28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450

General

Target

28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe
Size

454KB
MD5

cb971ae92b1d158627d7419bba78071c
SHA1

2d9c21fad119114a5be5208aa57ba1ad9dd9fa80
SHA256

28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450
SHA512

67a7cc270d88a53af5df8748c37918f75b2e513e45b732f183d786bd11250bd83834ed263870792843b2ab45a99dc87bae1b4e2087dbe8c43e34510d852b1b7c
SSDEEP

12288:iAQDua42iKNEPnJHmCUVfgHIwG4RCyR7ILlC:GLiQEPJHjUhgoQCG7ILE

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8324D541-F8XV-DDJW-JU8V-01HO4G21E1GW}	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8324D541-F8XV-DDJW-JU8V-01HO4G21E1GW}\StubPath = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe\""	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe"	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe

description	pid	process	target process
PID 520 set thread context of 668	520	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1672 AcroRd32.exe
1672 AcroRd32.exe
1672 AcroRd32.exe
1672 AcroRd32.exe

pid	process
1672	AcroRd32.exe
1672	AcroRd32.exe
1672	AcroRd32.exe
1672	AcroRd32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe

description	pid	process	target process
PID 520 wrote to memory of 1672	520	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe	AcroRd32.exe
PID 520 wrote to memory of 1672	520	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe	AcroRd32.exe
PID 520 wrote to memory of 1672	520	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe	AcroRd32.exe
PID 520 wrote to memory of 1672	520	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe	AcroRd32.exe
PID 520 wrote to memory of 668	520	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe
PID 520 wrote to memory of 668	520	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe
PID 520 wrote to memory of 668	520	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe
PID 520 wrote to memory of 668	520	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe
PID 520 wrote to memory of 668	520	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe
PID 520 wrote to memory of 668	520	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe
PID 520 wrote to memory of 668	520	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe
PID 520 wrote to memory of 668	520	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe
PID 520 wrote to memory of 668	520	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe	28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe

C:\Users\Admin\AppData\Local\Temp\28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe
"C:\Users\Admin\AppData\Local\Temp\28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:520

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\GJILI.pdf"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1672

C:\Users\Admin\AppData\Local\Temp\28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe
"C:\Users\Admin\AppData\Local\Temp\28a5d4b6f337819a379d623de0468bc51c6423b830ef6d923f1752ce209b2450.exe"
2⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GJILI.pdf
Filesize
115KB

MD5
c0444afde80acf8d3172c92d9c8d4e3d

SHA1
ba920fc8a5be4f18942480a1658c84c8a64c80ae

SHA256
6bef10847f8d08ccf0f89aec3414acaa843366b3b2d909131b27a19e53847126

SHA512
53578e7bbfe83ebe7f89090d872e0c53a3c0098eb238db5d34be5fbd45c62c8fdd25bca8f11ac0ccd604d9b3d612f3c64cc140a5d1edfaa2f856959ba063ab13

Download Submit
memory/520-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/668-57-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/668-60-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/668-62-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/668-65-0x0000000000401FEC-mapping.dmp

Download
memory/668-64-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/668-66-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/668-68-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/668-69-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1672-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads