08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682

General

Target

08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe
Size

1.3MB
MD5

13f7cabdf07a9e010d1f082ca2a37c98
SHA1

50c92a159e14ebba8881f2b84614fbd600c221d0
SHA256

08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682
SHA512

de83d7b23114fb97fff88a3c5b2084985a978b161345b38bbe36e43fd2aca8f21aa1c8d5b6f71aed49a4aa27c48c6f53fe22eb1ab9008ffc2f84d584ac812c7b
SSDEEP

24576:PNBItMyxM0iQJB7ZcuC2rzb6yvGjUIhqZWhK9gsk5ZKifEzu6WEzRvSYSo:4Y0iQJUZuieIhqZWhKCskKiMzbnl7So

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

winds.exe

pid process

560 winds.exe

pid	process
560	winds.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\dnhehsk = "\"C:\\winds.exe\""	regedit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

808 regedit.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

winds.exe

pid process

560 winds.exe

pid	process
808	regedit.exe

pid	process
560	winds.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe

description	pid	process	target process
PID 1724 wrote to memory of 560	1724	08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe	winds.exe
PID 1724 wrote to memory of 560	1724	08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe	winds.exe
PID 1724 wrote to memory of 560	1724	08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe	winds.exe
PID 1724 wrote to memory of 560	1724	08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe	winds.exe
PID 1724 wrote to memory of 560	1724	08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe	winds.exe
PID 1724 wrote to memory of 560	1724	08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe	winds.exe
PID 1724 wrote to memory of 560	1724	08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe	winds.exe
PID 1724 wrote to memory of 808	1724	08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe	regedit.exe
PID 1724 wrote to memory of 808	1724	08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe	regedit.exe
PID 1724 wrote to memory of 808	1724	08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe	regedit.exe
PID 1724 wrote to memory of 808	1724	08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe	regedit.exe
PID 1724 wrote to memory of 808	1724	08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe	regedit.exe
PID 1724 wrote to memory of 808	1724	08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe	regedit.exe
PID 1724 wrote to memory of 808	1724	08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe	regedit.exe

C:\Users\Admin\AppData\Local\Temp\08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe
"C:\Users\Admin\AppData\Local\Temp\08c44f7fee27b3afcb79c2d489aacf33b841c8b7aa521906f98bb8f838ead682.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\winds.exe
"C:\winds.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:560

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" /s C:\pig.Reg
2⤵
- Adds Run key to start application
- Runs .reg file with regedit
PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\pig.reg

Filesize
134B

MD5
215e37258fb5a2a471ee2fcef406b679

SHA1
bb19f94e4dc0292faf7b63be1ff90ee56f85c6c3

SHA256
67e07594c109e7f0a332ee4f4b52f55373de5484d8977d324a24a4d1b6cde3b3

SHA512
32832e635066b1d7d1f6576068c2134377ecedfc0928525984b91b54dfae704f444462b28194fabf3c66f1f96e3d4527b85c015e34cb415c473227c6ed53ece3

Download Submit
C:\winds.exe

Filesize
1.9MB

MD5
8cf0763e27396bfc49cc9a6d699bf104

SHA1
83bb3e1a2436b9b561611477674ac451c56d16fb

SHA256
55bc36816a0c727ea45d91486cef91137b0e401cdca79af20540a4d6ef524b6b

SHA512
4695d680c8fbf2f398d8ca94cd2cc3f29b3f26cf312df609aba75b02c69b75ae57bb50e00157ad5cb4e2c4f2dbff1dad9a66d70eab4e864f406244e7410ec986

Download Submit
\??\c:\textox

Filesize
191B

MD5
674a45025ac7cdf43e896b85b37a9a02

SHA1
a4aa054fa13084b49fcce9ca9291031ba40c69d8

SHA256
52249f299e58d34a28d450da877624e0aec2634441d79722f8ff685e7725335e

SHA512
1f7a225b17a2f273cc9427c1c92cc08105d37d6a907295c249da67857f8a8f37412190046ee833994fcf86bddaebcab5b853f62ad040f49c046716fbfb88159b

Download Submit
memory/560-55-0x0000000000000000-mapping.dmp

Download
memory/808-58-0x0000000000000000-mapping.dmp

Download
memory/1724-54-0x00000000757B1000-0x00000000757B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing