ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22

General

Target

ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
Size

1.5MB
MD5

7bf60d7133f63980ca25123e966ad03c
SHA1

522e92c4e2062908cb82251f72b0c2b4c7822fe3
SHA256

ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22
SHA512

9f9c92c558a22cc65a8059d234daf71d888ea139b483ca89869b91e332ac25662056988d7d0adc094abaf0f63f59df5aa3fae86cda367a38e6d51d712d26c3dc
SSDEEP

24576:nKhE6f89W7LvNv3r3j+rAmYhmwkyOqROEaqqCko/g5f1jcclqKtMRy:n2E6f2ojNOrAmYhMyOnqqpo/yfJcAqjI

Score

10^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open\command	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exeddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\TiraniumCleaner = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TiraniumStartRun.exe"	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TiraniumCleaner = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TiraniumStartRun.exe"	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\TiraniumCleaner = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TiraniumStartRun.exe"	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TiraniumCleaner = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TiraniumStartRun.exe"	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open\command	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

Processes:

ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exeddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe

pid	process
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exeddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe

description	pid	process
Token: SeDebugPrivilege	836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
Token: 33	836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
Token: SeIncBasePriorityPrivilege	836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
Token: SeDebugPrivilege	1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
Token: 33	1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
Token: SeIncBasePriorityPrivilege	1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe

pid	process
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe

Suspicious use of SendNotifyMessage 10 IoCs

Processes:

ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe

pid	process
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
1948	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe

description	pid	process	target process
PID 836 wrote to memory of 1948	836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
PID 836 wrote to memory of 1948	836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
PID 836 wrote to memory of 1948	836	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe	ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe

C:\Users\Admin\AppData\Local\Temp\ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
"C:\Users\Admin\AppData\Local\Temp\ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe"
1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe
C:\Users\Admin\AppData\Local\Temp\ddb9aaecf3dfdf00cf67b5b445bfd4fda39961d50427b1e242a6d74dcf828c22.exe /yeni_restart
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SecrFoldPath.td
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ba3dqx1x-4214-q696-4361-31dfc3rtm}\prcs.dll
Filesize
22B

MD5
7de4486adaa779b694dcf6b20bc8c3a8

SHA1
cc5f830ec5a7d78830d932eaf5269997c21e1721

SHA256
a855229420c14fcad989574745e525d051de88ae74475f53845c61a1ddb21974

SHA512
c095bb2247b7ab60538cdbb4f02545dfc0f0094f90dab9e177ae47736423cbb2dc818ee4d78e4d72ab0c0e10faa30b50e1de752ead656675e130dda8ace08851

Download Submit
memory/836-54-0x0000000000840000-0x0000000000852000-memory.dmp

Filesize
72KB

Download
memory/836-55-0x000000001ACD0000-0x000000001AE56000-memory.dmp

Filesize
1.5MB

Download
memory/836-56-0x000000001B6C0000-0x000000001B834000-memory.dmp

Filesize
1.5MB

Download
memory/836-57-0x000000001B970000-0x000000001BB92000-memory.dmp

Filesize
2.1MB

Download
memory/836-58-0x000000001BB90000-0x000000001BD5A000-memory.dmp

Filesize
1.8MB

Download
memory/836-59-0x000000001B037000-0x000000001B056000-memory.dmp

Filesize
124KB

Download
memory/836-60-0x000000001B037000-0x000000001B056000-memory.dmp

Filesize
124KB

Download
memory/836-62-0x000000001B037000-0x000000001B056000-memory.dmp

Filesize
124KB

Download
memory/1948-61-0x0000000000000000-mapping.dmp

Download
memory/1948-63-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads