ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad

General

Target

ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
Size

1.5MB
MD5

44337c0892b51caf7a8c361773f9b20a
SHA1

5cb1c78ba10e533f3fd286a85d65da9713ab4c4a
SHA256

ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad
SHA512

100aabac2017fc8bd8181e6ba7c232bf9a773c64cbec3225bd27da1ed13b28259f9e49fec065cc17808cf861465746c7a185b0452a971c1ff13ef927a9c88e92
SSDEEP

24576:NM3q4FxNTcsDWDAG6R9CYu8ZnxuZm6i/hlY0MLZDRJweuaMTSDPoW:+37Fg167n1/LiLOcMTSbo

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe"	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

Disables Task Manager via registry modification
evasion

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe"	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Asynchronous = "1"	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Impersonate = "0"	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\DllName = "windows.dll"	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Logon = "Executeapi"	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

Drops file in System32 directory 3 IoCs

Processes:

ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\taskmgr.exe	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

pid	process
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

pid	process
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

pid	process
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
1380	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "12"	ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe

C:\Users\Admin\AppData\Local\Temp\ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe
"C:\Users\Admin\AppData\Local\Temp\ba6e61bf6527a84527711600e3a577a1f648308c8b0ba5aed09935dbed3f8fad.exe"
1⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1380