4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b

General

Target

4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe
Size

407KB
MD5

3f6264634cfc717f693ca4087f280abb
SHA1

9815e65a6df52afb3840f58570ec9eccf5f43e3e
SHA256

4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b
SHA512

fe09623b9681b967a781fd604c4fa1f2603fe6bf54be4d1cbbf5c80119cb6cf7d7ab907dae7db5592d939756ccb79e0cafc3cd176822c717a56c8d16340378fb
SSDEEP

6144:npbn2N5umytHm1HwoSZI22bu4jA9qn5JdFYUr1dscT7iFiaFpKdFYUr1d:npbaAmCHm1WID8A5XpGFW

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderName\\file.exe"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
1448	4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1448	4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe
1448	4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe
1448	4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe
1448	4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe
1448	4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe
Token: 33	1448	4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe
Token: SeIncBasePriorityPrivilege	1448	4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1116	1448	4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe	28
PID 1448 wrote to memory of 1116	1448	4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe	28
PID 1448 wrote to memory of 1116	1448	4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe	28
PID 1448 wrote to memory of 1116	1448	4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe	28
PID 1448 wrote to memory of 320	1448	4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe	29
PID 1448 wrote to memory of 320	1448	4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe	29
PID 1448 wrote to memory of 320	1448	4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe	29
PID 1448 wrote to memory of 320	1448	4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe	29
PID 1116 wrote to memory of 1156	1116	cmd.exe	30
PID 1116 wrote to memory of 1156	1116	cmd.exe	30
PID 1116 wrote to memory of 1156	1116	cmd.exe	30
PID 1116 wrote to memory of 1156	1116	cmd.exe	30
PID 1156 wrote to memory of 572	1156	wscript.exe	32
PID 1156 wrote to memory of 572	1156	wscript.exe	32
PID 1156 wrote to memory of 572	1156	wscript.exe	32
PID 1156 wrote to memory of 572	1156	wscript.exe	32
PID 572 wrote to memory of 528	572	cmd.exe	33
PID 572 wrote to memory of 528	572	cmd.exe	33
PID 572 wrote to memory of 528	572	cmd.exe	33
PID 572 wrote to memory of 528	572	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe
"C:\Users\Admin\AppData\Local\Temp\4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe" /f
        5⤵
        Modifies WinLogon for persistence
        
        PID:528
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe

Filesize
407KB

MD5
3f6264634cfc717f693ca4087f280abb

SHA1
9815e65a6df52afb3840f58570ec9eccf5f43e3e

SHA256
4f97ad6a594c6d6fc94c5c033d364a66306d6c829d313ae64fb778b07f30174b

SHA512
fe09623b9681b967a781fd604c4fa1f2603fe6bf54be4d1cbbf5c80119cb6cf7d7ab907dae7db5592d939756ccb79e0cafc3cd176822c717a56c8d16340378fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat

Filesize
70B

MD5
23f72401196919748c14cb64c1d55c3b

SHA1
869e3809cb4391e6f5aee5349a871e40a1e1fb22

SHA256
d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11

SHA512
2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat

Filesize
264B

MD5
3c181f23c4736de97dd0766ae58815a3

SHA1
0014ab88cd3d1fd7980ba6f3b709b987a0dcae7b

SHA256
32bc6b75b0f5dd44e13755112550e42f7f14d19cf98e9c3c57c71b987354ef43

SHA512
d48f0eb74a08e5c74897027620c7d358d0ee35a02a5f398857b96c6ab8c05df64fe3fd0b2a8f2fa3d3aa8ffb9e0c148ee5a867bfc48e0a30242b5b5af341c5fb

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
memory/1448-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1448-55-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1448-66-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing