6678bb1cd6340ebdd5e35699213b2b4a8708878a40189133d3c65d1ab4f4d99d

General

Target

6678bb1cd6340ebdd5e35699213b2b4a8708878a40189133d3c65d1ab4f4d99d.exe
Size

1.4MB
MD5

b191192009e1bfdac9a820b17b31736b
SHA1

e63c8881ebb69563b5ea94f2361c13ec4a3d097c
SHA256

6678bb1cd6340ebdd5e35699213b2b4a8708878a40189133d3c65d1ab4f4d99d
SHA512

86b30df9ce1ebff56e893db72a1a4416f0a9da89388ac358c213d25d4dbac964f806b8e3510a75d11fad78eea2b2a25f57c706409586cd22d68d76e1459cfcad
SSDEEP

24576:7JH1l0B/1L6z3GidfogIivTYEYfJ0DtoYz33w9gW+8vlz/zZkz5PzTxLXTYDFdlG:rCr+r1ZIivTYbmB33CNP/zwPzdQRdKpZ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4904	score.exe
1644	score.exe

Loads dropped DLL 4 IoCs

pid	Process
2448	6678bb1cd6340ebdd5e35699213b2b4a8708878a40189133d3c65d1ab4f4d99d.exe
2448	6678bb1cd6340ebdd5e35699213b2b4a8708878a40189133d3c65d1ab4f4d99d.exe
2448	6678bb1cd6340ebdd5e35699213b2b4a8708878a40189133d3c65d1ab4f4d99d.exe
2448	6678bb1cd6340ebdd5e35699213b2b4a8708878a40189133d3c65d1ab4f4d99d.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\score.exe	6678bb1cd6340ebdd5e35699213b2b4a8708878a40189133d3c65d1ab4f4d99d.exe
File opened for modification	C:\Windows\score.exe	6678bb1cd6340ebdd5e35699213b2b4a8708878a40189133d3c65d1ab4f4d99d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\scores	score.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\scores\9999 = "7EFAFDD6F2F77DDD319DE17D552A90CBE47A0DCD9FF2868D420C76953D346D71040445A47BCF"	score.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\scores\0001 = "378B8AA098FF0FC640858B0957478FCE8A7F09"	score.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\scores\0002	score.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2448	6678bb1cd6340ebdd5e35699213b2b4a8708878a40189133d3c65d1ab4f4d99d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4904	score.exe
1644	score.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 4904	2448	6678bb1cd6340ebdd5e35699213b2b4a8708878a40189133d3c65d1ab4f4d99d.exe	80
PID 2448 wrote to memory of 4904	2448	6678bb1cd6340ebdd5e35699213b2b4a8708878a40189133d3c65d1ab4f4d99d.exe	80
PID 2448 wrote to memory of 4904	2448	6678bb1cd6340ebdd5e35699213b2b4a8708878a40189133d3c65d1ab4f4d99d.exe	80

C:\Users\Admin\AppData\Local\Temp\6678bb1cd6340ebdd5e35699213b2b4a8708878a40189133d3c65d1ab4f4d99d.exe
"C:\Users\Admin\AppData\Local\Temp\6678bb1cd6340ebdd5e35699213b2b4a8708878a40189133d3c65d1ab4f4d99d.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\score.exe
  C:\Windows\score.exe /install /silent
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4904

C:\Windows\score.exe
C:\Windows\score.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nseF8FD.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF8FD.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF8FD.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF8FD.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
C:\Windows\score.exe

Filesize
4.6MB

MD5
aeca5800d7bd504f5f3c909c69603668

SHA1
4a92ab00c58b2f3b722d83a2c9d39c7ebb84a01a

SHA256
1e87d788c1ccb16bc5793d089a31ce3aa0dd0df16d2f60a821c832d7aca3db35

SHA512
b707e9341ee6277794a5701f899aeb11bbb9ed6d9d738b2dd0f5e595db156eeef378a741f49a13c9c4015f755a2bda62fc642a92ce52ada24d70d7a5a536d363

Download Submit
C:\Windows\score.exe

Filesize
4.6MB

MD5
aeca5800d7bd504f5f3c909c69603668

SHA1
4a92ab00c58b2f3b722d83a2c9d39c7ebb84a01a

SHA256
1e87d788c1ccb16bc5793d089a31ce3aa0dd0df16d2f60a821c832d7aca3db35

SHA512
b707e9341ee6277794a5701f899aeb11bbb9ed6d9d738b2dd0f5e595db156eeef378a741f49a13c9c4015f755a2bda62fc642a92ce52ada24d70d7a5a536d363

Download Submit
C:\Windows\score.exe

Filesize
4.6MB

MD5
aeca5800d7bd504f5f3c909c69603668

SHA1
4a92ab00c58b2f3b722d83a2c9d39c7ebb84a01a

SHA256
1e87d788c1ccb16bc5793d089a31ce3aa0dd0df16d2f60a821c832d7aca3db35

SHA512
b707e9341ee6277794a5701f899aeb11bbb9ed6d9d738b2dd0f5e595db156eeef378a741f49a13c9c4015f755a2bda62fc642a92ce52ada24d70d7a5a536d363

Download Submit
memory/1644-143-0x00000000009C0000-0x00000000009E6000-memory.dmp

Filesize
152KB

Download
memory/1644-145-0x0000000001EB0000-0x0000000001ECE000-memory.dmp

Filesize
120KB

Download
memory/1644-144-0x0000000001E60000-0x0000000001EA7000-memory.dmp

Filesize
284KB

Download
memory/1644-142-0x0000000000D90000-0x0000000000DAF000-memory.dmp

Filesize
124KB

Download
memory/2448-140-0x0000000003030000-0x0000000003043000-memory.dmp

Filesize
76KB

Download
memory/2448-134-0x0000000006A30000-0x0000000006A43000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing