0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b

General

Target

0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe
Size

542KB
MD5

71cdb19d4759e7e0a29701c6b4049eab
SHA1

f68856c3daf7456f9d9de83c41f1d7cbed7bfb88
SHA256

0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b
SHA512

782c5ea2063c3554b09d7a5649100cbe508b57a8012bb8e74b2bcf8d59c1ad372414303c1e5fbb13a6749e0154099adf5b992c9f36a24bba7e0a41c3d83a2bcf
SSDEEP

12288:Qmcfuqg3FMvRQ0u9AxObQWES0uRLOQ2NYgTM9kHqHxRK7ldV/G:iSMvqAQbQWWQSnjaWln

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

7763.tmpExplorer.EXE

pid process

1760 7763.tmp
1372 Explorer.EXE
Loads dropped DLL 1 IoCs

Processes:

0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe

pid process

1648 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe

pid	process
1760	7763.tmp
1372	Explorer.EXE

pid	process
1648	0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe\" /s /n /i:U shell32.dll"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe

pid process

1648 0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

cmd.exe

pid process

1484 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7763.tmp

description pid process

Token: SeDebugPrivilege 1760 7763.tmp
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE

pid	process
1648	0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe

pid	process
1484	cmd.exe

description	pid	process
Token: SeDebugPrivilege	1760	7763.tmp

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.execmd.exe7763.tmp

description	pid	process	target process
PID 1648 wrote to memory of 1484	1648	0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe	cmd.exe
PID 1648 wrote to memory of 1484	1648	0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe	cmd.exe
PID 1648 wrote to memory of 1484	1648	0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe	cmd.exe
PID 1648 wrote to memory of 1484	1648	0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe	cmd.exe
PID 1648 wrote to memory of 1484	1648	0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe	cmd.exe
PID 1648 wrote to memory of 1484	1648	0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe	cmd.exe
PID 1648 wrote to memory of 1484	1648	0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe	cmd.exe
PID 1484 wrote to memory of 864	1484	cmd.exe	reg.exe
PID 1484 wrote to memory of 864	1484	cmd.exe	reg.exe
PID 1484 wrote to memory of 864	1484	cmd.exe	reg.exe
PID 1484 wrote to memory of 864	1484	cmd.exe	reg.exe
PID 1484 wrote to memory of 624	1484	cmd.exe	reg.exe
PID 1484 wrote to memory of 624	1484	cmd.exe	reg.exe
PID 1484 wrote to memory of 624	1484	cmd.exe	reg.exe
PID 1484 wrote to memory of 624	1484	cmd.exe	reg.exe
PID 1648 wrote to memory of 1760	1648	0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe	7763.tmp
PID 1648 wrote to memory of 1760	1648	0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe	7763.tmp
PID 1648 wrote to memory of 1760	1648	0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe	7763.tmp
PID 1648 wrote to memory of 1760	1648	0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe	7763.tmp
PID 1760 wrote to memory of 1372	1760	7763.tmp	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1372

C:\Users\Admin\AppData\Local\Temp\0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe
"C:\Users\Admin\AppData\Local\Temp\0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
3⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
4⤵
- Adds Run key to start application
PID:864

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v AdobeUpdate /d "\"C:\Users\Admin\AppData\Roaming\Microsoft\0592e30015e190cbf4e1a3c5b970ddf2340b4ac92541364127c38b70055e226b.exe\" /s /n /i:U shell32.dll"
4⤵
- Adds Run key to start application
PID:624

C:\Users\Admin\AppData\Local\Temp\7763.tmp
"C:\Users\Admin\AppData\Local\Temp\7763.tmp" 1372 "C:\Users\Admin\AppData\Roaming\Microsoft\mnplays.dll"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7763.tmp
Filesize
40KB

MD5
f653b520294fb0a739d38c0e85b2aae2

SHA1
a29ef1f7b39736ee7afd3c7f3a66526c070ea12e

SHA256
66f518ccecb8e07867e7f0df5c27acaa7ab0f1b7df4f320d441fbe9247eeb27f

SHA512
9a47594d42ea63e1dc2395e021b34fb36f73aff2441c92afa8f034e1d7bf6336a2ddfc6ef4308ebece656868174f2e31394570977ebdc9b3c0ee468c9971fad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.bat
Filesize
697B

MD5
80eed3f72464a050a3ce772013c136cc

SHA1
ed1a534fd5e6428e1b26f4ae6e04594c79cff93d

SHA256
997fcefd41f125dd389dc9dee0843141e759ae5f733c2d6edb25f9f4faebff06

SHA512
34bf9db75770892e05e4c5d6f096da5f6930939b3e9dc1215506c3581c0cb6b57da2fca8b729396eef3befa1ec22124e832095436e16cf30644c2d289a7e06d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\mnplays.dll
Filesize
317KB

MD5
804a3c86c538352064eefca3429a1381

SHA1
7ddf2774b89e73bd9e45fd4e00e3691d94a43571

SHA256
e4769ba677e6b93eadf449587a2914649f5125cc258571de1f6941a12b9ae5dc

SHA512
54d4e266cd5f680b55589aaa2fbc16196e65dda6612e0ec4fbdc3c55ad0a27634d49471bba49bc6b108b4440c7fd6da284774f934bde97a8f98edc75ed8b029d

Download Submit
\Users\Admin\AppData\Local\Temp\7763.tmp
Filesize
40KB

MD5
f653b520294fb0a739d38c0e85b2aae2

SHA1
a29ef1f7b39736ee7afd3c7f3a66526c070ea12e

SHA256
66f518ccecb8e07867e7f0df5c27acaa7ab0f1b7df4f320d441fbe9247eeb27f

SHA512
9a47594d42ea63e1dc2395e021b34fb36f73aff2441c92afa8f034e1d7bf6336a2ddfc6ef4308ebece656868174f2e31394570977ebdc9b3c0ee468c9971fad4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\mnplays.dll
Filesize
317KB

MD5
804a3c86c538352064eefca3429a1381

SHA1
7ddf2774b89e73bd9e45fd4e00e3691d94a43571

SHA256
e4769ba677e6b93eadf449587a2914649f5125cc258571de1f6941a12b9ae5dc

SHA512
54d4e266cd5f680b55589aaa2fbc16196e65dda6612e0ec4fbdc3c55ad0a27634d49471bba49bc6b108b4440c7fd6da284774f934bde97a8f98edc75ed8b029d

Download Submit
memory/624-58-0x0000000000000000-mapping.dmp

Download
memory/864-57-0x0000000000000000-mapping.dmp

Download
memory/1484-55-0x0000000000000000-mapping.dmp

Download
memory/1648-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1760-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing