486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200

General

Target

486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
Size

68KB
MD5

e6b99d2f00e4c19a852d9d57a6f9db1d
SHA1

fd6b0c8aaf752df46f5962defc69b7b1b0b56b22
SHA256

486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200
SHA512

1489117cbc6eb89cbddd2872a2d68b05a7ebec5b8c9a520e4331ca29a0a8a6d55acb994f1c368069e259c025e00e1419da4155120ff51d7136e9813465625f41
SSDEEP

768:Wc2liTdScAl+qOQSgFrhKo//WomvdfQXwYt1IEDIefZsK:t2IxbAcqOK3qowgnt1d

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exeAdmin.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Admin.exe

Executes dropped EXE 1 IoCs

Processes:

Admin.exe

pid process

2024 Admin.exe

pid	process
2024	Admin.exe

Loads dropped DLL 2 IoCs

Processes:

486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe

pid	process
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exeAdmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Admin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	Admin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exeAdmin.exe

pid	process
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe
976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024	Admin.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exeAdmin.exe

pid process

976 486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
2024 Admin.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe

description	pid	process	target process
PID 976 wrote to memory of 2024	976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe	Admin.exe
PID 976 wrote to memory of 2024	976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe	Admin.exe
PID 976 wrote to memory of 2024	976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe	Admin.exe
PID 976 wrote to memory of 2024	976	486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe	Admin.exe

C:\Users\Admin\AppData\Local\Temp\486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe
"C:\Users\Admin\AppData\Local\Temp\486d1e8a7d0bd85c206ca8ce71fbe5314eca5cf5d8dcac41ce88e68ba8729200.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\Admin.exe
"C:\Users\Admin\Admin.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Admin.exe

Filesize
68KB

MD5
bde4c7dcbe1522667bb63f51a9e8cf48

SHA1
1aa4ca6f461fa9570f1cdc61a5c1ab67fd389280

SHA256
05c5a1d8c732a84db2c2a912d3e4bc1030bdeff2d196f216002ca1ae8993c5aa

SHA512
51fc27b79a4f438e60617cc7a3f37a3398ad449b009522f94da00c39989df02ee3a36e175642160cbccb2f55eaad5cad470e1c67e234dc9ec3cca37266efdacd

Download Submit
\Users\Admin\Admin.exe

Filesize
68KB

MD5
bde4c7dcbe1522667bb63f51a9e8cf48

SHA1
1aa4ca6f461fa9570f1cdc61a5c1ab67fd389280

SHA256
05c5a1d8c732a84db2c2a912d3e4bc1030bdeff2d196f216002ca1ae8993c5aa

SHA512
51fc27b79a4f438e60617cc7a3f37a3398ad449b009522f94da00c39989df02ee3a36e175642160cbccb2f55eaad5cad470e1c67e234dc9ec3cca37266efdacd

Download Submit
\Users\Admin\Admin.exe

Filesize
68KB

MD5
bde4c7dcbe1522667bb63f51a9e8cf48

SHA1
1aa4ca6f461fa9570f1cdc61a5c1ab67fd389280

SHA256
05c5a1d8c732a84db2c2a912d3e4bc1030bdeff2d196f216002ca1ae8993c5aa

SHA512
51fc27b79a4f438e60617cc7a3f37a3398ad449b009522f94da00c39989df02ee3a36e175642160cbccb2f55eaad5cad470e1c67e234dc9ec3cca37266efdacd

Download Submit
memory/976-54-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/976-57-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/2024-60-0x0000000000000000-mapping.dmp

Download
memory/2024-62-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads