d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0

General

Target

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe
Size

120KB
MD5

51f86c354e4ab979d95fecb94d3b0b70
SHA1

d1179bc4eda4552d3f45a33e9de961ce557eeefe
SHA256

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0
SHA512

b3f89b2c5b740733808432edb6f63b7424a968a0537fcaa7d207326cce8214ecce29ed384b65303ab2dc06118459a750f0229b09a1a4a4667bebad57abde1f41
SSDEEP

3072:9rGsyN4JR+uvNs1z2ty21H3rZYi91DbVNKvUb:9YOys3rCinDZF

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe

Executes dropped EXE 1 IoCs

Processes:

aleephoMsdtcVS.exe

pid process

1508 aleephoMsdtcVS.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1660 netsh.exe
2008 netsh.exe
Loads dropped DLL 1 IoCs

Processes:

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe

pid process

1404 d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe

pid	process
1508	aleephoMsdtcVS.exe

pid	process
1660	netsh.exe
2008	netsh.exe

pid	process
1404	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\aleephoMsdtcVS = "C:\\ProgramData\\e015724145fa328f840ff71950e4e97e\\aleephoMsdtcVS.exe"	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 bot.whatismyipaddress.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exealeephoMsdtcVS.exe

pid process

1404 d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe
1508 aleephoMsdtcVS.exe

flow	ioc
5	bot.whatismyipaddress.com

pid	process
1404	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe
1508	aleephoMsdtcVS.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exealeephoMsdtcVS.exe

description	pid	process
Token: SeDebugPrivilege	1404	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe
Token: SeDebugPrivilege	1404	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe
Token: SeDebugPrivilege	1404	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe
Token: SeDebugPrivilege	1508	aleephoMsdtcVS.exe
Token: SeDebugPrivilege	1508	aleephoMsdtcVS.exe
Token: SeDebugPrivilege	1508	aleephoMsdtcVS.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exealeephoMsdtcVS.exe

description	pid	process	target process
PID 1404 wrote to memory of 1660	1404	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe	netsh.exe
PID 1404 wrote to memory of 1660	1404	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe	netsh.exe
PID 1404 wrote to memory of 1660	1404	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe	netsh.exe
PID 1404 wrote to memory of 1660	1404	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe	netsh.exe
PID 1404 wrote to memory of 1508	1404	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe	aleephoMsdtcVS.exe
PID 1404 wrote to memory of 1508	1404	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe	aleephoMsdtcVS.exe
PID 1404 wrote to memory of 1508	1404	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe	aleephoMsdtcVS.exe
PID 1404 wrote to memory of 1508	1404	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe	aleephoMsdtcVS.exe
PID 1508 wrote to memory of 2008	1508	aleephoMsdtcVS.exe	netsh.exe
PID 1508 wrote to memory of 2008	1508	aleephoMsdtcVS.exe	netsh.exe
PID 1508 wrote to memory of 2008	1508	aleephoMsdtcVS.exe	netsh.exe
PID 1508 wrote to memory of 2008	1508	aleephoMsdtcVS.exe	netsh.exe
PID 1508 wrote to memory of 1172	1508	aleephoMsdtcVS.exe	WScript.exe
PID 1508 wrote to memory of 1172	1508	aleephoMsdtcVS.exe	WScript.exe
PID 1508 wrote to memory of 1172	1508	aleephoMsdtcVS.exe	WScript.exe
PID 1508 wrote to memory of 1172	1508	aleephoMsdtcVS.exe	WScript.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe

C:\Users\Admin\AppData\Local\Temp\d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe
"C:\Users\Admin\AppData\Local\Temp\d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1404

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
2⤵
- Modifies Windows Firewall
PID:1660

C:\ProgramData\e015724145fa328f840ff71950e4e97e\aleephoMsdtcVS.exe
"C:\ProgramData\e015724145fa328f840ff71950e4e97e\aleephoMsdtcVS.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
3⤵
- Modifies Windows Firewall
PID:2008

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\rnbtSjL.vbs"
3⤵
PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\.{7e16feb9-fead-31b3-a3bc-d6c2a2e1225e}\7e16feb9fead31b3a3bcd6c2a2e1225e

Filesize
43B

MD5
170921e81faf07e5152c2155dc418efa

SHA1
6c8e64b4f21ccb5023fcc4201edb8f6496e682af

SHA256
c1c7885cf4f0c0a1ef7431199406cd286fea6d11fb4eedb3bb1debf29794c459

SHA512
72365d393945af2cbd5dc2f7962eef04b5fe7762a8152f0a2887078591993df1d5b2a7b0bda3eb7451498ae3c8aa2f944cd1a36c2f0d77b7be914c85af30db30

Download Submit
C:\ProgramData\e015724145fa328f840ff71950e4e97e\aleephoMsdtcVS.exe

Filesize
120KB

MD5
51f86c354e4ab979d95fecb94d3b0b70

SHA1
d1179bc4eda4552d3f45a33e9de961ce557eeefe

SHA256
d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0

SHA512
b3f89b2c5b740733808432edb6f63b7424a968a0537fcaa7d207326cce8214ecce29ed384b65303ab2dc06118459a750f0229b09a1a4a4667bebad57abde1f41

Download Submit
C:\ProgramData\e015724145fa328f840ff71950e4e97e\aleephoMsdtcVS.exe

Filesize
120KB

MD5
51f86c354e4ab979d95fecb94d3b0b70

SHA1
d1179bc4eda4552d3f45a33e9de961ce557eeefe

SHA256
d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0

SHA512
b3f89b2c5b740733808432edb6f63b7424a968a0537fcaa7d207326cce8214ecce29ed384b65303ab2dc06118459a750f0229b09a1a4a4667bebad57abde1f41

Download Submit
C:\ProgramData\rnbtSjL.vbs

Filesize
689B

MD5
ccff19c479cbd1616ef6c8ecea8bd934

SHA1
061a26e96ad8f32fae4a4313dd79fd3d49c1bc9b

SHA256
581bef25a8ddc1ab8c7a287147e0b61019b4d8ea68060f0df12e314ceb34ceec

SHA512
63e978f70638d014396eae874ac90998ef6dac49970090772a8228649a965246fe915c67428c9211a134ad2054e111d84985e7c98582e373e04f6c75a5f7c354

Download Submit
\ProgramData\e015724145fa328f840ff71950e4e97e\aleephoMsdtcVS.exe

Filesize
120KB

MD5
51f86c354e4ab979d95fecb94d3b0b70

SHA1
d1179bc4eda4552d3f45a33e9de961ce557eeefe

SHA256
d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0

SHA512
b3f89b2c5b740733808432edb6f63b7424a968a0537fcaa7d207326cce8214ecce29ed384b65303ab2dc06118459a750f0229b09a1a4a4667bebad57abde1f41

Download Submit
memory/1172-68-0x0000000000000000-mapping.dmp

Download
memory/1404-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1404-63-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1404-56-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-59-0x0000000000000000-mapping.dmp

Download
memory/1508-67-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-71-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1660-55-0x0000000000000000-mapping.dmp

Download
memory/2008-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads