3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b

General

Target

3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
Size

730KB
MD5

b849888deba833c47e824cd25adb39d6
SHA1

be8c12fb9a3fc59bb98113d5e1491c449a702a3a
SHA256

3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b
SHA512

f9d33e634fe89b286aaeefc3d424ebbcea74e74d328afca9dc99a7eb0f88880c4802eb66fe76e6c9d88db26b79390bfab35ef5d4d903112206a46bb861bfa75c
SSDEEP

12288:fH16hjKvCGe81mt5zgKGORvpeTMrq1b0hcZza+bx3yrqupt5Ye4i:/16QvC/tyiRv3Wu0x3y+atWe4i

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Chrome\\svchost.exe"	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

Executes dropped EXE 1 IoCs

Processes:

tmp.exe

pid process

4252 tmp.exe

pid	process
4252	tmp.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\szrsrixxm.exe	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\szrsrixxm.exe\DisableExceptionChainValidation	tmp.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exe3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wscript.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1063

Processes:

tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	tmp.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exetmp.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
File created	C:\ProgramData\%temp%\desktop.ini	tmp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

pid	process
3696	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
3696	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
3696	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
3696	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

Drops file in Windows directory 3 IoCs

Processes:

3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
File created	C:\Windows\assembly\Desktop.ini	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exe3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	tmp.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4268 schtasks.exe

pid	process
4268	schtasks.exe

Modifies registry class 9 IoCs

Processes:

tmp.exe3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{EE771A9B-BD01-D54A-AD22-241F13B4F2D7}\68C10857\CG1	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{EE771A9B-BD01-D54A-AD22-241F13B4F2D7}\68C10857\CS1	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{EE771A9B-BD01-D54A-AD22-241F13B4F2D7}\68C10857\CW1	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{EE771A9B-BD01-D54A-AD22-241F13B4F2D7}	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{EE771A9B-BD01-D54A-AD22-241F13B4F2D7}\68C10857	tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{EE771A9B-BD01-D54A-AD22-241F13B4F2D7}\68C10857\CG1\HAL = 05ee0000	tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{EE771A9B-BD01-D54A-AD22-241F13B4F2D7}\68C10857\CG1\BID = 2000080019000b00e60700001400000019000f00040020000000000080d98063	tmp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{EE771A9B-BD01-D54A-AD22-241F13B4F2D7}\68C10857\CW1\3696 = 88000000c80700008df10a07d8011100	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

pid	process
3696	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
3696	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

tmp.exe

pid process

4252 tmp.exe
4252 tmp.exe

pid	process
4252	tmp.exe
4252	tmp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exetmp.exe

description	pid	process
Token: SeDebugPrivilege	3696	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
Token: SeRestorePrivilege	4252	tmp.exe
Token: SeBackupPrivilege	4252	tmp.exe
Token: SeDebugPrivilege	4252	tmp.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.execmd.exewscript.exetmp.exe

description	pid	process	target process
PID 3696 wrote to memory of 2124	3696	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	cmd.exe
PID 3696 wrote to memory of 2124	3696	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	cmd.exe
PID 3696 wrote to memory of 2124	3696	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	cmd.exe
PID 2124 wrote to memory of 1928	2124	cmd.exe	wscript.exe
PID 2124 wrote to memory of 1928	2124	cmd.exe	wscript.exe
PID 2124 wrote to memory of 1928	2124	cmd.exe	wscript.exe
PID 1928 wrote to memory of 4972	1928	wscript.exe	cmd.exe
PID 1928 wrote to memory of 4972	1928	wscript.exe	cmd.exe
PID 1928 wrote to memory of 4972	1928	wscript.exe	cmd.exe
PID 3696 wrote to memory of 4252	3696	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	tmp.exe
PID 3696 wrote to memory of 4252	3696	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	tmp.exe
PID 3696 wrote to memory of 4252	3696	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	tmp.exe
PID 3696 wrote to memory of 4936	3696	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
PID 3696 wrote to memory of 4936	3696	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
PID 3696 wrote to memory of 4936	3696	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe	3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
PID 4252 wrote to memory of 4268	4252	tmp.exe	schtasks.exe
PID 4252 wrote to memory of 4268	4252	tmp.exe	schtasks.exe
PID 4252 wrote to memory of 4268	4252	tmp.exe	schtasks.exe
PID 4252 wrote to memory of 1984	4252	tmp.exe	WerFault.exe
PID 4252 wrote to memory of 1984	4252	tmp.exe	WerFault.exe
PID 4252 wrote to memory of 1984	4252	tmp.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
"C:\Users\Admin\AppData\Local\Temp\3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Chrome\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Chrome\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\Chrome\mata2.bat
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Chrome\mata2.bat" "
4⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks computer location settings
- Checks for any installed AV software in registry
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x68C10857" /TR "C:\ProgramData\%temp%\szrsrixxm.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4268

C:\Windows\SysWOW64\WerFault.exe
"C:\Windows\SysWOW64\WerFault.exe"
3⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
C:\Users\Admin\AppData\Local\Temp\3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b.exe
2⤵
PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

Security Software Discovery

1

T1063

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Chrome\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome\mata.bat
Filesize
61B

MD5
ed44f40e1fbefabb7cbecc859a8461ea

SHA1
892dd10211373a9e129bfe7c65b43cebc42aff2b

SHA256
6095898b4b78cea9529eac49129d8299d83cb0e0f309bea7cf73a11ee21df23c

SHA512
26458a2dbf59f0e39c0793389ad829d92e23a4425d3d35654dbbe3626b11812d19e584d3610b94ead43c4b77c9e938870d39042d98964f493bc65a865d65c130

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome\mata2.bat
Filesize
66B

MD5
d4dd20ff8e053047f87ea2b5d5e739ad

SHA1
3de8e132c5623ec615046f1ec0716bdbfa3a583d

SHA256
240941f0861a4f3ee3c96f46dd1da5ca8e4d4fcee51a9b8b47406f30e899a63b

SHA512
0dff8482262cce3b7a2000370556bed8bde7096853303bb9108c800bb8f69a696680954bf5aa90549d019230cd01eb63d4a34937472487667b1865900ee5960c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome\rundll11-.txt
Filesize
730KB

MD5
b849888deba833c47e824cd25adb39d6

SHA1
be8c12fb9a3fc59bb98113d5e1491c449a702a3a

SHA256
3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b

SHA512
f9d33e634fe89b286aaeefc3d424ebbcea74e74d328afca9dc99a7eb0f88880c4802eb66fe76e6c9d88db26b79390bfab35ef5d4d903112206a46bb861bfa75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome\svchost.exe
Filesize
730KB

MD5
b849888deba833c47e824cd25adb39d6

SHA1
be8c12fb9a3fc59bb98113d5e1491c449a702a3a

SHA256
3f3307a94076116299711a4913ac8a1309fac6b4254832f367258e283cfd260b

SHA512
f9d33e634fe89b286aaeefc3d424ebbcea74e74d328afca9dc99a7eb0f88880c4802eb66fe76e6c9d88db26b79390bfab35ef5d4d903112206a46bb861bfa75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
138KB

MD5
636e7211c0d5632d238fdcf439edd0b4

SHA1
0c4ca590e1ed635e3b700a715d54a1e5a2ecb590

SHA256
bc787c9c4dcc076dac3683aa88186d48282a65a0eb66af98f1e05fc121be4788

SHA512
796a18531e1cea3f589f057e9dce85dba219f2c0ce1f0ec853b18e7adc897900327a618b903ded765ee947dfea6159304fe9060906811fe73192f09fc3647b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
138KB

MD5
636e7211c0d5632d238fdcf439edd0b4

SHA1
0c4ca590e1ed635e3b700a715d54a1e5a2ecb590

SHA256
bc787c9c4dcc076dac3683aa88186d48282a65a0eb66af98f1e05fc121be4788

SHA512
796a18531e1cea3f589f057e9dce85dba219f2c0ce1f0ec853b18e7adc897900327a618b903ded765ee947dfea6159304fe9060906811fe73192f09fc3647b34

Download Submit
memory/1928-135-0x0000000000000000-mapping.dmp

Download
memory/1984-149-0x0000000000540000-0x00000000005BB000-memory.dmp

Filesize
492KB

Download
memory/1984-152-0x0000000000450000-0x00000000004C1000-memory.dmp

Filesize
452KB

Download
memory/1984-150-0x0000000000450000-0x00000000004C1000-memory.dmp

Filesize
452KB

Download
memory/1984-148-0x0000000000000000-mapping.dmp

Download
memory/2124-133-0x0000000000000000-mapping.dmp

Download
memory/3696-154-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/3696-155-0x0000000077BF0000-0x0000000077D93000-memory.dmp

Filesize
1.6MB

Download
memory/3696-132-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/3696-151-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/4252-143-0x0000000000980000-0x00000000009CB000-memory.dmp

Filesize
300KB

Download
memory/4252-146-0x0000000002420000-0x000000000242B000-memory.dmp

Filesize
44KB

Download
memory/4252-145-0x0000000000980000-0x00000000009CB000-memory.dmp

Filesize
300KB

Download
memory/4252-139-0x0000000000000000-mapping.dmp

Download
memory/4268-147-0x0000000000000000-mapping.dmp

Download
memory/4936-142-0x0000000000000000-mapping.dmp

Download
memory/4972-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads