a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d

General

Target

a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
Size

388KB
MD5

ee48923e9421a22a7ce1af204faf3495
SHA1

91e2e2894c5a291deece18edf727bff17460b267
SHA256

a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d
SHA512

f562d7ee04a8f5709ba2553a78123049130a89f33c650d0d5b824d0c009c8fab7e2c1297508ac50849c06b38574521c7dab76337134b41f1e046aa1c89c7dd1d
SSDEEP

6144:08tK5Ggk1+vOd0RneBRQALcMqB6D5B1RDHmIEaqddK:uMgk1Yd8R2MqIDz1xHmIPQg

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

System.exeSystem.exe

pid process

760 System.exe
1280 System.exe

pid	process
760	System.exe
1280	System.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

System.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Torrent = "\"C:\\windows\\System.exe\""	System.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exeSystem.exe

description	pid	process	target process
PID 2024 set thread context of 1968	2024	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 760 set thread context of 1280	760	System.exe	System.exe

Drops file in Windows directory 3 IoCs

Processes:

a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exeSystem.exe

description	ioc	process
File created	\??\c:\windows\System.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
File opened for modification	\??\c:\windows\System.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
File opened for modification	C:\windows\System.exe	System.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exeSystem.exe

pid process

2024 a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
760 System.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exeSystem.exe

pid process

2024 a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
760 System.exe

pid	process
2024	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
760	System.exe

pid	process
2024	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
760	System.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exea509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exeSystem.exe

description	pid	process	target process
PID 2024 wrote to memory of 1968	2024	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 2024 wrote to memory of 1968	2024	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 2024 wrote to memory of 1968	2024	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 2024 wrote to memory of 1968	2024	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 2024 wrote to memory of 1968	2024	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 2024 wrote to memory of 1968	2024	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 2024 wrote to memory of 1968	2024	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 2024 wrote to memory of 1968	2024	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 2024 wrote to memory of 1968	2024	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 2024 wrote to memory of 1968	2024	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 2024 wrote to memory of 1968	2024	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 1968 wrote to memory of 760	1968	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	System.exe
PID 1968 wrote to memory of 760	1968	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	System.exe
PID 1968 wrote to memory of 760	1968	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	System.exe
PID 1968 wrote to memory of 760	1968	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	System.exe
PID 760 wrote to memory of 1280	760	System.exe	System.exe
PID 760 wrote to memory of 1280	760	System.exe	System.exe
PID 760 wrote to memory of 1280	760	System.exe	System.exe
PID 760 wrote to memory of 1280	760	System.exe	System.exe
PID 760 wrote to memory of 1280	760	System.exe	System.exe
PID 760 wrote to memory of 1280	760	System.exe	System.exe
PID 760 wrote to memory of 1280	760	System.exe	System.exe
PID 760 wrote to memory of 1280	760	System.exe	System.exe
PID 760 wrote to memory of 1280	760	System.exe	System.exe
PID 760 wrote to memory of 1280	760	System.exe	System.exe
PID 760 wrote to memory of 1280	760	System.exe	System.exe

C:\Users\Admin\AppData\Local\Temp\a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
"C:\Users\Admin\AppData\Local\Temp\a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
"C:\Users\Admin\AppData\Local\Temp\a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1968

C:\windows\System.exe
"C:\windows\System.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:760

C:\windows\System.exe
"C:\windows\System.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System.exe

Filesize
388KB

MD5
ee48923e9421a22a7ce1af204faf3495

SHA1
91e2e2894c5a291deece18edf727bff17460b267

SHA256
a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d

SHA512
f562d7ee04a8f5709ba2553a78123049130a89f33c650d0d5b824d0c009c8fab7e2c1297508ac50849c06b38574521c7dab76337134b41f1e046aa1c89c7dd1d

Download Submit
C:\Windows\System.exe

Filesize
388KB

MD5
ee48923e9421a22a7ce1af204faf3495

SHA1
91e2e2894c5a291deece18edf727bff17460b267

SHA256
a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d

SHA512
f562d7ee04a8f5709ba2553a78123049130a89f33c650d0d5b824d0c009c8fab7e2c1297508ac50849c06b38574521c7dab76337134b41f1e046aa1c89c7dd1d

Download Submit
C:\windows\System.exe

Filesize
388KB

MD5
ee48923e9421a22a7ce1af204faf3495

SHA1
91e2e2894c5a291deece18edf727bff17460b267

SHA256
a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d

SHA512
f562d7ee04a8f5709ba2553a78123049130a89f33c650d0d5b824d0c009c8fab7e2c1297508ac50849c06b38574521c7dab76337134b41f1e046aa1c89c7dd1d

Download Submit
memory/760-89-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/760-71-0x0000000000000000-mapping.dmp

Download
memory/1280-94-0x00000000005E0000-0x0000000000628000-memory.dmp

Filesize
288KB

Download
memory/1280-93-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1280-92-0x00000000005E0000-0x0000000000628000-memory.dmp

Filesize
288KB

Download
memory/1280-91-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1280-86-0x00000000004071F0-mapping.dmp

Download
memory/1968-62-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1968-70-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1968-73-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1968-69-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1968-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1968-66-0x00000000004071F0-mapping.dmp

Download
memory/1968-63-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1968-61-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1968-60-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1968-58-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1968-57-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2024-68-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2024-54-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads