9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059

General

Target

9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059.exe
Size

307KB
MD5

e3cc4251a188d7bc00ded28895883604
SHA1

6036d50f20cdc1e0fd23a2889296a57e73741d5f
SHA256

9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059
SHA512

e03de47ab361f79fb3df8367e2f8bedd8eeaf7ee1a1f64d3fbf42e570884e98ab389d4e9230af1fe8ea8b2a2001d98f87bb69fd258c4fee6ee55e47f944b1599
SSDEEP

6144:9BlQ7saOC2fD0q48m6EXuKMvV8NKitvF9HYUbbF2:9BlQfl2fQqrKXtvF9f2

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

iziknbrng.exe

pid process

1672 iziknbrng.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1832 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exeiziknbrng.exe

pid process

1832 cmd.exe
1832 cmd.exe
1672 iziknbrng.exe

pid	process
1832	cmd.exe

pid	process
1832	cmd.exe
1832	cmd.exe
1672	iziknbrng.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1608 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1448 PING.EXE

pid	process
1608	taskkill.exe

pid	process
1448	PING.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

iziknbrng.exe

pid	process
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe
1672	iziknbrng.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1608 taskkill.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iziknbrng.exe

pid process

1672 iziknbrng.exe
1672 iziknbrng.exe
1672 iziknbrng.exe
1672 iziknbrng.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

iziknbrng.exe

pid process

1672 iziknbrng.exe
1672 iziknbrng.exe
1672 iziknbrng.exe
1672 iziknbrng.exe

description	pid	process
Token: SeDebugPrivilege	1608	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059.execmd.exe

description	pid	process	target process
PID 1104 wrote to memory of 1832	1104	9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059.exe	cmd.exe
PID 1104 wrote to memory of 1832	1104	9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059.exe	cmd.exe
PID 1104 wrote to memory of 1832	1104	9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059.exe	cmd.exe
PID 1104 wrote to memory of 1832	1104	9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059.exe	cmd.exe
PID 1832 wrote to memory of 1608	1832	cmd.exe	taskkill.exe
PID 1832 wrote to memory of 1608	1832	cmd.exe	taskkill.exe
PID 1832 wrote to memory of 1608	1832	cmd.exe	taskkill.exe
PID 1832 wrote to memory of 1608	1832	cmd.exe	taskkill.exe
PID 1832 wrote to memory of 1448	1832	cmd.exe	PING.EXE
PID 1832 wrote to memory of 1448	1832	cmd.exe	PING.EXE
PID 1832 wrote to memory of 1448	1832	cmd.exe	PING.EXE
PID 1832 wrote to memory of 1448	1832	cmd.exe	PING.EXE
PID 1832 wrote to memory of 1672	1832	cmd.exe	iziknbrng.exe
PID 1832 wrote to memory of 1672	1832	cmd.exe	iziknbrng.exe
PID 1832 wrote to memory of 1672	1832	cmd.exe	iziknbrng.exe
PID 1832 wrote to memory of 1672	1832	cmd.exe	iziknbrng.exe

C:\Users\Admin\AppData\Local\Temp\9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059.exe
"C:\Users\Admin\AppData\Local\Temp\9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1104 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059.exe" & start C:\Users\Admin\AppData\Local\IZIKNB~1.EXE -f
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 1104
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
3⤵
- Runs ping.exe
PID:1448

C:\Users\Admin\AppData\Local\iziknbrng.exe
C:\Users\Admin\AppData\Local\IZIKNB~1.EXE -f
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\iziknbrng.exe

Filesize
307KB

MD5
e3cc4251a188d7bc00ded28895883604

SHA1
6036d50f20cdc1e0fd23a2889296a57e73741d5f

SHA256
9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059

SHA512
e03de47ab361f79fb3df8367e2f8bedd8eeaf7ee1a1f64d3fbf42e570884e98ab389d4e9230af1fe8ea8b2a2001d98f87bb69fd258c4fee6ee55e47f944b1599

Download Submit
C:\Users\Admin\AppData\Local\iziknbrng.exe

Filesize
307KB

MD5
e3cc4251a188d7bc00ded28895883604

SHA1
6036d50f20cdc1e0fd23a2889296a57e73741d5f

SHA256
9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059

SHA512
e03de47ab361f79fb3df8367e2f8bedd8eeaf7ee1a1f64d3fbf42e570884e98ab389d4e9230af1fe8ea8b2a2001d98f87bb69fd258c4fee6ee55e47f944b1599

Download Submit
\Users\Admin\AppData\Local\iziknbrng.exe

Filesize
307KB

MD5
e3cc4251a188d7bc00ded28895883604

SHA1
6036d50f20cdc1e0fd23a2889296a57e73741d5f

SHA256
9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059

SHA512
e03de47ab361f79fb3df8367e2f8bedd8eeaf7ee1a1f64d3fbf42e570884e98ab389d4e9230af1fe8ea8b2a2001d98f87bb69fd258c4fee6ee55e47f944b1599

Download Submit
\Users\Admin\AppData\Local\iziknbrng.exe

Filesize
307KB

MD5
e3cc4251a188d7bc00ded28895883604

SHA1
6036d50f20cdc1e0fd23a2889296a57e73741d5f

SHA256
9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059

SHA512
e03de47ab361f79fb3df8367e2f8bedd8eeaf7ee1a1f64d3fbf42e570884e98ab389d4e9230af1fe8ea8b2a2001d98f87bb69fd258c4fee6ee55e47f944b1599

Download Submit
\Users\Admin\AppData\Local\iziknbrng.exe

Filesize
307KB

MD5
e3cc4251a188d7bc00ded28895883604

SHA1
6036d50f20cdc1e0fd23a2889296a57e73741d5f

SHA256
9ebde8fee95c7b1cc5043a5b51d74b3b2f3d5ca2aaa16e1b864fcc7eac4dc059

SHA512
e03de47ab361f79fb3df8367e2f8bedd8eeaf7ee1a1f64d3fbf42e570884e98ab389d4e9230af1fe8ea8b2a2001d98f87bb69fd258c4fee6ee55e47f944b1599

Download Submit
memory/1104-57-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/1104-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1104-55-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/1448-59-0x0000000000000000-mapping.dmp

Download
memory/1608-58-0x0000000000000000-mapping.dmp

Download
memory/1672-63-0x0000000000000000-mapping.dmp

Download
memory/1672-68-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/1672-69-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/1832-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads