87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7

General

Target

87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
Size

329KB
MD5

288a4b7588e9a76eb5c5ebfeda862246
SHA1

978f19856a3498c4bf47a39698d90c3e4d2baa4c
SHA256

87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7
SHA512

86b626f2f1d7f0b68d25d1a91f6f1569630f0c7d354b5fef32640224bdc6a50ee0049c2c1fad7aed9a5d1638d346bc9e5853b22c8d6fc78cc40afe9b9588fe94
SSDEEP

6144:3xTM7GKkAvRgt5fD2ywM9r6o/AT59zMXd:NBYyfD2A9mS859YXd

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1780 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1556 netsh.exe

pid	process
1780	server.exe

pid	process
1556	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\87173d0078b7305a3dec8884347c9601 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\87173d0078b7305a3dec8884347c9601 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	1380	87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
Token: 33	1380	87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
Token: SeIncBasePriorityPrivilege	1380	87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
Token: SeDebugPrivilege	1780	server.exe
Token: 33	1780	server.exe
Token: SeIncBasePriorityPrivilege	1780	server.exe
Token: 33	1780	server.exe
Token: SeIncBasePriorityPrivilege	1780	server.exe
Token: 33	1780	server.exe
Token: SeIncBasePriorityPrivilege	1780	server.exe
Token: 33	1780	server.exe
Token: SeIncBasePriorityPrivilege	1780	server.exe
Token: 33	1780	server.exe
Token: SeIncBasePriorityPrivilege	1780	server.exe
Token: 33	1780	server.exe
Token: SeIncBasePriorityPrivilege	1780	server.exe
Token: 33	1780	server.exe
Token: SeIncBasePriorityPrivilege	1780	server.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exeserver.exe

description	pid	process	target process
PID 1380 wrote to memory of 1780	1380	87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe	server.exe
PID 1380 wrote to memory of 1780	1380	87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe	server.exe
PID 1380 wrote to memory of 1780	1380	87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe	server.exe
PID 1780 wrote to memory of 1556	1780	server.exe	netsh.exe
PID 1780 wrote to memory of 1556	1780	server.exe	netsh.exe
PID 1780 wrote to memory of 1556	1780	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe
"C:\Users\Admin\AppData\Local\Temp\87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
329KB

MD5
288a4b7588e9a76eb5c5ebfeda862246

SHA1
978f19856a3498c4bf47a39698d90c3e4d2baa4c

SHA256
87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7

SHA512
86b626f2f1d7f0b68d25d1a91f6f1569630f0c7d354b5fef32640224bdc6a50ee0049c2c1fad7aed9a5d1638d346bc9e5853b22c8d6fc78cc40afe9b9588fe94

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
329KB

MD5
288a4b7588e9a76eb5c5ebfeda862246

SHA1
978f19856a3498c4bf47a39698d90c3e4d2baa4c

SHA256
87d5c774d22c8dfadb5268e50c2ece41216513685b0561422cade08acb7cd8f7

SHA512
86b626f2f1d7f0b68d25d1a91f6f1569630f0c7d354b5fef32640224bdc6a50ee0049c2c1fad7aed9a5d1638d346bc9e5853b22c8d6fc78cc40afe9b9588fe94

Download Submit
memory/1380-54-0x000007FEF4680000-0x000007FEF50A3000-memory.dmp

Filesize
10.1MB

Download
memory/1380-55-0x000007FEF41C0000-0x000007FEF4680000-memory.dmp

Filesize
4.8MB

Download
memory/1380-56-0x000007FEF3120000-0x000007FEF41B6000-memory.dmp

Filesize
16.6MB

Download
memory/1380-57-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1556-64-0x0000000000000000-mapping.dmp

Download
memory/1780-58-0x0000000000000000-mapping.dmp

Download
memory/1780-61-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp

Filesize
10.1MB

Download
memory/1780-62-0x000007FEF4BF0000-0x000007FEF50B0000-memory.dmp

Filesize
4.8MB

Download
memory/1780-63-0x000007FEF2BB0000-0x000007FEF3C46000-memory.dmp

Filesize
16.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads