56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46

General

Target

56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46.exe
Size

274KB
MD5

a661a3874e7141a5f6f9cc0981752449
SHA1

a006173c9fe9d474355adbaaff6b8e7fecf2c760
SHA256

56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46
SHA512

aa9ae040907572d724c3cb619ae572cf23a563fae5d1a915bf69f9a28be4d4c845382c86a13a170c9b02689f8feacfccb17eded441d2d0591b25b7e98c4e3db9
SSDEEP

6144:fsehzRF9nUUwmUWQig8Zi9OFtKQm5Z3xQSKApTohKpDe:frpnUUU5cJYB5xfKApToE

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SO.Exe

pid process

912 SO.Exe

pid	process
912	SO.Exe

Loads dropped DLL 4 IoCs

Processes:

56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46.exeSO.Exe

pid	process
1768	56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46.exe
1768	56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46.exe
912	SO.Exe
912	SO.Exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SO.Exe

pid process

912 SO.Exe

pid	process
912	SO.Exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46.exe

description	pid	process	target process
PID 1768 wrote to memory of 912	1768	56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46.exe	SO.Exe
PID 1768 wrote to memory of 912	1768	56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46.exe	SO.Exe
PID 1768 wrote to memory of 912	1768	56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46.exe	SO.Exe
PID 1768 wrote to memory of 912	1768	56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46.exe	SO.Exe
PID 1768 wrote to memory of 912	1768	56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46.exe	SO.Exe
PID 1768 wrote to memory of 912	1768	56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46.exe	SO.Exe
PID 1768 wrote to memory of 912	1768	56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46.exe	SO.Exe

C:\Users\Admin\AppData\Local\Temp\56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46.exe
"C:\Users\Admin\AppData\Local\Temp\56d0469b1e35970f215d30e87ae647f5d9a9fb6ed668082f3893a19f28033d46.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SO.Exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SO.Exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SO.Exe
Filesize
428KB

MD5
cc0b30b8c0b40b45f9724459c3287951

SHA1
e790e2d15d2d4566d10cf6c2774287b6c53b0eac

SHA256
3bf814bcef226f9f3b4f9ca353954fc424d6b9c633ac292645deb86dd1f230dd

SHA512
8a34a84c3fa4382076c6f73b3b5affb336acaf73e3e7d939ad35f8e03e0bff5d6e9fbe50d93315d9b2cdb7a16fb6690d83cef9fc38545f0e2be314ba741f59e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SO.Exe
Filesize
428KB

MD5
cc0b30b8c0b40b45f9724459c3287951

SHA1
e790e2d15d2d4566d10cf6c2774287b6c53b0eac

SHA256
3bf814bcef226f9f3b4f9ca353954fc424d6b9c633ac292645deb86dd1f230dd

SHA512
8a34a84c3fa4382076c6f73b3b5affb336acaf73e3e7d939ad35f8e03e0bff5d6e9fbe50d93315d9b2cdb7a16fb6690d83cef9fc38545f0e2be314ba741f59e2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SO.Exe
Filesize
428KB

MD5
cc0b30b8c0b40b45f9724459c3287951

SHA1
e790e2d15d2d4566d10cf6c2774287b6c53b0eac

SHA256
3bf814bcef226f9f3b4f9ca353954fc424d6b9c633ac292645deb86dd1f230dd

SHA512
8a34a84c3fa4382076c6f73b3b5affb336acaf73e3e7d939ad35f8e03e0bff5d6e9fbe50d93315d9b2cdb7a16fb6690d83cef9fc38545f0e2be314ba741f59e2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SO.Exe
Filesize
428KB

MD5
cc0b30b8c0b40b45f9724459c3287951

SHA1
e790e2d15d2d4566d10cf6c2774287b6c53b0eac

SHA256
3bf814bcef226f9f3b4f9ca353954fc424d6b9c633ac292645deb86dd1f230dd

SHA512
8a34a84c3fa4382076c6f73b3b5affb336acaf73e3e7d939ad35f8e03e0bff5d6e9fbe50d93315d9b2cdb7a16fb6690d83cef9fc38545f0e2be314ba741f59e2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SO.Exe
Filesize
428KB

MD5
cc0b30b8c0b40b45f9724459c3287951

SHA1
e790e2d15d2d4566d10cf6c2774287b6c53b0eac

SHA256
3bf814bcef226f9f3b4f9ca353954fc424d6b9c633ac292645deb86dd1f230dd

SHA512
8a34a84c3fa4382076c6f73b3b5affb336acaf73e3e7d939ad35f8e03e0bff5d6e9fbe50d93315d9b2cdb7a16fb6690d83cef9fc38545f0e2be314ba741f59e2

Download Submit
\Users\Admin\AppData\Roaming\WinAutoUpdate.Exe
Filesize
428KB

MD5
cc0b30b8c0b40b45f9724459c3287951

SHA1
e790e2d15d2d4566d10cf6c2774287b6c53b0eac

SHA256
3bf814bcef226f9f3b4f9ca353954fc424d6b9c633ac292645deb86dd1f230dd

SHA512
8a34a84c3fa4382076c6f73b3b5affb336acaf73e3e7d939ad35f8e03e0bff5d6e9fbe50d93315d9b2cdb7a16fb6690d83cef9fc38545f0e2be314ba741f59e2

Download Submit
memory/912-57-0x0000000000000000-mapping.dmp

Download
memory/1768-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads