f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136

General

Target

f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe
Size

568KB
MD5

0eaee80c6c081e6bd04d5126467f007c
SHA1

cffb2257aab9868c7b2d71462d4cdc3ae1e55a97
SHA256

f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136
SHA512

6333efcceb377cdf557d3b4f9c5a8ec5430052f95a633786dde941f525b04750f61f511bf7c3f64ca88526b87ef68d9447e9eb9783b9956b5fe13b0f87b10bd5
SSDEEP

12288:xiQobmPYDqHinL62tFl1GwH5Gf2RwugAbYqBgROjqNOTOXZ1CHL8ifYw2td7kK:xbVYOinLnN1HGf2Jb3gRhjMxYwIIK

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

B444.tmpExplorer.EXE

pid process

1488 B444.tmp
1216 Explorer.EXE
Loads dropped DLL 1 IoCs

Processes:

f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe

pid process

1240 f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 185.107.56.195

pid	process
1488	B444.tmp
1216	Explorer.EXE

pid	process
1240	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe

description	ioc
Destination IP	185.107.56.195

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\RunUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe\" /s /n /i:U shell32.dll"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe

pid process

1240 f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

cmd.exe

pid process

1644 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

B444.tmp

description pid process

Token: SeDebugPrivilege 1488 B444.tmp

pid	process
1240	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe

pid	process
1644	cmd.exe

description	pid	process
Token: SeDebugPrivilege	1488	B444.tmp

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.execmd.exeB444.tmp

description	pid	process	target process
PID 1240 wrote to memory of 1644	1240	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe	cmd.exe
PID 1240 wrote to memory of 1644	1240	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe	cmd.exe
PID 1240 wrote to memory of 1644	1240	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe	cmd.exe
PID 1240 wrote to memory of 1644	1240	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe	cmd.exe
PID 1240 wrote to memory of 1644	1240	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe	cmd.exe
PID 1240 wrote to memory of 1644	1240	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe	cmd.exe
PID 1240 wrote to memory of 1644	1240	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe	cmd.exe
PID 1644 wrote to memory of 1608	1644	cmd.exe	reg.exe
PID 1644 wrote to memory of 1608	1644	cmd.exe	reg.exe
PID 1644 wrote to memory of 1608	1644	cmd.exe	reg.exe
PID 1644 wrote to memory of 1608	1644	cmd.exe	reg.exe
PID 1644 wrote to memory of 1636	1644	cmd.exe	reg.exe
PID 1644 wrote to memory of 1636	1644	cmd.exe	reg.exe
PID 1644 wrote to memory of 1636	1644	cmd.exe	reg.exe
PID 1644 wrote to memory of 1636	1644	cmd.exe	reg.exe
PID 1240 wrote to memory of 1488	1240	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe	B444.tmp
PID 1240 wrote to memory of 1488	1240	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe	B444.tmp
PID 1240 wrote to memory of 1488	1240	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe	B444.tmp
PID 1240 wrote to memory of 1488	1240	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe	B444.tmp
PID 1488 wrote to memory of 1216	1488	B444.tmp	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1216

C:\Users\Admin\AppData\Local\Temp\f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe
"C:\Users\Admin\AppData\Local\Temp\f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
3⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
4⤵
- Adds Run key to start application
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v RunUpdate /d "\"C:\Users\Admin\AppData\Roaming\Microsoft\f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe\" /s /n /i:U shell32.dll"
4⤵
- Adds Run key to start application
PID:1636

C:\Users\Admin\AppData\Local\Temp\B444.tmp
"C:\Users\Admin\AppData\Local\Temp\B444.tmp" 1216 "C:\Users\Admin\AppData\Roaming\Microsoft\nnutil32.dll"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B444.tmp
Filesize
40KB

MD5
bd8006863eec2250b2727c714f0edfa7

SHA1
f689dcf31b552da3007a76908a37077396cdcac2

SHA256
bd2a1a54c68469ce7026b8f07c7edfbd9799fffdc00cf0e59e60a959eb136668

SHA512
e2957c883a4f528e2edfbb56b8d74b35faafcd48af355c2dafd8ffddaaa25617f8ed4d6b231fd80950fdf8bc47e58b18158cf4575e17db8003819458fea1a21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.bat
Filesize
710B

MD5
3f377ebb87b762d0695633a650fb5372

SHA1
2f17d72d5bc864674fecd4d9432090c5b8661df5

SHA256
2ab976fb689e6ea1a7f44134894d5c8c7148cf81a32bb470939f1a7391c88f92

SHA512
f30f2257faf65f61b419d6cd97bc603301db973b002c4fdf07920576418d91a456cf2071f5cdfcf9b60ece7dea95285c3af9d04855a142a66193c3e853e5c065

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\nnutil32.dll
Filesize
334KB

MD5
64a2f934fef2bf41b1743de8e0629c82

SHA1
f1d6f9c119d7b3c10fc0cb2cb73ace75a7f5df94

SHA256
23d8699cb855a99775624de9898790a2c70144dd1bd214d48a9bb69896cc0d06

SHA512
c9302b6bc6ed9bd8930a9e6fa708489ec36f9f20037d84287123f30aa46817e0a4f6609300ab55eb2d06de9f7c2d16ebe38ee065c959e0c387135944466a1d97

Download Submit
\Users\Admin\AppData\Local\Temp\B444.tmp
Filesize
40KB

MD5
bd8006863eec2250b2727c714f0edfa7

SHA1
f689dcf31b552da3007a76908a37077396cdcac2

SHA256
bd2a1a54c68469ce7026b8f07c7edfbd9799fffdc00cf0e59e60a959eb136668

SHA512
e2957c883a4f528e2edfbb56b8d74b35faafcd48af355c2dafd8ffddaaa25617f8ed4d6b231fd80950fdf8bc47e58b18158cf4575e17db8003819458fea1a21c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\nnutil32.dll
Filesize
334KB

MD5
64a2f934fef2bf41b1743de8e0629c82

SHA1
f1d6f9c119d7b3c10fc0cb2cb73ace75a7f5df94

SHA256
23d8699cb855a99775624de9898790a2c70144dd1bd214d48a9bb69896cc0d06

SHA512
c9302b6bc6ed9bd8930a9e6fa708489ec36f9f20037d84287123f30aa46817e0a4f6609300ab55eb2d06de9f7c2d16ebe38ee065c959e0c387135944466a1d97

Download Submit
memory/1240-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1488-60-0x0000000000000000-mapping.dmp

Download
memory/1608-57-0x0000000000000000-mapping.dmp

Download
memory/1636-58-0x0000000000000000-mapping.dmp

Download
memory/1644-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing