1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee

General

Target

1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe
Size

1.1MB
MD5

02daff1e68eb29b7f4bbf6cf8254478a
SHA1

5a61f408b0e6a04f30735f7aa62f023781d6a6aa
SHA256

1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee
SHA512

87c61689accd3e114d99755a55cbac2755ca820ec775626edfb164bebfc69ef07e21fe44268696bece6f612e7c30ffc411f2d620dfcc95b2e82e61a1556d5cbb
SSDEEP

24576:m4lavt0LkLL9IMixoEgeahTPUQO7LbWp/Mq9MmCS:xkwkn9IMHeaxPOTWpkaPCS

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

movie.exe

pid process

1292 movie.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1496 cmd.exe

pid	process
1496	cmd.exe

Loads dropped DLL 4 IoCs

Processes:

1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe

pid	process
2040	1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe
2040	1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe
2040	1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe
2040	1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

movie.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	movie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\movie.exe"	movie.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\movie.exe	autoit_exe
\Users\Admin\AppData\Roaming\movie.exe	autoit_exe
\Users\Admin\AppData\Roaming\movie.exe	autoit_exe
\Users\Admin\AppData\Roaming\movie.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\movie.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\movie.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

movie.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\movie.exe:Zone.Identifier:$DATA movie.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

340 PING.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\movie.exe:Zone.Identifier:$DATA	movie.exe

pid	process
340	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

movie.exe

pid	process
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe
1292	movie.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.execmd.exe

description	pid	process	target process
PID 2040 wrote to memory of 1292	2040	1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe	movie.exe
PID 2040 wrote to memory of 1292	2040	1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe	movie.exe
PID 2040 wrote to memory of 1292	2040	1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe	movie.exe
PID 2040 wrote to memory of 1292	2040	1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe	movie.exe
PID 2040 wrote to memory of 1496	2040	1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe	cmd.exe
PID 2040 wrote to memory of 1496	2040	1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe	cmd.exe
PID 2040 wrote to memory of 1496	2040	1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe	cmd.exe
PID 2040 wrote to memory of 1496	2040	1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe	cmd.exe
PID 1496 wrote to memory of 340	1496	cmd.exe	PING.EXE
PID 1496 wrote to memory of 340	1496	cmd.exe	PING.EXE
PID 1496 wrote to memory of 340	1496	cmd.exe	PING.EXE
PID 1496 wrote to memory of 340	1496	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe
"C:\Users\Admin\AppData\Local\Temp\1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Roaming\movie.exe
"C:\Users\Admin\AppData\Roaming\movie.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\scratch.bat
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\PING.EXE
ping -n 0127.0.0.1
3⤵
- Runs ping.exe
PID:340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\scratch.bat

Filesize
317B

MD5
290e6421f725ebe199c949e3760586f7

SHA1
2dc22f43ebd7d35b41198b8553d03645bc4f5c94

SHA256
5aeb23fa1135cd110438674f3c666436a2e9055e4b3d2b23bbf7ed7acf5c2408

SHA512
28431a28ce0f16a8135ecec8bcaa51951c605516b389aa5eddd8237c20b79faf40fc388ddbf7083f076ea758616ce41177ea1ba86a5969a8c9e32e40b699b455

Download Submit
C:\Users\Admin\AppData\Roaming\movie.exe

Filesize
1.1MB

MD5
02daff1e68eb29b7f4bbf6cf8254478a

SHA1
5a61f408b0e6a04f30735f7aa62f023781d6a6aa

SHA256
1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee

SHA512
87c61689accd3e114d99755a55cbac2755ca820ec775626edfb164bebfc69ef07e21fe44268696bece6f612e7c30ffc411f2d620dfcc95b2e82e61a1556d5cbb

Download Submit
C:\Users\Admin\AppData\Roaming\movie.exe

Filesize
1.1MB

MD5
02daff1e68eb29b7f4bbf6cf8254478a

SHA1
5a61f408b0e6a04f30735f7aa62f023781d6a6aa

SHA256
1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee

SHA512
87c61689accd3e114d99755a55cbac2755ca820ec775626edfb164bebfc69ef07e21fe44268696bece6f612e7c30ffc411f2d620dfcc95b2e82e61a1556d5cbb

Download Submit
\Users\Admin\AppData\Roaming\movie.exe

Filesize
1.1MB

MD5
02daff1e68eb29b7f4bbf6cf8254478a

SHA1
5a61f408b0e6a04f30735f7aa62f023781d6a6aa

SHA256
1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee

SHA512
87c61689accd3e114d99755a55cbac2755ca820ec775626edfb164bebfc69ef07e21fe44268696bece6f612e7c30ffc411f2d620dfcc95b2e82e61a1556d5cbb

Download Submit
\Users\Admin\AppData\Roaming\movie.exe

Filesize
1.1MB

MD5
02daff1e68eb29b7f4bbf6cf8254478a

SHA1
5a61f408b0e6a04f30735f7aa62f023781d6a6aa

SHA256
1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee

SHA512
87c61689accd3e114d99755a55cbac2755ca820ec775626edfb164bebfc69ef07e21fe44268696bece6f612e7c30ffc411f2d620dfcc95b2e82e61a1556d5cbb

Download Submit
\Users\Admin\AppData\Roaming\movie.exe

Filesize
1.1MB

MD5
02daff1e68eb29b7f4bbf6cf8254478a

SHA1
5a61f408b0e6a04f30735f7aa62f023781d6a6aa

SHA256
1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee

SHA512
87c61689accd3e114d99755a55cbac2755ca820ec775626edfb164bebfc69ef07e21fe44268696bece6f612e7c30ffc411f2d620dfcc95b2e82e61a1556d5cbb

Download Submit
\Users\Admin\AppData\Roaming\movie.exe

Filesize
1.1MB

MD5
02daff1e68eb29b7f4bbf6cf8254478a

SHA1
5a61f408b0e6a04f30735f7aa62f023781d6a6aa

SHA256
1239b8f51a235237132abf7dd82dc13284b56913debed7140e2cb4f80cd75aee

SHA512
87c61689accd3e114d99755a55cbac2755ca820ec775626edfb164bebfc69ef07e21fe44268696bece6f612e7c30ffc411f2d620dfcc95b2e82e61a1556d5cbb

Download Submit
memory/340-65-0x0000000000000000-mapping.dmp

Download
memory/1292-59-0x0000000000000000-mapping.dmp

Download
memory/1496-62-0x0000000000000000-mapping.dmp

Download
memory/2040-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads