0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65

General

Target

0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65.exe
Size

424KB
MD5

71f01b78a45ba903a9f7cad4beee8511
SHA1

6347bb8353bab5eb34901ca5a9c16e51e3781bcb
SHA256

0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65
SHA512

df7a532630038573b6c7d6937e3b7082c570c0696cc5517bfdacb1cfc59aceb28683a49cc3b88123737e9be26baa6cd1c07854dfd4b62cf021ffe61b4241add8
SSDEEP

6144:Khw2iWEIYVQ5AFZn1yiRnxqFcIjlbgZ6d8U7DdwW9bI2:1NIYq5AxpZIBbO6N7DdxP

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

wckqocnvu.exe

pid process

1568 wckqocnvu.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2000 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exewckqocnvu.exe

pid process

2000 cmd.exe
2000 cmd.exe
1568 wckqocnvu.exe

pid	process
1568	wckqocnvu.exe

pid	process
2000	cmd.exe

pid	process
2000	cmd.exe
2000	cmd.exe
1568	wckqocnvu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1976 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

908 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1976 taskkill.exe

pid	process
1976	taskkill.exe

pid	process
908	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1976	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65.execmd.exe

description	pid	process	target process
PID 1172 wrote to memory of 2000	1172	0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65.exe	cmd.exe
PID 1172 wrote to memory of 2000	1172	0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65.exe	cmd.exe
PID 1172 wrote to memory of 2000	1172	0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65.exe	cmd.exe
PID 1172 wrote to memory of 2000	1172	0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65.exe	cmd.exe
PID 2000 wrote to memory of 1976	2000	cmd.exe	taskkill.exe
PID 2000 wrote to memory of 1976	2000	cmd.exe	taskkill.exe
PID 2000 wrote to memory of 1976	2000	cmd.exe	taskkill.exe
PID 2000 wrote to memory of 1976	2000	cmd.exe	taskkill.exe
PID 2000 wrote to memory of 908	2000	cmd.exe	PING.EXE
PID 2000 wrote to memory of 908	2000	cmd.exe	PING.EXE
PID 2000 wrote to memory of 908	2000	cmd.exe	PING.EXE
PID 2000 wrote to memory of 908	2000	cmd.exe	PING.EXE
PID 2000 wrote to memory of 1568	2000	cmd.exe	wckqocnvu.exe
PID 2000 wrote to memory of 1568	2000	cmd.exe	wckqocnvu.exe
PID 2000 wrote to memory of 1568	2000	cmd.exe	wckqocnvu.exe
PID 2000 wrote to memory of 1568	2000	cmd.exe	wckqocnvu.exe

C:\Users\Admin\AppData\Local\Temp\0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65.exe
"C:\Users\Admin\AppData\Local\Temp\0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1172 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65.exe" & start C:\Users\Admin\AppData\Local\WCKQOC~1.EXE -f
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 1172
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
3⤵
- Runs ping.exe
PID:908

C:\Users\Admin\AppData\Local\wckqocnvu.exe
C:\Users\Admin\AppData\Local\WCKQOC~1.EXE -f
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\wckqocnvu.exe

Filesize
424KB

MD5
71f01b78a45ba903a9f7cad4beee8511

SHA1
6347bb8353bab5eb34901ca5a9c16e51e3781bcb

SHA256
0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65

SHA512
df7a532630038573b6c7d6937e3b7082c570c0696cc5517bfdacb1cfc59aceb28683a49cc3b88123737e9be26baa6cd1c07854dfd4b62cf021ffe61b4241add8

Download Submit
C:\Users\Admin\AppData\Local\wckqocnvu.exe

Filesize
424KB

MD5
71f01b78a45ba903a9f7cad4beee8511

SHA1
6347bb8353bab5eb34901ca5a9c16e51e3781bcb

SHA256
0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65

SHA512
df7a532630038573b6c7d6937e3b7082c570c0696cc5517bfdacb1cfc59aceb28683a49cc3b88123737e9be26baa6cd1c07854dfd4b62cf021ffe61b4241add8

Download Submit
\Users\Admin\AppData\Local\wckqocnvu.exe

Filesize
424KB

MD5
71f01b78a45ba903a9f7cad4beee8511

SHA1
6347bb8353bab5eb34901ca5a9c16e51e3781bcb

SHA256
0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65

SHA512
df7a532630038573b6c7d6937e3b7082c570c0696cc5517bfdacb1cfc59aceb28683a49cc3b88123737e9be26baa6cd1c07854dfd4b62cf021ffe61b4241add8

Download Submit
\Users\Admin\AppData\Local\wckqocnvu.exe

Filesize
424KB

MD5
71f01b78a45ba903a9f7cad4beee8511

SHA1
6347bb8353bab5eb34901ca5a9c16e51e3781bcb

SHA256
0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65

SHA512
df7a532630038573b6c7d6937e3b7082c570c0696cc5517bfdacb1cfc59aceb28683a49cc3b88123737e9be26baa6cd1c07854dfd4b62cf021ffe61b4241add8

Download Submit
\Users\Admin\AppData\Local\wckqocnvu.exe

Filesize
424KB

MD5
71f01b78a45ba903a9f7cad4beee8511

SHA1
6347bb8353bab5eb34901ca5a9c16e51e3781bcb

SHA256
0c812dfb1a04bb0f7567dad5c7604db6350544bba08b2baf5ab02d912c700d65

SHA512
df7a532630038573b6c7d6937e3b7082c570c0696cc5517bfdacb1cfc59aceb28683a49cc3b88123737e9be26baa6cd1c07854dfd4b62cf021ffe61b4241add8

Download Submit
memory/908-59-0x0000000000000000-mapping.dmp

Download
memory/1172-57-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/1172-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1172-55-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/1568-63-0x0000000000000000-mapping.dmp

Download
memory/1568-67-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/1568-68-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/1976-58-0x0000000000000000-mapping.dmp

Download
memory/2000-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing