b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea

General

Target

b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
Size

182KB
MD5

bceb88668190427c178ea7ca11f8e878
SHA1

7e2a0ad49638f2744a7bf16c2af77a2b0177461e
SHA256

b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea
SHA512

3d98c0ea36b8f750b7404f8429e7a9d826150dbc12cfee018956e8c60a7f9587c4c8e3f59339cfbce4f1451f6c4e5057a5f03b864b4ca6ceb35560b7b3755e81
SSDEEP

3072:KQoOG/Xth9DrXJWCpWEPjAsq5dhTSnP18uVpw+83C8xvWPrVjr8vNaPTNfCiJY:KQ4/pLQGqhWVpw+8y8xv+p2aLLY

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

iexplore.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update.lnk iexplore.exe
Loads dropped DLL 2 IoCs

Processes:

b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exeiexplore.exe

pid process

1724 b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
1168 iexplore.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update.lnk	iexplore.exe

pid	process
1724	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
1168	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe

description	pid	process	target process
PID 1724 set thread context of 1020	1724	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\sccvhost.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\Microsoft\sccvhost.exe	nsis_installer_2

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exeiexplore.exeiexplore.exe

description	pid	process
Token: SeDebugPrivilege	1020	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
Token: SeDebugPrivilege	432	iexplore.exe
Token: SeDebugPrivilege	1168	iexplore.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exeb1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exeiexplore.exe

description	pid	process	target process
PID 1724 wrote to memory of 1020	1724	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 1724 wrote to memory of 1020	1724	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 1724 wrote to memory of 1020	1724	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 1724 wrote to memory of 1020	1724	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 1724 wrote to memory of 1020	1724	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 1724 wrote to memory of 1020	1724	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 1724 wrote to memory of 1020	1724	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 1724 wrote to memory of 1020	1724	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 1724 wrote to memory of 1020	1724	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 1724 wrote to memory of 1020	1724	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 1724 wrote to memory of 1020	1724	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 1724 wrote to memory of 1020	1724	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
PID 1020 wrote to memory of 432	1020	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	iexplore.exe
PID 1020 wrote to memory of 432	1020	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	iexplore.exe
PID 1020 wrote to memory of 432	1020	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	iexplore.exe
PID 1020 wrote to memory of 432	1020	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	iexplore.exe
PID 1020 wrote to memory of 432	1020	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	iexplore.exe
PID 1020 wrote to memory of 432	1020	b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe	iexplore.exe
PID 432 wrote to memory of 1168	432	iexplore.exe	iexplore.exe
PID 432 wrote to memory of 1168	432	iexplore.exe	iexplore.exe
PID 432 wrote to memory of 1168	432	iexplore.exe	iexplore.exe
PID 432 wrote to memory of 1168	432	iexplore.exe	iexplore.exe
PID 432 wrote to memory of 1168	432	iexplore.exe	iexplore.exe
PID 432 wrote to memory of 1168	432	iexplore.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
"C:\Users\Admin\AppData\Local\Temp\b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe
"C:\Users\Admin\AppData\Local\Temp\b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsu9B78.tmp\bwJbyexASCbf.dll

Filesize
118KB

MD5
bee2bc7ca85e944a77dcf8be9bd8b7e1

SHA1
561e8f534eb2da783e2aa72a678b4967d71bdf23

SHA256
2b1c9ebd08e2c2286590e20f1777b07163dfa2706f12735a9317c3423ca71bf8

SHA512
51e385786e6de3f8b432be3f9cff5709b3d059a9183314dc6f69ac8b19c0809622964471aac21f5f1a67b9fc888dc2ba9969d1e015bb4fbb93de18fb6251c90f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\sccvhost.exe

Filesize
182KB

MD5
bceb88668190427c178ea7ca11f8e878

SHA1
7e2a0ad49638f2744a7bf16c2af77a2b0177461e

SHA256
b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea

SHA512
3d98c0ea36b8f750b7404f8429e7a9d826150dbc12cfee018956e8c60a7f9587c4c8e3f59339cfbce4f1451f6c4e5057a5f03b864b4ca6ceb35560b7b3755e81

Download Submit
memory/1020-62-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1020-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1020-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1020-60-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1020-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1020-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1020-66-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1020-67-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1020-68-0x0000000000411415-mapping.dmp

Download
memory/1020-70-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1020-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-54-0x00000000763D1000-0x00000000763D3000-memory.dmp

Filesize
8KB

Download
memory/1724-56-0x0000000001D60000-0x0000000001D86000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads