6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80

General

Target

6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
Size

566KB
MD5

7cd871c5dae7dfee205ac811f0d461d7
SHA1

9d564accbfefafeda236574750a4dcb481e187fa
SHA256

6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80
SHA512

f3834257535c252aac281ff8633c30dd599d1718ff85b1019e4eeabf59634680f75bd077af9f5c4092c1a70e5c5ffc9bc2d9762798212f4ac385bf62327218e4
SSDEEP

6144:12Or9Pk3/JxlpKI0ByUPiV8+AsGHDY+5l+anN40ty2or87P9U3ERvYb:5JEJP0TB76uJDf5lTnqe7q3sY

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

System32.exe

pid process

1376 System32.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1268 netsh.exe

pid	process
1376	System32.exe

pid	process
1268	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

System32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\71a16e0d6a04e0ba117f99d08d98d3fc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .."	System32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\71a16e0d6a04e0ba117f99d08d98d3fc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .."	System32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exeSystem32.exe

description	pid	process
Token: SeDebugPrivilege	1680	6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
Token: 33	1680	6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
Token: SeIncBasePriorityPrivilege	1680	6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
Token: SeDebugPrivilege	1376	System32.exe
Token: 33	1376	System32.exe
Token: SeIncBasePriorityPrivilege	1376	System32.exe
Token: 33	1376	System32.exe
Token: SeIncBasePriorityPrivilege	1376	System32.exe
Token: 33	1376	System32.exe
Token: SeIncBasePriorityPrivilege	1376	System32.exe
Token: 33	1376	System32.exe
Token: SeIncBasePriorityPrivilege	1376	System32.exe
Token: 33	1376	System32.exe
Token: SeIncBasePriorityPrivilege	1376	System32.exe
Token: 33	1376	System32.exe
Token: SeIncBasePriorityPrivilege	1376	System32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exeSystem32.exe

description	pid	process	target process
PID 1680 wrote to memory of 1376	1680	6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe	System32.exe
PID 1680 wrote to memory of 1376	1680	6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe	System32.exe
PID 1680 wrote to memory of 1376	1680	6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe	System32.exe
PID 1376 wrote to memory of 1268	1376	System32.exe	netsh.exe
PID 1376 wrote to memory of 1268	1376	System32.exe	netsh.exe
PID 1376 wrote to memory of 1268	1376	System32.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe
"C:\Users\Admin\AppData\Local\Temp\6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\System32.exe
"C:\Users\Admin\AppData\Local\Temp\System32.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System32.exe" "System32.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\System32.exe
Filesize
566KB

MD5
7cd871c5dae7dfee205ac811f0d461d7

SHA1
9d564accbfefafeda236574750a4dcb481e187fa

SHA256
6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80

SHA512
f3834257535c252aac281ff8633c30dd599d1718ff85b1019e4eeabf59634680f75bd077af9f5c4092c1a70e5c5ffc9bc2d9762798212f4ac385bf62327218e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\System32.exe
Filesize
566KB

MD5
7cd871c5dae7dfee205ac811f0d461d7

SHA1
9d564accbfefafeda236574750a4dcb481e187fa

SHA256
6d5be80d083506c5e745dc043efc9f900c2a6bb22faa3ab64ca66e0f17e04b80

SHA512
f3834257535c252aac281ff8633c30dd599d1718ff85b1019e4eeabf59634680f75bd077af9f5c4092c1a70e5c5ffc9bc2d9762798212f4ac385bf62327218e4

Download Submit
memory/1268-66-0x0000000000000000-mapping.dmp

Download
memory/1376-63-0x000007FEF2980000-0x000007FEF3A16000-memory.dmp

Filesize
16.6MB

Download
memory/1376-59-0x0000000000000000-mapping.dmp

Download
memory/1376-62-0x000007FEF3A20000-0x000007FEF4443000-memory.dmp

Filesize
10.1MB

Download
memory/1376-64-0x0000000000C18000-0x0000000000C37000-memory.dmp

Filesize
124KB

Download
memory/1680-58-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download
memory/1680-57-0x0000000000C48000-0x0000000000C67000-memory.dmp

Filesize
124KB

Download
memory/1680-56-0x000007FEF2980000-0x000007FEF3A16000-memory.dmp

Filesize
16.6MB

Download
memory/1680-55-0x0000000000C48000-0x0000000000C67000-memory.dmp

Filesize
124KB

Download
memory/1680-65-0x0000000000C48000-0x0000000000C67000-memory.dmp

Filesize
124KB

Download
memory/1680-54-0x000007FEF3A20000-0x000007FEF4443000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads