4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb

General

Target

4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
Size

624KB
MD5

258ede4f329b11d7bca0d1c138d56757
SHA1

bb697f049324387fb35e389077c633cbda339837
SHA256

4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb
SHA512

b87244b41bb9309d8e7dc3f7b11c939e6ef05d5fa3bdda063a613cb499d0713aea82cd64e31e5a9e79edbf715915280c79d5aa1416c7d391b1b0616885810af1
SSDEEP

6144:dVY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bco2KWz:dgDhdkq5BCoC5LfWSLTUQpr2Zu19Q3z

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe IEXPLOREi.exe"	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe

Disables Task Manager via registry modification
evasion

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4348-132-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral2/memory/4348-137-0x0000000000400000-0x000000000049D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\IEXPLOREi.exe"	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4348-132-0x0000000000400000-0x000000000049D000-memory.dmp	autoit_exe
behavioral2/memory/4348-137-0x0000000000400000-0x000000000049D000-memory.dmp	autoit_exe

Drops file in System32 directory 5 IoCs

Processes:

4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WORD.exe	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
File opened for modification	C:\Windows\SysWOW64\WORD.exe	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
File opened for modification	C:\Windows\SysWOW64\autorun.ini	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
File created	C:\Windows\SysWOW64\IEXPLOREi.exe	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
File opened for modification	C:\Windows\SysWOW64\IEXPLOREi.exe	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe

Drops file in Windows directory 2 IoCs

Processes:

4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe

description	ioc	process
File created	C:\Windows\IEXPLOREi.exe	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
File opened for modification	C:\Windows\IEXPLOREi.exe	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe

pid	process
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.execmd.execmd.exe

description	pid	process	target process
PID 4348 wrote to memory of 856	4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe	cmd.exe
PID 4348 wrote to memory of 856	4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe	cmd.exe
PID 4348 wrote to memory of 856	4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe	cmd.exe
PID 856 wrote to memory of 4156	856	cmd.exe	at.exe
PID 856 wrote to memory of 4156	856	cmd.exe	at.exe
PID 856 wrote to memory of 4156	856	cmd.exe	at.exe
PID 4348 wrote to memory of 4880	4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe	cmd.exe
PID 4348 wrote to memory of 4880	4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe	cmd.exe
PID 4348 wrote to memory of 4880	4348	4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe	cmd.exe
PID 4880 wrote to memory of 2768	4880	cmd.exe	at.exe
PID 4880 wrote to memory of 2768	4880	cmd.exe	at.exe
PID 4880 wrote to memory of 2768	4880	cmd.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe
"C:\Users\Admin\AppData\Local\Temp\4f3b70bc516eea31e7dcea41641a655a5b1b6ef110e7e57e8cf6ad9044f03dfb.exe"
1⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
2⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\at.exe
AT /delete /yes
3⤵
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\WORD.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\WORD.exe
3⤵
PID:2768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-133-0x0000000000000000-mapping.dmp

Download
memory/2768-136-0x0000000000000000-mapping.dmp

Download
memory/4156-134-0x0000000000000000-mapping.dmp

Download
memory/4348-132-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4348-137-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4880-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads