4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466

General

Target

4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466.exe
Size

352KB
MD5

cfd27960b1e83830d2c2cbec212760e9
SHA1

a0a85dcb5daf9c25c49f23b98ffb2ff17ea778e8
SHA256

4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466
SHA512

2e01c0e604daa19ef65ec52cc32731cb1d997ec7c7f68b92738f9e8becf0db8e75976b5ca347b9089824c4e92471a25a3b70d5190675440bcf803b50b006dd47
SSDEEP

6144:Vur7albN2G5L1kJKYBJag47Z+QiEvoI413US/85cYNNz:sr7az2agXQiEvoI4JUSQPN

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

xwflwlqlnr.exe

pid process

336 xwflwlqlnr.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2040 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exexwflwlqlnr.exe

pid process

2040 cmd.exe
2040 cmd.exe
336 xwflwlqlnr.exe

pid	process
336	xwflwlqlnr.exe

pid	process
2040	cmd.exe

pid	process
2040	cmd.exe
2040	cmd.exe
336	xwflwlqlnr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1012 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1148 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1012 taskkill.exe

pid	process
1012	taskkill.exe

pid	process
1148	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1012	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466.execmd.exe

description	pid	process	target process
PID 1308 wrote to memory of 2040	1308	4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466.exe	cmd.exe
PID 1308 wrote to memory of 2040	1308	4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466.exe	cmd.exe
PID 1308 wrote to memory of 2040	1308	4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466.exe	cmd.exe
PID 1308 wrote to memory of 2040	1308	4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466.exe	cmd.exe
PID 2040 wrote to memory of 1012	2040	cmd.exe	taskkill.exe
PID 2040 wrote to memory of 1012	2040	cmd.exe	taskkill.exe
PID 2040 wrote to memory of 1012	2040	cmd.exe	taskkill.exe
PID 2040 wrote to memory of 1012	2040	cmd.exe	taskkill.exe
PID 2040 wrote to memory of 1148	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 1148	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 1148	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 1148	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 336	2040	cmd.exe	xwflwlqlnr.exe
PID 2040 wrote to memory of 336	2040	cmd.exe	xwflwlqlnr.exe
PID 2040 wrote to memory of 336	2040	cmd.exe	xwflwlqlnr.exe
PID 2040 wrote to memory of 336	2040	cmd.exe	xwflwlqlnr.exe

C:\Users\Admin\AppData\Local\Temp\4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466.exe
"C:\Users\Admin\AppData\Local\Temp\4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1308 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466.exe" & start C:\Users\Admin\AppData\Local\XWFLWL~1.EXE -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /pid 1308
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:1148
- - C:\Users\Admin\AppData\Local\xwflwlqlnr.exe
    C:\Users\Admin\AppData\Local\XWFLWL~1.EXE -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\xwflwlqlnr.exe

Filesize
352KB

MD5
cfd27960b1e83830d2c2cbec212760e9

SHA1
a0a85dcb5daf9c25c49f23b98ffb2ff17ea778e8

SHA256
4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466

SHA512
2e01c0e604daa19ef65ec52cc32731cb1d997ec7c7f68b92738f9e8becf0db8e75976b5ca347b9089824c4e92471a25a3b70d5190675440bcf803b50b006dd47

Download Submit
C:\Users\Admin\AppData\Local\xwflwlqlnr.exe

Filesize
352KB

MD5
cfd27960b1e83830d2c2cbec212760e9

SHA1
a0a85dcb5daf9c25c49f23b98ffb2ff17ea778e8

SHA256
4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466

SHA512
2e01c0e604daa19ef65ec52cc32731cb1d997ec7c7f68b92738f9e8becf0db8e75976b5ca347b9089824c4e92471a25a3b70d5190675440bcf803b50b006dd47

Download Submit
\Users\Admin\AppData\Local\xwflwlqlnr.exe

Filesize
352KB

MD5
cfd27960b1e83830d2c2cbec212760e9

SHA1
a0a85dcb5daf9c25c49f23b98ffb2ff17ea778e8

SHA256
4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466

SHA512
2e01c0e604daa19ef65ec52cc32731cb1d997ec7c7f68b92738f9e8becf0db8e75976b5ca347b9089824c4e92471a25a3b70d5190675440bcf803b50b006dd47

Download Submit
\Users\Admin\AppData\Local\xwflwlqlnr.exe

Filesize
352KB

MD5
cfd27960b1e83830d2c2cbec212760e9

SHA1
a0a85dcb5daf9c25c49f23b98ffb2ff17ea778e8

SHA256
4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466

SHA512
2e01c0e604daa19ef65ec52cc32731cb1d997ec7c7f68b92738f9e8becf0db8e75976b5ca347b9089824c4e92471a25a3b70d5190675440bcf803b50b006dd47

Download Submit
\Users\Admin\AppData\Local\xwflwlqlnr.exe

Filesize
352KB

MD5
cfd27960b1e83830d2c2cbec212760e9

SHA1
a0a85dcb5daf9c25c49f23b98ffb2ff17ea778e8

SHA256
4852da4dbb190d3d4b331d0842d486fac5b9df9619e70fa387de579a9e428466

SHA512
2e01c0e604daa19ef65ec52cc32731cb1d997ec7c7f68b92738f9e8becf0db8e75976b5ca347b9089824c4e92471a25a3b70d5190675440bcf803b50b006dd47

Download Submit
memory/336-63-0x0000000000000000-mapping.dmp

Download
memory/336-67-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/336-68-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/1012-58-0x0000000000000000-mapping.dmp

Download
memory/1148-59-0x0000000000000000-mapping.dmp

Download
memory/1308-57-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/1308-54-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1308-55-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/2040-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing