1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b

General

Target

1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe
Size

172KB
MD5

d8b3807c730d493ba974c13c83621dd8
SHA1

8f4f7519e1c86bd3b123130f60100d7da7a2e53d
SHA256

1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b
SHA512

9814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e
SSDEEP

3072:mJ0A2KvUXh9O5P908zsStvqeSwCKx83lUICxsqcAeSa:O0A2auu10usSJbuKxAlicbS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1516 svchost.exe
1684 svchost.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1824 cmd.exe

pid	process
1516	svchost.exe
1684	svchost.exe

pid	process
1824	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe

pid	process
1456	1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe
1456	1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Config	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Config\ = e6070b00030017000a0001003200f401	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

svchost.exe

pid process

1684 svchost.exe
1684 svchost.exe
1684 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeBackupPrivilege 1684 svchost.exe
Token: SeRestorePrivilege 1684 svchost.exe

pid	process
1684	svchost.exe
1684	svchost.exe
1684	svchost.exe

description	pid	process
Token: SeBackupPrivilege	1684	svchost.exe
Token: SeRestorePrivilege	1684	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe

description	pid	process	target process
PID 1456 wrote to memory of 1516	1456	1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe	svchost.exe
PID 1456 wrote to memory of 1516	1456	1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe	svchost.exe
PID 1456 wrote to memory of 1516	1456	1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe	svchost.exe
PID 1456 wrote to memory of 1516	1456	1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe	svchost.exe
PID 1456 wrote to memory of 1824	1456	1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe	cmd.exe
PID 1456 wrote to memory of 1824	1456	1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe	cmd.exe
PID 1456 wrote to memory of 1824	1456	1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe	cmd.exe
PID 1456 wrote to memory of 1824	1456	1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe
"C:\Users\Admin\AppData\Local\Temp\1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\temp\svchost.exe
"C:\Windows\temp\svchost.exe" -install
2⤵
- Executes dropped EXE
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\~0.bat" "
2⤵
- Deletes itself
PID:1824

C:\Windows\temp\svchost.exe
C:\Windows\temp\svchost.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~0.bat

Filesize
258B

MD5
3ec406bfaf2fc1383813314972975c84

SHA1
eb38d2a107129c86a910492f5b66fb9002dd9576

SHA256
9fafc27e02c57454749b7a5ecfa45024c5813760b21ca571855f0ebb623e032d

SHA512
de3e524d92abc4354735f35c88c7f7c972dd4d85d9dab93df91dd6f1c56c0046f27956512a3f66a1b3b1ca82bd127ea7c0c596aec95b1bb3b81037728ac92173

Download Submit
C:\Windows\Temp\svchost.exe

Filesize
172KB

MD5
d8b3807c730d493ba974c13c83621dd8

SHA1
8f4f7519e1c86bd3b123130f60100d7da7a2e53d

SHA256
1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b

SHA512
9814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e

Download Submit
C:\Windows\Temp\svchost.exe

Filesize
172KB

MD5
d8b3807c730d493ba974c13c83621dd8

SHA1
8f4f7519e1c86bd3b123130f60100d7da7a2e53d

SHA256
1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b

SHA512
9814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e

Download Submit
C:\Windows\temp\svchost.exe

Filesize
172KB

MD5
d8b3807c730d493ba974c13c83621dd8

SHA1
8f4f7519e1c86bd3b123130f60100d7da7a2e53d

SHA256
1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b

SHA512
9814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e

Download Submit
\Windows\Temp\svchost.exe

Filesize
172KB

MD5
d8b3807c730d493ba974c13c83621dd8

SHA1
8f4f7519e1c86bd3b123130f60100d7da7a2e53d

SHA256
1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b

SHA512
9814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e

Download Submit
\Windows\Temp\svchost.exe

Filesize
172KB

MD5
d8b3807c730d493ba974c13c83621dd8

SHA1
8f4f7519e1c86bd3b123130f60100d7da7a2e53d

SHA256
1276dea9bbfc6f5149fc9852dcd6b6de36e1c5d111115550be8b2cf8d670134b

SHA512
9814ab497620ab816f7766d428bf6671d20ef40d9f543933bc8ed0b545ce6cea3ce30d40e512853d3e7df62cc152bf30547d99f58f99f53823ff0af1c76f2f2e

Download Submit
memory/1456-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1516-57-0x0000000000000000-mapping.dmp

Download
memory/1824-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads