6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168

General

Target

6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe
Size

2.4MB
MD5

335b591e290f9dea803db38e1f325bef
SHA1

6e02720b0b39e9ac7424bcb4697e1272cc391617
SHA256

6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168
SHA512

5b14b5a6530556b02dfdfaf5b8c5203d53cf7b71ab909032782a1485012aea9b11bfffdd447997010af7aca0412d2b9921ee20ed2556db0f5041288beae181b2
SSDEEP

49152:P41aYdE+D7tE/bSadhHmesfGSXiLHJ26EOe:PYJW+DC/bSayeUYve

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yjkpmzpy = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mlbhiegj\\Yjkpmzpy.exe\""	6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe

description	pid	process	target process
PID 1848 set thread context of 1836	1848	6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1308 PING.EXE

pid	process
1308	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeMSBuild.exe

pid	process
2028	powershell.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe
1836	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exe6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1848	6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe
Token: SeDebugPrivilege	1836	MSBuild.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.execmd.exe

description	pid	process	target process
PID 1848 wrote to memory of 856	1848	6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe	cmd.exe
PID 1848 wrote to memory of 856	1848	6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe	cmd.exe
PID 1848 wrote to memory of 856	1848	6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe	cmd.exe
PID 856 wrote to memory of 1308	856	cmd.exe	PING.EXE
PID 856 wrote to memory of 1308	856	cmd.exe	PING.EXE
PID 856 wrote to memory of 1308	856	cmd.exe	PING.EXE
PID 1848 wrote to memory of 2028	1848	6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe	powershell.exe
PID 1848 wrote to memory of 2028	1848	6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe	powershell.exe
PID 1848 wrote to memory of 2028	1848	6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe	powershell.exe
PID 1848 wrote to memory of 1836	1848	6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe	MSBuild.exe
PID 1848 wrote to memory of 1836	1848	6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe	MSBuild.exe
PID 1848 wrote to memory of 1836	1848	6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe	MSBuild.exe
PID 1848 wrote to memory of 1836	1848	6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe	MSBuild.exe
PID 1848 wrote to memory of 1836	1848	6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe	MSBuild.exe
PID 1848 wrote to memory of 1836	1848	6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe	MSBuild.exe
PID 1848 wrote to memory of 1836	1848	6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe
"C:\Users\Admin\AppData\Local\Temp\6c5a4429b32795b89ea0bed4af115cd5edb9c3d7c1832aab72f73c691b122168.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping google.com
2⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\system32\PING.EXE
ping google.com
3⤵
- Runs ping.exe
PID:1308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-56-0x0000000000000000-mapping.dmp

Download
memory/1308-57-0x0000000000000000-mapping.dmp

Download
memory/1836-80-0x000000001B280000-0x000000001B2CC000-memory.dmp

Filesize
304KB

Download
memory/1836-83-0x000000001B8C6000-0x000000001B8E5000-memory.dmp

Filesize
124KB

Download
memory/1836-82-0x00000000020D0000-0x00000000020E6000-memory.dmp

Filesize
88KB

Download
memory/1836-81-0x000000001B8C6000-0x000000001B8E5000-memory.dmp

Filesize
124KB

Download
memory/1836-68-0x0000000140000000-0x000000014007C000-memory.dmp

Filesize
496KB

Download
memory/1836-79-0x0000000002330000-0x0000000002386000-memory.dmp

Filesize
344KB

Download
memory/1836-78-0x000000001B7B0000-0x000000001B850000-memory.dmp

Filesize
640KB

Download
memory/1836-71-0x0000000140000000-0x000000014007C000-memory.dmp

Filesize
496KB

Download
memory/1836-74-0x0000000140000000-mapping.dmp

Download
memory/1836-73-0x0000000140000000-0x000000014007C000-memory.dmp

Filesize
496KB

Download
memory/1836-69-0x0000000140000000-0x000000014007C000-memory.dmp

Filesize
496KB

Download
memory/1848-76-0x000000001AC87000-0x000000001ACA6000-memory.dmp

Filesize
124KB

Download
memory/1848-54-0x000000013F950000-0x000000013FBB4000-memory.dmp

Filesize
2.4MB

Download
memory/1848-62-0x000000001AC87000-0x000000001ACA6000-memory.dmp

Filesize
124KB

Download
memory/1848-58-0x000000001BC90000-0x000000001BEF6000-memory.dmp

Filesize
2.4MB

Download
memory/1848-55-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Filesize
8KB

Download
memory/2028-67-0x0000000002330000-0x00000000023B0000-memory.dmp

Filesize
512KB

Download
memory/2028-66-0x0000000002330000-0x00000000023B0000-memory.dmp

Filesize
512KB

Download
memory/2028-65-0x0000000002330000-0x00000000023B0000-memory.dmp

Filesize
512KB

Download
memory/2028-64-0x0000000002330000-0x00000000023B0000-memory.dmp

Filesize
512KB

Download
memory/2028-63-0x000007FEEA160000-0x000007FEEACBD000-memory.dmp

Filesize
11.4MB

Download
memory/2028-61-0x000007FEEACC0000-0x000007FEEB6E3000-memory.dmp

Filesize
10.1MB

Download
memory/2028-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads