0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029

General

Target

0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe
Size

839KB
MD5

d1a1649bcaf5f66c8e47001b686223ab
SHA1

c6c6335becb2d80faeec1ee05dd185fc6b1c115e
SHA256

0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029
SHA512

d25ff5e8599b8fd47af09b57961f9410925c9db3addc38603bdbbf1974a299dedc15a6def373d90d68d7344e1ed7e2a58bb922a0abd7f05c254bdfc6356d0d4e
SSDEEP

12288:5tb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgar5006A:5tb20pkaCqT5TBWgNQ7ar5006A

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\49688 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mscztmb.com"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe"	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows	autoit_exe

Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\WerFault.exe svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WerFault.exe	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe

description	pid	process	target process
PID 1728 set thread context of 2012	1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe	WerFault.exe

Drops file in Program Files directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\PROGRA~3\LOCALS~1\Temp\mscztmb.com svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\PROGRA~3\LOCALS~1\Temp\mscztmb.com	svchost.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe

pid	process
1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe
1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe
1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe

pid	process
1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe
1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe
1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2000 AcroRd32.exe
2000 AcroRd32.exe

pid	process
2000	AcroRd32.exe
2000	AcroRd32.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exerundll32.exe

description	pid	process	target process
PID 1728 wrote to memory of 856	1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe	rundll32.exe
PID 1728 wrote to memory of 856	1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe	rundll32.exe
PID 1728 wrote to memory of 856	1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe	rundll32.exe
PID 1728 wrote to memory of 856	1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe	rundll32.exe
PID 1728 wrote to memory of 856	1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe	rundll32.exe
PID 1728 wrote to memory of 856	1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe	rundll32.exe
PID 1728 wrote to memory of 856	1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe	rundll32.exe
PID 1728 wrote to memory of 2012	1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe	WerFault.exe
PID 1728 wrote to memory of 2012	1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe	WerFault.exe
PID 1728 wrote to memory of 2012	1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe	WerFault.exe
PID 1728 wrote to memory of 2012	1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe	WerFault.exe
PID 1728 wrote to memory of 2012	1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe	WerFault.exe
PID 1728 wrote to memory of 2012	1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe	WerFault.exe
PID 1728 wrote to memory of 2012	1728	0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe	WerFault.exe
PID 856 wrote to memory of 2000	856	rundll32.exe	AcroRd32.exe
PID 856 wrote to memory of 2000	856	rundll32.exe	AcroRd32.exe
PID 856 wrote to memory of 2000	856	rundll32.exe	AcroRd32.exe
PID 856 wrote to memory of 2000	856	rundll32.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe
"C:\Users\Admin\AppData\Local\Temp\0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Windows
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Windows"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2000
- C:\Windows\SysWOW64\WerFault.exe
  "C:\Windows\SysWOW64\WerFault.exe"
  2⤵
  PID:2012
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - Adds policy Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows

Filesize
839KB

MD5
d1a1649bcaf5f66c8e47001b686223ab

SHA1
c6c6335becb2d80faeec1ee05dd185fc6b1c115e

SHA256
0a53a3956545184321a464360f833aa8c0f3f86033e4c4fb7717ea4fab5d1029

SHA512
d25ff5e8599b8fd47af09b57961f9410925c9db3addc38603bdbbf1974a299dedc15a6def373d90d68d7344e1ed7e2a58bb922a0abd7f05c254bdfc6356d0d4e

Download Submit
memory/856-55-0x0000000000000000-mapping.dmp

Download
memory/1316-62-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/1316-66-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/1728-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/2000-64-0x0000000000000000-mapping.dmp

Download
memory/2012-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2012-57-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2012-59-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2012-60-0x000000000040141C-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads