79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56

General

Target

79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56.exe
Size

172KB
MD5

60a7a8b1c78cb2ed4becd00a6456dbc8
SHA1

09bd14a2853b5f5a8babbdd552a4953c43c2f483
SHA256

79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56
SHA512

09b24a8ceb41f88f790e3e10398f40b86d4def12b951e9beac6022f14fdc6723222152225b72e2d0823a4c0f7961749aba5510253382b67969f0ccb50219dba6
SSDEEP

3072:iJ0A2KvUXh9O5P908zsStvqeSwCKx83lUICxsqcAeSQ:i0A2auu10usSJbuKxAlicbS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1624 svchost.exe
1576 svchost.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1772 cmd.exe

pid	process
1624	svchost.exe
1576	svchost.exe

pid	process
1772	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56.exe

pid	process
1064	79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56.exe
1064	79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Config	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Config\ = e6070b00030017000b0003001500c702	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

svchost.exe

pid process

1576 svchost.exe
1576 svchost.exe
1576 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeBackupPrivilege 1576 svchost.exe
Token: SeRestorePrivilege 1576 svchost.exe

pid	process
1576	svchost.exe
1576	svchost.exe
1576	svchost.exe

description	pid	process
Token: SeBackupPrivilege	1576	svchost.exe
Token: SeRestorePrivilege	1576	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56.exe

description	pid	process	target process
PID 1064 wrote to memory of 1624	1064	79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56.exe	svchost.exe
PID 1064 wrote to memory of 1624	1064	79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56.exe	svchost.exe
PID 1064 wrote to memory of 1624	1064	79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56.exe	svchost.exe
PID 1064 wrote to memory of 1624	1064	79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56.exe	svchost.exe
PID 1064 wrote to memory of 1772	1064	79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56.exe	cmd.exe
PID 1064 wrote to memory of 1772	1064	79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56.exe	cmd.exe
PID 1064 wrote to memory of 1772	1064	79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56.exe	cmd.exe
PID 1064 wrote to memory of 1772	1064	79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56.exe
"C:\Users\Admin\AppData\Local\Temp\79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\temp\svchost.exe
"C:\Windows\temp\svchost.exe" -install
2⤵
- Executes dropped EXE
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\~0.bat" "
2⤵
- Deletes itself
PID:1772

C:\Windows\temp\svchost.exe
C:\Windows\temp\svchost.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~0.bat

Filesize
258B

MD5
a9d9e7069fee2197452e6bfdd806e851

SHA1
0ce3a2040fce0a3f7dfc0f4ec5a6c66240063c12

SHA256
8e0e0f2c1b3df7f15def6cc9e9e0735e75fb9e5952e33a103c65f6e12d8ab151

SHA512
440a8f8e201080e759aa407577b8c36467aad5d7edb0d4bfe7a05a8bc7466c096113e47b32dfc660b3e8112889cf51e881ae31fe760b39b78459af4cad18a03d

Download Submit
C:\Windows\Temp\svchost.exe

Filesize
172KB

MD5
60a7a8b1c78cb2ed4becd00a6456dbc8

SHA1
09bd14a2853b5f5a8babbdd552a4953c43c2f483

SHA256
79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56

SHA512
09b24a8ceb41f88f790e3e10398f40b86d4def12b951e9beac6022f14fdc6723222152225b72e2d0823a4c0f7961749aba5510253382b67969f0ccb50219dba6

Download Submit
C:\Windows\Temp\svchost.exe

Filesize
172KB

MD5
60a7a8b1c78cb2ed4becd00a6456dbc8

SHA1
09bd14a2853b5f5a8babbdd552a4953c43c2f483

SHA256
79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56

SHA512
09b24a8ceb41f88f790e3e10398f40b86d4def12b951e9beac6022f14fdc6723222152225b72e2d0823a4c0f7961749aba5510253382b67969f0ccb50219dba6

Download Submit
C:\Windows\temp\svchost.exe

Filesize
172KB

MD5
60a7a8b1c78cb2ed4becd00a6456dbc8

SHA1
09bd14a2853b5f5a8babbdd552a4953c43c2f483

SHA256
79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56

SHA512
09b24a8ceb41f88f790e3e10398f40b86d4def12b951e9beac6022f14fdc6723222152225b72e2d0823a4c0f7961749aba5510253382b67969f0ccb50219dba6

Download Submit
\Windows\Temp\svchost.exe

Filesize
172KB

MD5
60a7a8b1c78cb2ed4becd00a6456dbc8

SHA1
09bd14a2853b5f5a8babbdd552a4953c43c2f483

SHA256
79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56

SHA512
09b24a8ceb41f88f790e3e10398f40b86d4def12b951e9beac6022f14fdc6723222152225b72e2d0823a4c0f7961749aba5510253382b67969f0ccb50219dba6

Download Submit
\Windows\Temp\svchost.exe

Filesize
172KB

MD5
60a7a8b1c78cb2ed4becd00a6456dbc8

SHA1
09bd14a2853b5f5a8babbdd552a4953c43c2f483

SHA256
79a425882aacd28acb86b45017a57152049a4af1e3b30b7aff7e6f8eff0e8c56

SHA512
09b24a8ceb41f88f790e3e10398f40b86d4def12b951e9beac6022f14fdc6723222152225b72e2d0823a4c0f7961749aba5510253382b67969f0ccb50219dba6

Download Submit
memory/1064-54-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1624-57-0x0000000000000000-mapping.dmp

Download
memory/1772-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads