292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306

General

Target

292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
Size

186KB
MD5

e37df4d6ab79c1d785e4883cb2e16788
SHA1

009cbcab2c799d9d08a391861d7747bf2625da8a
SHA256

292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306
SHA512

a9eead45002a2e6643534887e2fe9ff117cb0f0f498ac8d7b0e4e4a7c524ace52bbef65c3cd700a98197279cae34924ee3bf9bd279e2882f42ab0b1c029a66c0
SSDEEP

3072:ON+fbmcn+DPc4x4wSzHQBSrhnGZq9WodVsSCPy2Ddwln5IR:c+fbV+ZxLSzzJGZ0sSyy5I

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\15549 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mszcxftv.scr"	svchost.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe

description	pid	process	target process
PID 916 set thread context of 340	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe

Drops file in Program Files directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\PROGRA~3\LOCALS~1\Temp\mszcxftv.scr svchost.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\AppLaunch.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\PROGRA~3\LOCALS~1\Temp\mszcxftv.scr	svchost.exe

description	ioc	process
File opened for modification	C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\AppLaunch.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

AppLaunch.exe292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe

pid	process
340	AppLaunch.exe
916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

AppLaunch.exe

pid process

340 AppLaunch.exe
340 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe

description pid process

Token: SeDebugPrivilege 916 292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe

description	pid	process
Token: SeDebugPrivilege	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exeAppLaunch.exe

description	pid	process	target process
PID 916 wrote to memory of 1508	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	CMD.exe
PID 916 wrote to memory of 1508	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	CMD.exe
PID 916 wrote to memory of 1508	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	CMD.exe
PID 916 wrote to memory of 1508	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	CMD.exe
PID 916 wrote to memory of 1612	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	CMD.exe
PID 916 wrote to memory of 1612	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	CMD.exe
PID 916 wrote to memory of 1612	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	CMD.exe
PID 916 wrote to memory of 1612	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	CMD.exe
PID 916 wrote to memory of 340	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe
PID 916 wrote to memory of 340	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe
PID 916 wrote to memory of 340	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe
PID 916 wrote to memory of 340	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe
PID 916 wrote to memory of 340	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe
PID 916 wrote to memory of 340	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe
PID 916 wrote to memory of 340	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe
PID 916 wrote to memory of 340	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe
PID 916 wrote to memory of 340	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe
PID 916 wrote to memory of 340	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe
PID 340 wrote to memory of 960	340	AppLaunch.exe	svchost.exe
PID 340 wrote to memory of 960	340	AppLaunch.exe	svchost.exe
PID 340 wrote to memory of 960	340	AppLaunch.exe	svchost.exe
PID 340 wrote to memory of 960	340	AppLaunch.exe	svchost.exe
PID 340 wrote to memory of 960	340	AppLaunch.exe	svchost.exe
PID 340 wrote to memory of 960	340	AppLaunch.exe	svchost.exe
PID 340 wrote to memory of 960	340	AppLaunch.exe	svchost.exe
PID 916 wrote to memory of 1972	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1972	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1972	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1972	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1164	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1164	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1164	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1164	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1212	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1212	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1212	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1212	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 276	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 276	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 276	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 276	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1648	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1648	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1648	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1648	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1768	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1768	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1768	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 916 wrote to memory of 1768	916	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
"C:\Users\Admin\AppData\Local\Temp\292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:1508

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\\AppLaunch.exe"
2⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\syswow64\svchost.exe
C:\Windows\syswow64\svchost.exe
3⤵
- Adds policy Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
PID:960

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:1972

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:1164

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:1212

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:276

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:1648

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/340-63-0x000000000040141C-mapping.dmp

Download
memory/340-59-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/340-60-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/340-62-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/916-55-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/916-56-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/916-69-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/916-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/960-65-0x0000000000000000-mapping.dmp

Download
memory/960-67-0x0000000000050000-0x0000000000058000-memory.dmp

Filesize
32KB

Download
memory/960-68-0x0000000000130000-0x0000000000135000-memory.dmp

Filesize
20KB

Download
memory/960-70-0x0000000000130000-0x0000000000135000-memory.dmp

Filesize
20KB

Download
memory/1508-57-0x0000000000000000-mapping.dmp

Download
memory/1612-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads