0ffc29f7463d4f00957d483a4a2d1841bddad5da3d1f243c5958ef5630928666

General

Target

0ffc29f7463d4f00957d483a4a2d1841bddad5da3d1f243c5958ef5630928666.exe
Size

191KB
MD5

6f204ac7e40d82963c7c1a1449acfea2
SHA1

36ab86149523ecd1dd6210285de9777c24ab3708
SHA256

0ffc29f7463d4f00957d483a4a2d1841bddad5da3d1f243c5958ef5630928666
SHA512

efacc891f4af15024af7127dc60b2907468bfc0cec6fbbf14505bb908bb987031c475e1d61447b451035650229b4172ebf3489f6bd786c7512b073e2dd10c14d
SSDEEP

3072:jiDZW9tCFUkd8nS5JTEc5f/xk9T+bcngp2h7XRNKhBlw/3f/gbAi3:jiI9thk2S5P5f/xk9T+wngcVeBIH8Ai

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
760	Trojan.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1764	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe

Loads dropped DLL 2 IoCs

pid	Process
1504	0ffc29f7463d4f00957d483a4a2d1841bddad5da3d1f243c5958ef5630928666.exe
1504	0ffc29f7463d4f00957d483a4a2d1841bddad5da3d1f243c5958ef5630928666.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	0ffc29f7463d4f00957d483a4a2d1841bddad5da3d1f243c5958ef5630928666.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	0ffc29f7463d4f00957d483a4a2d1841bddad5da3d1f243c5958ef5630928666.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
760	Trojan.exe
760	Trojan.exe
760	Trojan.exe
760	Trojan.exe
760	Trojan.exe
760	Trojan.exe
760	Trojan.exe
760	Trojan.exe
760	Trojan.exe
760	Trojan.exe
760	Trojan.exe
760	Trojan.exe
760	Trojan.exe
760	Trojan.exe
760	Trojan.exe
760	Trojan.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	760	Trojan.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 760	1504	0ffc29f7463d4f00957d483a4a2d1841bddad5da3d1f243c5958ef5630928666.exe	26
PID 1504 wrote to memory of 760	1504	0ffc29f7463d4f00957d483a4a2d1841bddad5da3d1f243c5958ef5630928666.exe	26
PID 1504 wrote to memory of 760	1504	0ffc29f7463d4f00957d483a4a2d1841bddad5da3d1f243c5958ef5630928666.exe	26
PID 1504 wrote to memory of 760	1504	0ffc29f7463d4f00957d483a4a2d1841bddad5da3d1f243c5958ef5630928666.exe	26
PID 760 wrote to memory of 1764	760	Trojan.exe	27
PID 760 wrote to memory of 1764	760	Trojan.exe	27
PID 760 wrote to memory of 1764	760	Trojan.exe	27
PID 760 wrote to memory of 1764	760	Trojan.exe	27

C:\Users\Admin\AppData\Local\Temp\0ffc29f7463d4f00957d483a4a2d1841bddad5da3d1f243c5958ef5630928666.exe
"C:\Users\Admin\AppData\Local\Temp\0ffc29f7463d4f00957d483a4a2d1841bddad5da3d1f243c5958ef5630928666.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\Trojan.exe
  "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
191KB

MD5
6f204ac7e40d82963c7c1a1449acfea2

SHA1
36ab86149523ecd1dd6210285de9777c24ab3708

SHA256
0ffc29f7463d4f00957d483a4a2d1841bddad5da3d1f243c5958ef5630928666

SHA512
efacc891f4af15024af7127dc60b2907468bfc0cec6fbbf14505bb908bb987031c475e1d61447b451035650229b4172ebf3489f6bd786c7512b073e2dd10c14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
191KB

MD5
6f204ac7e40d82963c7c1a1449acfea2

SHA1
36ab86149523ecd1dd6210285de9777c24ab3708

SHA256
0ffc29f7463d4f00957d483a4a2d1841bddad5da3d1f243c5958ef5630928666

SHA512
efacc891f4af15024af7127dc60b2907468bfc0cec6fbbf14505bb908bb987031c475e1d61447b451035650229b4172ebf3489f6bd786c7512b073e2dd10c14d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
1KB

MD5
4137d39ed1f415808b0e0faf7d26d150

SHA1
9598afb7583206e74b2c0b46a16ca20718c9d144

SHA256
f55c5ce13a99c0813e41879a92aa05c0e2e954c171fa3617fd33ef6372afd9e8

SHA512
e389782dd6577d32bcea7c96c5db9e3eddfb98980e52f7831ed5a9089e61b196146af65eafbcce1a578861f2e6f57001a36c5ddfcc082f6a3fc47953e9254733

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
191KB

MD5
6f204ac7e40d82963c7c1a1449acfea2

SHA1
36ab86149523ecd1dd6210285de9777c24ab3708

SHA256
0ffc29f7463d4f00957d483a4a2d1841bddad5da3d1f243c5958ef5630928666

SHA512
efacc891f4af15024af7127dc60b2907468bfc0cec6fbbf14505bb908bb987031c475e1d61447b451035650229b4172ebf3489f6bd786c7512b073e2dd10c14d

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
191KB

MD5
6f204ac7e40d82963c7c1a1449acfea2

SHA1
36ab86149523ecd1dd6210285de9777c24ab3708

SHA256
0ffc29f7463d4f00957d483a4a2d1841bddad5da3d1f243c5958ef5630928666

SHA512
efacc891f4af15024af7127dc60b2907468bfc0cec6fbbf14505bb908bb987031c475e1d61447b451035650229b4172ebf3489f6bd786c7512b073e2dd10c14d

Download Submit
memory/760-63-0x0000000074C70000-0x000000007521B000-memory.dmp

Filesize
5.7MB

Download
memory/760-67-0x0000000074C70000-0x000000007521B000-memory.dmp

Filesize
5.7MB

Download
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1504-55-0x0000000074C70000-0x000000007521B000-memory.dmp

Filesize
5.7MB

Download
memory/1504-65-0x0000000074C70000-0x000000007521B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing