07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6

General

Target

07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe
Size

97KB
MD5

e3224603fe2aaaec7a274c5d55252a04
SHA1

8e815fc7e307485fa34e12f4f8e408bb10ea23dd
SHA256

07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6
SHA512

f01581ffebbde05c11de55d500b41c6129bbaa1134bbb22869ed160c9883cc40f2d9513b58e4fc5380ab05b73791477e9c496f499ca7b35ecbe928d7cda69fda
SSDEEP

1536:Q2QVxKF03OXuK9s7/sEguuULsN3rhZurqODNrrQYey6iexQ1q2rTAmjq8cMGL:DYjyuKWgEgQIhCDnQY8nxQ1BrUSqVMM

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\22276934\ImagePath = "system32\\22276934.sys"	07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe

Loads dropped DLL 1 IoCs

Processes:

Svchost.exe

pid process

4960 Svchost.exe

pid	process
4960	Svchost.exe

Drops file in System32 directory 5 IoCs

Processes:

07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exeSvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\4D3C0184.tmp	07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe
File opened for modification	C:\Windows\SysWOW64\22276934.sys	07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe
File opened for modification	C:\Windows\SysWOW64\404C5E23.sys	07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe
File opened for modification	C:\Windows\SysWOW64\12E64342.sys	Svchost.exe

Drops file in Windows directory 1 IoCs

Processes:

07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe

description ioc process

File created C:\WINDOWS\KB2536276666.log 07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\WINDOWS\KB2536276666.log	07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe

pid	process
2096	07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe
2096	07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe

description pid process

Token: SeLoadDriverPrivilege 2096 07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe

pid	process
660

description	pid	process
Token: SeLoadDriverPrivilege	2096	07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe

description	pid	process	target process
PID 2096 wrote to memory of 2288	2096	07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe	cmd.exe
PID 2096 wrote to memory of 2288	2096	07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe	cmd.exe
PID 2096 wrote to memory of 2288	2096	07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe
"C:\Users\Admin\AppData\Local\Temp\07a7daa188009040241d8ffcc0e9f760c30dae7599fbe12e7df755623d7a74d6.exe"
1⤵
- Sets DLL path for service in the registry
- Sets service image path in registry
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5872779e.bat" "
2⤵
PID:2288

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:4960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5872779e.bat

Filesize
303B

MD5
1e611855983f9b09c203c5c9c85df4a3

SHA1
470675aacf485efebbc05c8bd063fac87e524bbf

SHA256
30c7447ef5e5e2a003784bcf322cf94a3e63e7e4d861ae2594df8aa60778c2f2

SHA512
4ec262d3ddd3aaea29317b0ecbfa8ef52c4d640f8370a964edbd4e4bd59f0486228b485c7862ee0bdf4222411e7241bb785b93e6f84ef49dc3ef6a64058de4b0

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll

Filesize
25KB

MD5
622c4fc2bc6cbd965329dd0e2b5b24db

SHA1
0610310c0cc7e4005fdcf7d69b9810700efd7e19

SHA256
11399043af5c2bd53b60e05c8e37fd3711d1086d5a0b658dd26ebd57498aacae

SHA512
b43c4f5a593ff9bd8d9490d2d23c8fb9f4c5117532ac73ee3335a6f3ab8b2ce3ceb843418a0b2e5e69c13a5bb2a575502ff2ba56a1f49baeeecddfb029c81cf5

Download Submit
\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
25KB

MD5
622c4fc2bc6cbd965329dd0e2b5b24db

SHA1
0610310c0cc7e4005fdcf7d69b9810700efd7e19

SHA256
11399043af5c2bd53b60e05c8e37fd3711d1086d5a0b658dd26ebd57498aacae

SHA512
b43c4f5a593ff9bd8d9490d2d23c8fb9f4c5117532ac73ee3335a6f3ab8b2ce3ceb843418a0b2e5e69c13a5bb2a575502ff2ba56a1f49baeeecddfb029c81cf5

Download Submit
memory/2096-132-0x00000000031F0000-0x00000000071F0000-memory.dmp

Filesize
64.0MB

Download
memory/2096-133-0x00000000031F0000-0x00000000071F0000-memory.dmp

Filesize
64.0MB

Download
memory/2288-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads