81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40

General

Target

81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40.exe
Size

299KB
MD5

92170476df42a42bcb8757428c29e12b
SHA1

55cf5da615168ffc05a10b22451470238d77da75
SHA256

81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40
SHA512

98358202511c926784580fea90c49470c71511a2b4e7e27c67cb7046a3aa97f0f4de4f977500b38b81d4fe22437285cdeb5ce4cdacc01657450ae719558fa71e
SSDEEP

6144:i39X9aX84E+Uguvgf4PGs6518/H4bkF5ZxXzQI03rYQs3INDRV:Igs9rgeG4N6SFFDQT7YfINDRV

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

xmmslvcvjh.exe

pid process

1488 xmmslvcvjh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1520 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exexmmslvcvjh.exe

pid process

1520 cmd.exe
1520 cmd.exe
1488 xmmslvcvjh.exe

pid	process
1520	cmd.exe

pid	process
1520	cmd.exe
1520	cmd.exe
1488	xmmslvcvjh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

668 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1484 PING.EXE

pid	process
668	taskkill.exe

pid	process
1484	PING.EXE

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

xmmslvcvjh.exe

pid	process
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe
1488	xmmslvcvjh.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 668 taskkill.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

xmmslvcvjh.exe

pid process

1488 xmmslvcvjh.exe
1488 xmmslvcvjh.exe
1488 xmmslvcvjh.exe
1488 xmmslvcvjh.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

xmmslvcvjh.exe

pid process

1488 xmmslvcvjh.exe
1488 xmmslvcvjh.exe
1488 xmmslvcvjh.exe
1488 xmmslvcvjh.exe

description	pid	process
Token: SeDebugPrivilege	668	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40.execmd.exe

description	pid	process	target process
PID 1752 wrote to memory of 1520	1752	81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40.exe	cmd.exe
PID 1752 wrote to memory of 1520	1752	81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40.exe	cmd.exe
PID 1752 wrote to memory of 1520	1752	81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40.exe	cmd.exe
PID 1752 wrote to memory of 1520	1752	81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40.exe	cmd.exe
PID 1520 wrote to memory of 668	1520	cmd.exe	taskkill.exe
PID 1520 wrote to memory of 668	1520	cmd.exe	taskkill.exe
PID 1520 wrote to memory of 668	1520	cmd.exe	taskkill.exe
PID 1520 wrote to memory of 668	1520	cmd.exe	taskkill.exe
PID 1520 wrote to memory of 1484	1520	cmd.exe	PING.EXE
PID 1520 wrote to memory of 1484	1520	cmd.exe	PING.EXE
PID 1520 wrote to memory of 1484	1520	cmd.exe	PING.EXE
PID 1520 wrote to memory of 1484	1520	cmd.exe	PING.EXE
PID 1520 wrote to memory of 1488	1520	cmd.exe	xmmslvcvjh.exe
PID 1520 wrote to memory of 1488	1520	cmd.exe	xmmslvcvjh.exe
PID 1520 wrote to memory of 1488	1520	cmd.exe	xmmslvcvjh.exe
PID 1520 wrote to memory of 1488	1520	cmd.exe	xmmslvcvjh.exe

C:\Users\Admin\AppData\Local\Temp\81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40.exe
"C:\Users\Admin\AppData\Local\Temp\81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1752 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40.exe" & start C:\Users\Admin\AppData\Local\XMMSLV~1.EXE -f
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 1752
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
3⤵
- Runs ping.exe
PID:1484

C:\Users\Admin\AppData\Local\xmmslvcvjh.exe
C:\Users\Admin\AppData\Local\XMMSLV~1.EXE -f
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1488

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\xmmslvcvjh.exe
Filesize
299KB

MD5
92170476df42a42bcb8757428c29e12b

SHA1
55cf5da615168ffc05a10b22451470238d77da75

SHA256
81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40

SHA512
98358202511c926784580fea90c49470c71511a2b4e7e27c67cb7046a3aa97f0f4de4f977500b38b81d4fe22437285cdeb5ce4cdacc01657450ae719558fa71e

Download Submit
C:\Users\Admin\AppData\Local\xmmslvcvjh.exe
Filesize
299KB

MD5
92170476df42a42bcb8757428c29e12b

SHA1
55cf5da615168ffc05a10b22451470238d77da75

SHA256
81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40

SHA512
98358202511c926784580fea90c49470c71511a2b4e7e27c67cb7046a3aa97f0f4de4f977500b38b81d4fe22437285cdeb5ce4cdacc01657450ae719558fa71e

Download Submit
\Users\Admin\AppData\Local\xmmslvcvjh.exe
Filesize
299KB

MD5
92170476df42a42bcb8757428c29e12b

SHA1
55cf5da615168ffc05a10b22451470238d77da75

SHA256
81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40

SHA512
98358202511c926784580fea90c49470c71511a2b4e7e27c67cb7046a3aa97f0f4de4f977500b38b81d4fe22437285cdeb5ce4cdacc01657450ae719558fa71e

Download Submit
\Users\Admin\AppData\Local\xmmslvcvjh.exe
Filesize
299KB

MD5
92170476df42a42bcb8757428c29e12b

SHA1
55cf5da615168ffc05a10b22451470238d77da75

SHA256
81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40

SHA512
98358202511c926784580fea90c49470c71511a2b4e7e27c67cb7046a3aa97f0f4de4f977500b38b81d4fe22437285cdeb5ce4cdacc01657450ae719558fa71e

Download Submit
\Users\Admin\AppData\Local\xmmslvcvjh.exe
Filesize
299KB

MD5
92170476df42a42bcb8757428c29e12b

SHA1
55cf5da615168ffc05a10b22451470238d77da75

SHA256
81cd9e331e7cfc13b2efef3d46fa241afd5770994d86bc30dbe029b3fc194c40

SHA512
98358202511c926784580fea90c49470c71511a2b4e7e27c67cb7046a3aa97f0f4de4f977500b38b81d4fe22437285cdeb5ce4cdacc01657450ae719558fa71e

Download Submit
memory/668-58-0x0000000000000000-mapping.dmp

Download
memory/1484-59-0x0000000000000000-mapping.dmp

Download
memory/1488-63-0x0000000000000000-mapping.dmp

Download
memory/1488-68-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/1488-69-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/1520-56-0x0000000000000000-mapping.dmp

Download
memory/1752-57-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/1752-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1752-55-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads