96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b

General

Target

96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
Size

2.1MB
MD5

459c65a890bd3c0f52be76b859ede9b9
SHA1

b451cd2a3f1dfcc6cf54cb7d70d77026a7e657cc
SHA256

96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b
SHA512

6e02c8950c464df02b180206def791e4a95a1029a355125fdde0dbde6345efad8ef6ae03a24a5fd93a465c538f3d4d49df09599d91ee299f4caebaf0d891e151
SSDEEP

49152:xnI+3haRPkfiaYeSqVKGPzReJ6xXxaEcT9Y:p3haRU7VL9eUkv

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\file.exe"	reg.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

308 timeout.exe

pid	process
308	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe

pid	process
5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe

description	pid	process
Token: SeDebugPrivilege	5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
Token: 33	5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
Token: SeIncBasePriorityPrivilege	5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.execmd.exewscript.execmd.execmd.exe

description	pid	process	target process
PID 5016 wrote to memory of 1804	5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe	cmd.exe
PID 5016 wrote to memory of 1804	5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe	cmd.exe
PID 5016 wrote to memory of 1804	5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe	cmd.exe
PID 1804 wrote to memory of 528	1804	cmd.exe	wscript.exe
PID 1804 wrote to memory of 528	1804	cmd.exe	wscript.exe
PID 1804 wrote to memory of 528	1804	cmd.exe	wscript.exe
PID 5016 wrote to memory of 4300	5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe	svhost.exe
PID 5016 wrote to memory of 4300	5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe	svhost.exe
PID 5016 wrote to memory of 4300	5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe	svhost.exe
PID 528 wrote to memory of 1688	528	wscript.exe	cmd.exe
PID 528 wrote to memory of 1688	528	wscript.exe	cmd.exe
PID 528 wrote to memory of 1688	528	wscript.exe	cmd.exe
PID 1688 wrote to memory of 2548	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 2548	1688	cmd.exe	reg.exe
PID 1688 wrote to memory of 2548	1688	cmd.exe	reg.exe
PID 5016 wrote to memory of 3584	5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe	cmd.exe
PID 5016 wrote to memory of 3584	5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe	cmd.exe
PID 5016 wrote to memory of 3584	5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe	cmd.exe
PID 5016 wrote to memory of 2012	5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe	cmd.exe
PID 5016 wrote to memory of 2012	5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe	cmd.exe
PID 5016 wrote to memory of 2012	5016	96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe	cmd.exe
PID 3584 wrote to memory of 308	3584	cmd.exe	timeout.exe
PID 3584 wrote to memory of 308	3584	cmd.exe	timeout.exe
PID 3584 wrote to memory of 308	3584	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe
"C:\Users\Admin\AppData\Local\Temp\96e66719028bcc98ba86fef16ce7acd4a056c5143af9748a02a268380aedb29b.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\svhostf\svhost1.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Roaming\svhostf\svhostvbs.vbs" "C:\Users\Admin\AppData\Roaming\svhostf\svhost2.bat"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\svhostf\svhost2.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\file.exe" /f
5⤵
- Modifies WinLogon for persistence
PID:2548

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
2⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\FolderName\svhost.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
2⤵
PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
Filesize
120B

MD5
12d1029da36b488314dc35656866fca1

SHA1
377a3158efed61429e5a134004fe0162490af548

SHA256
c44934690180852dd7b6a3230eedb38624d2344b5a58be79b1d2884ade85abf7

SHA512
47e6cddc99d615051c1a7b13c59bc595f2dce6441cc0d12dd47310e8ddc4a14a6f0e4f411fab25868588265b252e4f25e0f0cb4c990526e5bd644c15611b6f52

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\svhost.bat
Filesize
196B

MD5
181947f11b6ff0823cb276d1be9c20d4

SHA1
9c9abb2c164f7fb86b1bc1baa56930033e24756f

SHA256
664de7dcd9d4d660a229221649c99e9b0c2e475496cea7bc4aed0e51a97ccc1e

SHA512
f043150d12dc52c7889ef6ee0ec8d1b111a4f54e62801c5804f42c645af57b0fbd757062a236c0da7402ee9ec7b83b9aeb4d49fe314b2fc03a1e3f5f689dbbbb

Download Submit
C:\Users\Admin\AppData\Roaming\svhostf\svhost1.bat
Filesize
77B

MD5
4d8611db3ae453d5d525a3fddb374566

SHA1
4ee9358a4fb6efd22c12d57c7c4ac1a9dcd5a138

SHA256
812220adf3859abc78b9139496a6a303c43d73a14edc6936c555b98dfd199c88

SHA512
ef7a3d54734f37ab23bfc04bfd79b2ee1325e1c6f4885f57163e7df235974d5c4a5ca91cdb01dedea65167a5e996bf53aaebc1d17ec559fb8b9587a42456bb28

Download Submit
C:\Users\Admin\AppData\Roaming\svhostf\svhost2.bat
Filesize
270B

MD5
8d6cc7f171b92e2d9fab4e6a6d176fbd

SHA1
19352999592f94e1e6afdbe6af198447481fc4fa

SHA256
49812b971c53685525df0b4c072cbdbc816aeddb47a09e244a3417cbf903fb34

SHA512
11933ecd91aaac2f87f824e00efeb217171fe94eceb3a3a560ab5e405c635a9660b00293711a38c5993233cca0cfa6c36fd72ea2beeca633c84502c0a97cefb3

Download Submit
C:\Users\Admin\AppData\Roaming\svhostf\svhostvbs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
memory/308-146-0x0000000000000000-mapping.dmp

Download
memory/528-135-0x0000000000000000-mapping.dmp

Download
memory/1688-139-0x0000000000000000-mapping.dmp

Download
memory/1804-133-0x0000000000000000-mapping.dmp

Download
memory/2012-143-0x0000000000000000-mapping.dmp

Download
memory/2548-140-0x0000000000000000-mapping.dmp

Download
memory/3584-142-0x0000000000000000-mapping.dmp

Download
memory/4300-136-0x0000000000000000-mapping.dmp

Download
memory/5016-144-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/5016-141-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/5016-132-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads