ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f

General

Target

ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
Size

533KB
MD5

3e2feb71f64528d9b1fc89e659ecbceb
SHA1

8bc722ca6e8723915025bb3b3363e7bc26c3a120
SHA256

ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f
SHA512

e28290e9d8b2795d1fa8195e3f4a9bee70cf278f30ae8197d2fd33fa631fe40878705f4f5e9df1dd17138d509ac24ed546c503fc54d253ffe8c51a345c9fcc1d
SSDEEP

12288:xCTPgrnZiJiAaMVkUet7EwBI+APu4UjQLDW:xCTPMAzVkUetVI5u4+SDW

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe, C:\\explorer.exe"	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\explorer.exe\""	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "JPEG Image"	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

inf4D2.tmpon.exe

pid process

1120 inf4D2.tmp
1216 on.exe

pid	process
1120	inf4D2.tmp
1216	on.exe

Loads dropped DLL 4 IoCs

Processes:

ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

pid	process
1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ris = "krh.exe"	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\on.exe = "C:\\Documents and Settings\\Admin\\Local Settings\\on.exe"	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

Drops desktop.ini file(s) 48 IoCs

Processes:

ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

description	ioc	process
File opened for modification	\??\m:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\v:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\y:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\c:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	C:\Documents and Settings\Admin\Application Data\Mr_CF\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\e:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\g:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\l:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\c:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\e:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\j:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\o:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\x:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\u:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\x:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\l:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\n:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\o:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\q:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\r:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\h:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\j:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\q:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\w:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\z:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\f:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\k:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\t:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\u:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\h:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\i:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\s:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\r:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\s:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\t:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	C:\Documents and Settings\Admin\Application Data\Mr_CF\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\f:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\g:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\k:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\m:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\w:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\y:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\z:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\i:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\n:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\p:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\p:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\v:\Desktop.ini	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

description	ioc	process
File opened (read-only)	\??\h:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\m:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\p:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\r:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\v:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\z:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\g:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\k:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\n:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\q:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\t:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\e:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\l:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\s:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\u:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\x:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\f:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\i:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\j:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\o:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\w:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened (read-only)	\??\y:	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

Drops autorun.inf file 1 TTPs 47 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

description	ioc	process
File created	\??\f:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\m:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\n:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\o:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\u:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\w:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\s:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\t:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\e:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\h:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\l:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\p:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\s:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\v:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\c:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\i:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\i:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\k:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\l:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\t:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	C:\Documents and Settings\Admin\Application Data\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\e:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\f:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\k:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\o:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\p:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\r:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\w:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\y:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\z:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\y:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\c:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\g:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\j:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\m:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\q:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\u:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\v:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\z:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\x:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\g:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\h:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\j:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\n:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	\??\q:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\r:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	\??\x:\Autorun.inf	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

Drops file in System32 directory 5 IoCs

Processes:

ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\msvbvm60.dll	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	C:\Windows\SysWOW64\krh.exe	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	C:\Windows\SysWOW64\krh.exe	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File created	C:\Windows\SysWOW64\Mr_CoolFace.scr	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	C:\Windows\SysWOW64\Mr_CoolFace.scr	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

Drops file in Windows directory 7 IoCs

Processes:

inf4D2.tmpab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

description	ioc	process
File opened for modification	C:\Windows\system.ini	inf4D2.tmp
File opened for modification	C:\Windows\win.ini	inf4D2.tmp
File created	C:\Windows\Negeri Serumpun Sebalai .pif .bat .com .scr .exe	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
File opened for modification	C:\Windows\pss\system.ini.backup	inf4D2.tmp
File created	C:\Windows\pss\system.ini.backup	inf4D2.tmp
File opened for modification	C:\Windows\pss\win.ini.backup	inf4D2.tmp
File created	C:\Windows\pss\win.ini.backup	inf4D2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 3 IoCs

evasion

Processes:

ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60"	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "MR_COO~1.SCR"	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

Modifies registry class 3 IoCs

Processes:

ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "JPEG Image"	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "JPEG Image"	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\ = "Princess Document"	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

pid	process
1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

pid process

1220 ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

inf4D2.tmp

description pid process

Token: SeShutdownPrivilege 1120 inf4D2.tmp
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

inf4D2.tmp

pid process

1120 inf4D2.tmp
1120 inf4D2.tmp

description	pid	process
Token: SeShutdownPrivilege	1120	inf4D2.tmp

pid	process
1120	inf4D2.tmp
1120	inf4D2.tmp

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe

description	pid	process	target process
PID 1220 wrote to memory of 1120	1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe	inf4D2.tmp
PID 1220 wrote to memory of 1120	1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe	inf4D2.tmp
PID 1220 wrote to memory of 1120	1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe	inf4D2.tmp
PID 1220 wrote to memory of 1120	1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe	inf4D2.tmp
PID 1220 wrote to memory of 1216	1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe	on.exe
PID 1220 wrote to memory of 1216	1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe	on.exe
PID 1220 wrote to memory of 1216	1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe	on.exe
PID 1220 wrote to memory of 1216	1220	ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe	on.exe

C:\Users\Admin\AppData\Local\Temp\ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe
"C:\Users\Admin\AppData\Local\Temp\ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\inf4D2.tmp
C:\Users\Admin\AppData\Local\Temp\inf4D2.tmp
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1120

C:\Documents and Settings\Admin\Local Settings\on.exe
"C:\Documents and Settings\Admin\Local Settings\on.exe"
2⤵
- Executes dropped EXE
PID:1216

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Change Default File Association

1

T1042

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\Desktop\Message For My Princess.txt
Filesize
533KB

MD5
3e2feb71f64528d9b1fc89e659ecbceb

SHA1
8bc722ca6e8723915025bb3b3363e7bc26c3a120

SHA256
ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f

SHA512
e28290e9d8b2795d1fa8195e3f4a9bee70cf278f30ae8197d2fd33fa631fe40878705f4f5e9df1dd17138d509ac24ed546c503fc54d253ffe8c51a345c9fcc1d

Download Submit
C:\Documents and Settings\Admin\Local Settings\on.exe
Filesize
533KB

MD5
3e2feb71f64528d9b1fc89e659ecbceb

SHA1
8bc722ca6e8723915025bb3b3363e7bc26c3a120

SHA256
ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f

SHA512
e28290e9d8b2795d1fa8195e3f4a9bee70cf278f30ae8197d2fd33fa631fe40878705f4f5e9df1dd17138d509ac24ed546c503fc54d253ffe8c51a345c9fcc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\inf4D2.tmp
Filesize
166KB

MD5
a81135541c9d4ebce43efa8ad31395b4

SHA1
c4e6cba41ebea2ead0278bcd80991f4e9c6c6a74

SHA256
96cf8e21b7838d8162c68825bc8c4747a4380acb672ff73423cbea3ef5590e4b

SHA512
b9dffc68a0c11535698345e1bbd58c82dc2a7a142aadd3d21c4f535eb191887340b30f93df1f484d2624b0d3aee4d0e9d52827b4a28c6e904c24d9e07115f768

Download Submit
C:\Users\Admin\AppData\Local\on.exe
Filesize
533KB

MD5
3e2feb71f64528d9b1fc89e659ecbceb

SHA1
8bc722ca6e8723915025bb3b3363e7bc26c3a120

SHA256
ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f

SHA512
e28290e9d8b2795d1fa8195e3f4a9bee70cf278f30ae8197d2fd33fa631fe40878705f4f5e9df1dd17138d509ac24ed546c503fc54d253ffe8c51a345c9fcc1d

Download Submit
\Users\Admin\AppData\Local\Temp\inf4D2.tmp
Filesize
166KB

MD5
a81135541c9d4ebce43efa8ad31395b4

SHA1
c4e6cba41ebea2ead0278bcd80991f4e9c6c6a74

SHA256
96cf8e21b7838d8162c68825bc8c4747a4380acb672ff73423cbea3ef5590e4b

SHA512
b9dffc68a0c11535698345e1bbd58c82dc2a7a142aadd3d21c4f535eb191887340b30f93df1f484d2624b0d3aee4d0e9d52827b4a28c6e904c24d9e07115f768

Download Submit
\Users\Admin\AppData\Local\Temp\inf4D2.tmp
Filesize
166KB

MD5
a81135541c9d4ebce43efa8ad31395b4

SHA1
c4e6cba41ebea2ead0278bcd80991f4e9c6c6a74

SHA256
96cf8e21b7838d8162c68825bc8c4747a4380acb672ff73423cbea3ef5590e4b

SHA512
b9dffc68a0c11535698345e1bbd58c82dc2a7a142aadd3d21c4f535eb191887340b30f93df1f484d2624b0d3aee4d0e9d52827b4a28c6e904c24d9e07115f768

Download Submit
\Users\Admin\AppData\Local\on.exe
Filesize
533KB

MD5
3e2feb71f64528d9b1fc89e659ecbceb

SHA1
8bc722ca6e8723915025bb3b3363e7bc26c3a120

SHA256
ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f

SHA512
e28290e9d8b2795d1fa8195e3f4a9bee70cf278f30ae8197d2fd33fa631fe40878705f4f5e9df1dd17138d509ac24ed546c503fc54d253ffe8c51a345c9fcc1d

Download Submit
\Users\Admin\AppData\Local\on.exe
Filesize
533KB

MD5
3e2feb71f64528d9b1fc89e659ecbceb

SHA1
8bc722ca6e8723915025bb3b3363e7bc26c3a120

SHA256
ab6c6ae71ac2ad8c6705aa842bbb689ef2cd69208294536f33fe671ed7ed390f

SHA512
e28290e9d8b2795d1fa8195e3f4a9bee70cf278f30ae8197d2fd33fa631fe40878705f4f5e9df1dd17138d509ac24ed546c503fc54d253ffe8c51a345c9fcc1d

Download Submit
memory/1120-57-0x0000000000000000-mapping.dmp

Download
memory/1216-62-0x0000000000000000-mapping.dmp

Download
memory/1220-54-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads