34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900

General

Target

34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
Size

192KB
MD5

943f756626ce91cde9b9246e26642039
SHA1

a633aa256f687d95fa746efcb8d8c55da309b879
SHA256

34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900
SHA512

125109e78c64516b30de6d757c5d36e8d69ecc8efb3e4a9780e8a2ba130ad3d079b6f702023d353e6168a2d14cf0357482373047fd02b7edc29ffc266323bee8
SSDEEP

3072:E2tbXewZT3vviEj3IbQhbElPYSIeXkOAAeSTYSijsFCOJHeI6Awd:E2tbX/v8bQ653BXktVSsTSCOhDc

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderName\\file.exe"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe

pid process

868 34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe

pid	process
868	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
868	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
868	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
868	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
868	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe

description	pid	process
Token: SeDebugPrivilege	868	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
Token: 33	868	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
Token: SeIncBasePriorityPrivilege	868	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.execmd.exewscript.execmd.exe

description	pid	process	target process
PID 868 wrote to memory of 2032	868	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	cmd.exe
PID 868 wrote to memory of 2032	868	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	cmd.exe
PID 868 wrote to memory of 2032	868	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	cmd.exe
PID 868 wrote to memory of 2032	868	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	cmd.exe
PID 868 wrote to memory of 1756	868	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	notepad .exe
PID 868 wrote to memory of 1756	868	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	notepad .exe
PID 868 wrote to memory of 1756	868	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	notepad .exe
PID 868 wrote to memory of 1756	868	34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe	notepad .exe
PID 2032 wrote to memory of 1916	2032	cmd.exe	wscript.exe
PID 2032 wrote to memory of 1916	2032	cmd.exe	wscript.exe
PID 2032 wrote to memory of 1916	2032	cmd.exe	wscript.exe
PID 2032 wrote to memory of 1916	2032	cmd.exe	wscript.exe
PID 1916 wrote to memory of 2008	1916	wscript.exe	cmd.exe
PID 1916 wrote to memory of 2008	1916	wscript.exe	cmd.exe
PID 1916 wrote to memory of 2008	1916	wscript.exe	cmd.exe
PID 1916 wrote to memory of 2008	1916	wscript.exe	cmd.exe
PID 2008 wrote to memory of 1748	2008	cmd.exe	reg.exe
PID 2008 wrote to memory of 1748	2008	cmd.exe	reg.exe
PID 2008 wrote to memory of 1748	2008	cmd.exe	reg.exe
PID 2008 wrote to memory of 1748	2008	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe
"C:\Users\Admin\AppData\Local\Temp\34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe" /f
5⤵
- Modifies WinLogon for persistence
PID:1748

C:\Users\Admin\AppData\Local\Temp\notepad .exe
"C:\Users\Admin\AppData\Local\Temp\notepad .exe"
2⤵
PID:1756

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe
Filesize
192KB

MD5
943f756626ce91cde9b9246e26642039

SHA1
a633aa256f687d95fa746efcb8d8c55da309b879

SHA256
34253c7c851a1d2e24ccaf5f6e6828ab9f2145c79967b2d0abf1740b7a9fd900

SHA512
125109e78c64516b30de6d757c5d36e8d69ecc8efb3e4a9780e8a2ba130ad3d079b6f702023d353e6168a2d14cf0357482373047fd02b7edc29ffc266323bee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
Filesize
70B

MD5
23f72401196919748c14cb64c1d55c3b

SHA1
869e3809cb4391e6f5aee5349a871e40a1e1fb22

SHA256
d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11

SHA512
2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
Filesize
264B

MD5
4a348e658b3bece507de24309737f37e

SHA1
4abb0d9acf447d8ae8f2c4ffbdde71f74df0eb6e

SHA256
fe0ccea8e63ad44a98bce2497dede9f5387c4596427e847686f7595301b1e15f

SHA512
c285c3c8f5cbf16d1351d3771abec41970eb0c47211d6102057367f0aa5674ee745520aafa55f4383f6386bb1ec9b5329705added4d75a77ba58dcdc487c0ddd

Download Submit
\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
memory/868-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/868-55-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/868-66-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/868-67-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1748-64-0x0000000000000000-mapping.dmp

Download
memory/1916-59-0x0000000000000000-mapping.dmp

Download
memory/2008-63-0x0000000000000000-mapping.dmp

Download
memory/2032-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads