2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04

General

Target

2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe
Size

370KB
MD5

564bf6e1e4b3773bb3cfdad1a42d5eed
SHA1

b3601c1eacf1a0662f0d892f07473e0045385a68
SHA256

2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04
SHA512

172e44ecb7fb114487493752bd3cd00a6eee88a041acc108493310513b3f36d274e0fbbeb28897eba5e7982ab7626d118a9f4333b493251029017d49ffe544b0
SSDEEP

6144:9/aUsuryt1achgVK4wOp95awAFRxH0z6ftuSYGyQxU:9/aUsuYachgVK4/4xu6ftutGyh

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

uninit.exe

pid process

1728 uninit.exe

pid	process
1728	uninit.exe

Loads dropped DLL 5 IoCs

Processes:

2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe

pid	process
1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe
1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe
1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe
1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe
1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pcket_x86 = "C:\\Program Files (x86)\\BaiduEx\\uninit.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\pcket_x64 = "C:\\Program Files\\BaiduEx\\uninit.exe"	regedit.exe

Drops file in Program Files directory 8 IoCs

Processes:

2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exeuninit.exe

description	ioc	process
File created	C:\Program Files (x86)\BaiduEx\uninit.dat	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe
File opened for modification	C:\Program Files (x86)\BaiduEx\uninit.dat	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe
File created	C:\Program Files (x86)\BaiduEx\BaiduLog.txt	uninit.exe
File created	C:\Program Files (x86)\BaiduEx\log.txt	uninit.exe
File opened for modification	C:\Program Files (x86)\BaiduEx	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe
File created	C:\Program Files (x86)\BaiduEx\__tmp_rar_sfx_access_check_7073100	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe
File created	C:\Program Files (x86)\BaiduEx\uninit.exe	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe
File opened for modification	C:\Program Files (x86)\BaiduEx\uninit.exe	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

1928 regedit.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

uninit.exe

pid process

1728 uninit.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

uninit.exe

description pid process

Token: SeDebugPrivilege 1728 uninit.exe

pid	process
1928	regedit.exe

pid	process
1728	uninit.exe

description	pid	process
Token: SeDebugPrivilege	1728	uninit.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe

description	pid	process	target process
PID 1996 wrote to memory of 1928	1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe	regedit.exe
PID 1996 wrote to memory of 1928	1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe	regedit.exe
PID 1996 wrote to memory of 1928	1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe	regedit.exe
PID 1996 wrote to memory of 1928	1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe	regedit.exe
PID 1996 wrote to memory of 1928	1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe	regedit.exe
PID 1996 wrote to memory of 1928	1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe	regedit.exe
PID 1996 wrote to memory of 1928	1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe	regedit.exe
PID 1996 wrote to memory of 1728	1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe	uninit.exe
PID 1996 wrote to memory of 1728	1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe	uninit.exe
PID 1996 wrote to memory of 1728	1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe	uninit.exe
PID 1996 wrote to memory of 1728	1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe	uninit.exe
PID 1996 wrote to memory of 1728	1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe	uninit.exe
PID 1996 wrote to memory of 1728	1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe	uninit.exe
PID 1996 wrote to memory of 1728	1996	2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe	uninit.exe

C:\Users\Admin\AppData\Local\Temp\2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe
"C:\Users\Admin\AppData\Local\Temp\2f3c9975236c099013608ac9852e6c3b9b5677687e28c5683c1ecae38e02bb04.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" /s uninit.dat
2⤵
- Adds Run key to start application
- Runs regedit.exe
PID:1928

C:\Program Files (x86)\BaiduEx\uninit.exe
"C:\Program Files (x86)\BaiduEx\uninit.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BaiduEx\uninit.dat

Filesize
221B

MD5
cc8f1f61ba0a0a52bf5f7ac19aea3ffd

SHA1
6a27d216431f894636adce83a93cd61ff3f651ce

SHA256
07441e131575ba491ca505d45fd138c1e6cf0bac009383141dd843f3aab52cba

SHA512
82a117545ed7d6242416d7ff5a4a711c3246e0b2954b44efab89a7a756820a0885972cd7986806b43d557620d36c88127f73346fd8363586695c64b861ba0221

Download Submit
C:\Program Files (x86)\BaiduEx\uninit.exe

Filesize
628KB

MD5
974c23a3c4014506c6a37bbc455ad9e5

SHA1
6eed0b0ef17f04acdbeda2ccccb46cf2f3b701d7

SHA256
80d05c9bcd795fdfd80c7e422f95bb5d73feb6465442f0108b95d72540aa0316

SHA512
a3cba317fc12ed762e86c7d40ec8c360703d838001b94a1b06f3b08b46e64ccfb446b3e5125a0ff11f6864f96bbc63a9b74d9710fbb292e09835de9e687923ef

Download Submit
\Program Files (x86)\BaiduEx\uninit.exe

Filesize
628KB

MD5
974c23a3c4014506c6a37bbc455ad9e5

SHA1
6eed0b0ef17f04acdbeda2ccccb46cf2f3b701d7

SHA256
80d05c9bcd795fdfd80c7e422f95bb5d73feb6465442f0108b95d72540aa0316

SHA512
a3cba317fc12ed762e86c7d40ec8c360703d838001b94a1b06f3b08b46e64ccfb446b3e5125a0ff11f6864f96bbc63a9b74d9710fbb292e09835de9e687923ef

Download Submit
\Program Files (x86)\BaiduEx\uninit.exe

Filesize
628KB

MD5
974c23a3c4014506c6a37bbc455ad9e5

SHA1
6eed0b0ef17f04acdbeda2ccccb46cf2f3b701d7

SHA256
80d05c9bcd795fdfd80c7e422f95bb5d73feb6465442f0108b95d72540aa0316

SHA512
a3cba317fc12ed762e86c7d40ec8c360703d838001b94a1b06f3b08b46e64ccfb446b3e5125a0ff11f6864f96bbc63a9b74d9710fbb292e09835de9e687923ef

Download Submit
\Program Files (x86)\BaiduEx\uninit.exe

Filesize
628KB

MD5
974c23a3c4014506c6a37bbc455ad9e5

SHA1
6eed0b0ef17f04acdbeda2ccccb46cf2f3b701d7

SHA256
80d05c9bcd795fdfd80c7e422f95bb5d73feb6465442f0108b95d72540aa0316

SHA512
a3cba317fc12ed762e86c7d40ec8c360703d838001b94a1b06f3b08b46e64ccfb446b3e5125a0ff11f6864f96bbc63a9b74d9710fbb292e09835de9e687923ef

Download Submit
\Program Files (x86)\BaiduEx\uninit.exe

Filesize
628KB

MD5
974c23a3c4014506c6a37bbc455ad9e5

SHA1
6eed0b0ef17f04acdbeda2ccccb46cf2f3b701d7

SHA256
80d05c9bcd795fdfd80c7e422f95bb5d73feb6465442f0108b95d72540aa0316

SHA512
a3cba317fc12ed762e86c7d40ec8c360703d838001b94a1b06f3b08b46e64ccfb446b3e5125a0ff11f6864f96bbc63a9b74d9710fbb292e09835de9e687923ef

Download Submit
\Program Files (x86)\BaiduEx\uninit.exe

Filesize
628KB

MD5
974c23a3c4014506c6a37bbc455ad9e5

SHA1
6eed0b0ef17f04acdbeda2ccccb46cf2f3b701d7

SHA256
80d05c9bcd795fdfd80c7e422f95bb5d73feb6465442f0108b95d72540aa0316

SHA512
a3cba317fc12ed762e86c7d40ec8c360703d838001b94a1b06f3b08b46e64ccfb446b3e5125a0ff11f6864f96bbc63a9b74d9710fbb292e09835de9e687923ef

Download Submit
memory/1728-62-0x0000000000000000-mapping.dmp

Download
memory/1928-55-0x0000000000000000-mapping.dmp

Download
memory/1996-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads