ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331

General

Target

ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
Size

68KB
MD5

dc9bf6257aa8cae47cbcc508e032a181
SHA1

2134837eef4edc6033e46efd2cbcf4747a7f544f
SHA256

ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331
SHA512

7984e1ecbc0173b6646cdb29deccbb598063b45a7ce65cd61a6a20b929f22c97ad91dd10d2368aba3059f08e675bd147a146681500654e026dfb81b7193defa4
SSDEEP

768:pcFliTdK61qSAl+qOQSgFrhKo//WomvdfQXwYt1IEDIefZsK:WFIxB1qSAcqOK3qowgnt1d

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exeAdmin.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Admin.exe

Executes dropped EXE 1 IoCs

Processes:

Admin.exe

pid process

1704 Admin.exe

pid	process
1704	Admin.exe

Loads dropped DLL 2 IoCs

Processes:

ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe

pid	process
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exeAdmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Admin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	Admin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exeAdmin.exe

pid	process
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704	Admin.exe
1704	Admin.exe
1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exeAdmin.exe

pid process

1672 ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
1704 Admin.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe

description	pid	process	target process
PID 1672 wrote to memory of 1704	1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe	Admin.exe
PID 1672 wrote to memory of 1704	1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe	Admin.exe
PID 1672 wrote to memory of 1704	1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe	Admin.exe
PID 1672 wrote to memory of 1704	1672	ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe	Admin.exe

C:\Users\Admin\AppData\Local\Temp\ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe
"C:\Users\Admin\AppData\Local\Temp\ef140e563684cfdaf9d4d9a36375042fa1ffee3e49abb753380ce38602f22331.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\Admin.exe
"C:\Users\Admin\Admin.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Admin.exe
Filesize
68KB

MD5
5ae66bebd73930b41a94e46438336a78

SHA1
e099c940a6f0ef22c82f82c6f0543b57a32ea489

SHA256
07ee0ad75085c171056bd4d6c029d77141d61e28845029ab3c02f056fbaf349c

SHA512
6522ff416ad95be0edb37ae2e385dde7c996788e528484761bc64c333c7884ea18451c0534eec7c9aac7fa1fe488deb6d9b15d49090a3d030d6c9054f1c816ba

Download Submit
\Users\Admin\Admin.exe
Filesize
68KB

MD5
5ae66bebd73930b41a94e46438336a78

SHA1
e099c940a6f0ef22c82f82c6f0543b57a32ea489

SHA256
07ee0ad75085c171056bd4d6c029d77141d61e28845029ab3c02f056fbaf349c

SHA512
6522ff416ad95be0edb37ae2e385dde7c996788e528484761bc64c333c7884ea18451c0534eec7c9aac7fa1fe488deb6d9b15d49090a3d030d6c9054f1c816ba

Download Submit
\Users\Admin\Admin.exe
Filesize
68KB

MD5
5ae66bebd73930b41a94e46438336a78

SHA1
e099c940a6f0ef22c82f82c6f0543b57a32ea489

SHA256
07ee0ad75085c171056bd4d6c029d77141d61e28845029ab3c02f056fbaf349c

SHA512
6522ff416ad95be0edb37ae2e385dde7c996788e528484761bc64c333c7884ea18451c0534eec7c9aac7fa1fe488deb6d9b15d49090a3d030d6c9054f1c816ba

Download Submit
memory/1672-54-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1672-57-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1704-60-0x0000000000000000-mapping.dmp

Download
memory/1704-62-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads