d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0

General

Target

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe
Size

120KB
MD5

51f86c354e4ab979d95fecb94d3b0b70
SHA1

d1179bc4eda4552d3f45a33e9de961ce557eeefe
SHA256

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0
SHA512

b3f89b2c5b740733808432edb6f63b7424a968a0537fcaa7d207326cce8214ecce29ed384b65303ab2dc06118459a750f0229b09a1a4a4667bebad57abde1f41
SSDEEP

3072:9rGsyN4JR+uvNs1z2ty21H3rZYi91DbVNKvUb:9YOys3rCinDZF

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe

Executes dropped EXE 1 IoCs

Processes:

tmsspUse.exe

pid process

940 tmsspUse.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1168 netsh.exe
4836 netsh.exe

pid	process
940	tmsspUse.exe

pid	process
1168	netsh.exe
4836	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exetmsspUse.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmsspUse.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmsspUse = "C:\\ProgramData\\e015724145fa328f840ff71950e4e97e\\tmsspUse.exe"	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 bot.whatismyipaddress.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

tmsspUse.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings tmsspUse.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exetmsspUse.exe

pid process

1568 d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe
940 tmsspUse.exe

flow	ioc
6	bot.whatismyipaddress.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	tmsspUse.exe

pid	process
1568	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe
940	tmsspUse.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exetmsspUse.exe

description	pid	process
Token: SeDebugPrivilege	1568	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe
Token: SeDebugPrivilege	1568	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe
Token: SeDebugPrivilege	1568	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe
Token: SeDebugPrivilege	940	tmsspUse.exe
Token: SeDebugPrivilege	940	tmsspUse.exe
Token: SeDebugPrivilege	940	tmsspUse.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exetmsspUse.exe

description	pid	process	target process
PID 1568 wrote to memory of 1168	1568	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe	netsh.exe
PID 1568 wrote to memory of 1168	1568	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe	netsh.exe
PID 1568 wrote to memory of 1168	1568	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe	netsh.exe
PID 1568 wrote to memory of 940	1568	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe	tmsspUse.exe
PID 1568 wrote to memory of 940	1568	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe	tmsspUse.exe
PID 1568 wrote to memory of 940	1568	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe	tmsspUse.exe
PID 940 wrote to memory of 4836	940	tmsspUse.exe	netsh.exe
PID 940 wrote to memory of 4836	940	tmsspUse.exe	netsh.exe
PID 940 wrote to memory of 4836	940	tmsspUse.exe	netsh.exe
PID 940 wrote to memory of 1740	940	tmsspUse.exe	WScript.exe
PID 940 wrote to memory of 1740	940	tmsspUse.exe	WScript.exe
PID 940 wrote to memory of 1740	940	tmsspUse.exe	WScript.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe

C:\Users\Admin\AppData\Local\Temp\d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe
"C:\Users\Admin\AppData\Local\Temp\d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1568

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
2⤵
- Modifies Windows Firewall
PID:1168

C:\ProgramData\e015724145fa328f840ff71950e4e97e\tmsspUse.exe
"C:\ProgramData\e015724145fa328f840ff71950e4e97e\tmsspUse.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" Firewall set opmode disable
3⤵
- Modifies Windows Firewall
PID:4836

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\cihJsSW.vbs"
3⤵
PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\.{7e16feb9-fead-31b3-a3bc-d6c2a2e1225e}\7e16feb9fead31b3a3bcd6c2a2e1225e

Filesize
43B

MD5
a8cec84ea0ac4bb9b26c649e9e7b635d

SHA1
84b4a6f48e27eeeaaf23c9abfa5d512921f744ee

SHA256
d099ee8e6cec41525d2930f09a27fe7af671ac41e4ecded04be94bd213253a9b

SHA512
05ba46c1d53b20d799f4ae632690d9a2438eb5f15a7d6bbc2fc1d74539e3916be839420d89a1c85e07babbb565709bdb2851989ec6872c4ddea0e9f947c71008

Download Submit
C:\ProgramData\cihJsSW.vbs

Filesize
682B

MD5
72be9773359848c6243acb0a3266f044

SHA1
69512fdbd8d7ab605c3ec269b329b144afbb4f4d

SHA256
ce63603c45e928404c750c4eeea81d5fd706404029dd59aeb4cf14ed9d2588db

SHA512
917692a7ef87c7711ce611dcb05a9998aaab1dbdf276fdcb0ace8ddd4fb627f4ee1a6b3e76863fd7e77e6be5364b226e8be38544bae2edec3ef3f8010d895bcd

Download Submit
C:\ProgramData\e015724145fa328f840ff71950e4e97e\tmsspUse.exe

Filesize
120KB

MD5
51f86c354e4ab979d95fecb94d3b0b70

SHA1
d1179bc4eda4552d3f45a33e9de961ce557eeefe

SHA256
d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0

SHA512
b3f89b2c5b740733808432edb6f63b7424a968a0537fcaa7d207326cce8214ecce29ed384b65303ab2dc06118459a750f0229b09a1a4a4667bebad57abde1f41

Download Submit
C:\ProgramData\e015724145fa328f840ff71950e4e97e\tmsspUse.exe

Filesize
120KB

MD5
51f86c354e4ab979d95fecb94d3b0b70

SHA1
d1179bc4eda4552d3f45a33e9de961ce557eeefe

SHA256
d7ce5a6c2d6075a801a4af765dc3e528cf371dc3b05aae249ba3d2433ec5bbd0

SHA512
b3f89b2c5b740733808432edb6f63b7424a968a0537fcaa7d207326cce8214ecce29ed384b65303ab2dc06118459a750f0229b09a1a4a4667bebad57abde1f41

Download Submit
memory/940-140-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/940-144-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/940-135-0x0000000000000000-mapping.dmp

Download
memory/1168-134-0x0000000000000000-mapping.dmp

Download
memory/1568-138-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1568-132-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1568-133-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/1740-142-0x0000000000000000-mapping.dmp

Download
memory/4836-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads