3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6

General

Target

3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe
Size

110KB
MD5

4097cecc9d744ab90952f06201687fec
SHA1

acd495700fe471ff920cfef79d60a690d472cebb
SHA256

3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6
SHA512

4375a51837ce76cd7f474386728e126842d3212b1f21a988f49e8f5a76ecf66e4af5a86042638f1a1a004f424c6c099c74f0e0d1c65e4015760a2eff421af329
SSDEEP

3072:hCARRIiUzPB7DFWE3iHlK+3DjFQiTQ+xCiPvhZNExEY:hNut5v67LCivhZNEx

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H723CA60-7GD4-SJ17-2HL8-EE882DXF4W4G}	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H723CA60-7GD4-SJ17-2HL8-EE882DXF4W4G}\StubPath = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe\""	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe

Loads dropped DLL 1 IoCs

Processes:

3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe

pid process

1808 3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe

pid	process
1808	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe"	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WinApp\\GoogleUpdate.exe.lnk"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe

description	pid	process	target process
PID 1808 set thread context of 552	1808	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe

pid process

1808 3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe

description pid process

Token: SeDebugPrivilege 1808 3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe

pid	process
1808	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe

description	pid	process
Token: SeDebugPrivilege	1808	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.execmd.exe

description	pid	process	target process
PID 1808 wrote to memory of 544	1808	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe	cmd.exe
PID 1808 wrote to memory of 544	1808	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe	cmd.exe
PID 1808 wrote to memory of 544	1808	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe	cmd.exe
PID 1808 wrote to memory of 544	1808	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe	cmd.exe
PID 544 wrote to memory of 1112	544	cmd.exe	reg.exe
PID 544 wrote to memory of 1112	544	cmd.exe	reg.exe
PID 544 wrote to memory of 1112	544	cmd.exe	reg.exe
PID 544 wrote to memory of 1112	544	cmd.exe	reg.exe
PID 1808 wrote to memory of 552	1808	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe
PID 1808 wrote to memory of 552	1808	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe
PID 1808 wrote to memory of 552	1808	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe
PID 1808 wrote to memory of 552	1808	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe
PID 1808 wrote to memory of 552	1808	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe
PID 1808 wrote to memory of 552	1808	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe
PID 1808 wrote to memory of 552	1808	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe
PID 1808 wrote to memory of 552	1808	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe
PID 1808 wrote to memory of 552	1808	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe	3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe

C:\Users\Admin\AppData\Local\Temp\3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe
"C:\Users\Admin\AppData\Local\Temp\3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"
2⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "GoogleUpdate" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe.lnk"
3⤵
- Adds Run key to start application
PID:1112

C:\Users\Admin\AppData\Local\Temp\3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe
"C:\Users\Admin\AppData\Local\Temp\3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6.exe"
2⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\WinApp\GoogleUpdate.exe

Filesize
110KB

MD5
4097cecc9d744ab90952f06201687fec

SHA1
acd495700fe471ff920cfef79d60a690d472cebb

SHA256
3123f81dacea1173ae18aa0944df82d57f2465ba148216793f04ecee476304e6

SHA512
4375a51837ce76cd7f474386728e126842d3212b1f21a988f49e8f5a76ecf66e4af5a86042638f1a1a004f424c6c099c74f0e0d1c65e4015760a2eff421af329

Download Submit
memory/544-59-0x0000000000000000-mapping.dmp

Download
memory/552-62-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/552-69-0x0000000000401FEC-mapping.dmp

Download
memory/552-75-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/552-72-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/552-68-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/552-61-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/552-64-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/552-66-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1112-60-0x0000000000000000-mapping.dmp

Download
memory/1808-54-0x0000000075991000-0x0000000075993000-memory.dmp

Filesize
8KB

Download
memory/1808-57-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1808-55-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1808-73-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1808-74-0x0000000000C96000-0x0000000000CA7000-memory.dmp

Filesize
68KB

Download
memory/1808-56-0x0000000000C96000-0x0000000000CA7000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads