888	808	cmd.exe	reg.exe
PID 808 wrote to memory of 1888	808	cmd.exe	reg.exe
PID 808 wrote to memory of 1888	808	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\ccb6ffd78c778b272dd45387bad11dff4507b204c062fceef98d17601e396976.exe
"C:\Users\Admin\AppData\Local\Temp\ccb6ffd78c778b272dd45387bad11dff4507b204c062fceef98d17601e396976.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Roaming\mpack\PO_16652.exe
"C:\Users\Admin\AppData\Roaming\mpack\PO_16652.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mpack\PO_16652.exe" "PO_16652.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\csrss.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\csrss.exe"
4⤵
- Modifies WinLogon for persistence
PID:1512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe
4⤵
- Adds Run key to start application
PID:544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe
4⤵
- Adds Run key to start application
PID:1336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe
4⤵
- Adds Run key to start application
PID:1352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe
4⤵
- Adds Run key to start application
PID:1768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Microsoft Security Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\csrss.exe
4⤵
- Adds Run key to start application
PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mpack\PO_16652.exe

Filesize
188KB

MD5
5bac79bd35b79431d6082cb5fda280ed

SHA1
11cf970b8b24aa08fe4e343a355691bbaf9294b7

SHA256
e4195c1581d92a6fe8a0b7626c99387d274b028be563e3816b9544b3f73153f0

SHA512
a525da368d7987a1fd50fe1c4d0f83ad4e12601cfaf4b697086c1ff624b8ef03588a3dcb1bdfb1b7f9f29cb10b521d258793f892b6cd3dccc70b79906f3a0593

Download Submit
C:\Users\Admin\AppData\Roaming\mpack\PO_16652.exe

Filesize
188KB

MD5
5bac79bd35b79431d6082cb5fda280ed

SHA1
11cf970b8b24aa08fe4e343a355691bbaf9294b7

SHA256
e4195c1581d92a6fe8a0b7626c99387d274b028be563e3816b9544b3f73153f0

SHA512
a525da368d7987a1fd50fe1c4d0f83ad4e12601cfaf4b697086c1ff624b8ef03588a3dcb1bdfb1b7f9f29cb10b521d258793f892b6cd3dccc70b79906f3a0593

Download Submit
\Users\Admin\AppData\Roaming\mpack\PO_16652.exe

Filesize
188KB

MD5
5bac79bd35b79431d6082cb5fda280ed

SHA1
11cf970b8b24aa08fe4e343a355691bbaf9294b7

SHA256
e4195c1581d92a6fe8a0b7626c99387d274b028be563e3816b9544b3f73153f0

SHA512
a525da368d7987a1fd50fe1c4d0f83ad4e12601cfaf4b697086c1ff624b8ef03588a3dcb1bdfb1b7f9f29cb10b521d258793f892b6cd3dccc70b79906f3a0593

Download Submit
\Users\Admin\AppData\Roaming\mpack\PO_16652.exe

Filesize
188KB

MD5
5bac79bd35b79431d6082cb5fda280ed

SHA1
11cf970b8b24aa08fe4e343a355691bbaf9294b7

SHA256
e4195c1581d92a6fe8a0b7626c99387d274b028be563e3816b9544b3f73153f0

SHA512
a525da368d7987a1fd50fe1c4d0f83ad4e12601cfaf4b697086c1ff624b8ef03588a3dcb1bdfb1b7f9f29cb10b521d258793f892b6cd3dccc70b79906f3a0593

Download Submit
memory/544-72-0x0000000000000000-mapping.dmp

Download
memory/732-66-0x0000000000000000-mapping.dmp

Download
memory/808-73-0x0000000000000000-mapping.dmp

Download
memory/820-68-0x0000000000000000-mapping.dmp

Download
memory/876-58-0x0000000000000000-mapping.dmp

Download
memory/876-63-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/876-64-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1044-69-0x0000000000000000-mapping.dmp

Download
memory/1132-71-0x0000000000000000-mapping.dmp

Download
memory/1336-74-0x0000000000000000-mapping.dmp

Download
memory/1352-76-0x0000000000000000-mapping.dmp

Download
memory/1512-70-0x0000000000000000-mapping.dmp

Download
memory/1648-67-0x0000000000000000-mapping.dmp

Download
memory/1768-75-0x0000000000000000-mapping.dmp

Download
memory/1852-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1852-62-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1852-55-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/1888-77-0x0000000000000000-mapping.dmp

Download
memory/1936-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads