f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2

General

Target

f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe
Size

1.3MB
MD5

41f2a423f4fb9d6eb43a39f4d20afcbf
SHA1

c1da163b26af40d5c51350f593273af25d8aa091
SHA256

f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2
SHA512

aaf8013b0601e6d181c45be8f8f6638e4f7797f8154a115b8dd9ffb571a48295c3daf5be85f41086161472b2e13986fcd9895f3ce3733a3b3493e7fe8ff5ea14
SSDEEP

24576:poJL/y54Kf1pWfrLshb3EbEZ1YqIE+LbYi:m/b6pELsDEbs1JCLv

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\note\\file.exe"	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1392 timeout.exe

pid	process
1392	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe

pid	process
520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe
520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe
520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe

description pid process

Token: SeDebugPrivilege 520 f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe

description	pid	process
Token: SeDebugPrivilege	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.execmd.exewscript.execmd.exe

description	pid	process	target process
PID 520 wrote to memory of 608	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 608	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 608	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 608	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 608	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 608	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 608	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 1996	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe
PID 520 wrote to memory of 1996	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe
PID 520 wrote to memory of 1996	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe
PID 520 wrote to memory of 1996	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe
PID 520 wrote to memory of 1996	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe
PID 520 wrote to memory of 1996	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe
PID 520 wrote to memory of 1996	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe
PID 608 wrote to memory of 1496	608	cmd.exe	wscript.exe
PID 608 wrote to memory of 1496	608	cmd.exe	wscript.exe
PID 608 wrote to memory of 1496	608	cmd.exe	wscript.exe
PID 608 wrote to memory of 1496	608	cmd.exe	wscript.exe
PID 608 wrote to memory of 1496	608	cmd.exe	wscript.exe
PID 608 wrote to memory of 1496	608	cmd.exe	wscript.exe
PID 608 wrote to memory of 1496	608	cmd.exe	wscript.exe
PID 1496 wrote to memory of 1012	1496	wscript.exe	cmd.exe
PID 1496 wrote to memory of 1012	1496	wscript.exe	cmd.exe
PID 1496 wrote to memory of 1012	1496	wscript.exe	cmd.exe
PID 1496 wrote to memory of 1012	1496	wscript.exe	cmd.exe
PID 1496 wrote to memory of 1012	1496	wscript.exe	cmd.exe
PID 1496 wrote to memory of 1012	1496	wscript.exe	cmd.exe
PID 1496 wrote to memory of 1012	1496	wscript.exe	cmd.exe
PID 520 wrote to memory of 1616	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 1616	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 1616	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 1616	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 1616	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 1616	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 1616	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 1616 wrote to memory of 1392	1616	cmd.exe	timeout.exe
PID 1616 wrote to memory of 1392	1616	cmd.exe	timeout.exe
PID 1616 wrote to memory of 1392	1616	cmd.exe	timeout.exe
PID 1616 wrote to memory of 1392	1616	cmd.exe	timeout.exe
PID 1616 wrote to memory of 1392	1616	cmd.exe	timeout.exe
PID 1616 wrote to memory of 1392	1616	cmd.exe	timeout.exe
PID 1616 wrote to memory of 1392	1616	cmd.exe	timeout.exe
PID 520 wrote to memory of 1084	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 1084	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 1084	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 1084	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 1084	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 1084	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe
PID 520 wrote to memory of 1084	520	f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe
"C:\Users\Admin\AppData\Local\Temp\f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\note\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\note\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\note\mata2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\note\mata2.bat" "
4⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe
C:\Users\Admin\AppData\Local\Temp\f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2.exe
2⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\note\stres.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:1392

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\note\melt.bat
2⤵
PID:1084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\note\file.exe
Filesize
1.3MB

MD5
41f2a423f4fb9d6eb43a39f4d20afcbf

SHA1
c1da163b26af40d5c51350f593273af25d8aa091

SHA256
f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2

SHA512
aaf8013b0601e6d181c45be8f8f6638e4f7797f8154a115b8dd9ffb571a48295c3daf5be85f41086161472b2e13986fcd9895f3ce3733a3b3493e7fe8ff5ea14

Download Submit
C:\Users\Admin\AppData\Local\Temp\note\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\note\mata.bat
Filesize
57B

MD5
0b9467e20db57abea9cf8c8370f9f7ba

SHA1
2daddffd9b33830ccf7d106e56cd6b77aa8c3ed2

SHA256
41074a3530b1fe470152dc4a8bb95d7f3fde81a432e50f48c9510ea5cad4360e

SHA512
0878f1e715c6eed6af7641b0c756f3a0172dbecf4d7d28313162d8a3d3fa00b9dd8fc85c16a6cb6d637c5ea226e90c54c75c4b19987f8265541ceec0e0b3165a

Download Submit
C:\Users\Admin\AppData\Local\Temp\note\mata2.bat
Filesize
59B

MD5
9a352502cbc8c73a8d75a9a47e8fd897

SHA1
b498808971f46952958e260e687734f728340d1b

SHA256
811499b525b8cfc5251ffdc7f1bde52e4875d4a77ec060b93ca5ec4badcee106

SHA512
3517f93506789e2c883ce684f6f20085aad7b7d360ebe649483b36d56cd4e0f1d958d0c7e5d14925d12da5799f5cd57be15b590185b50c492ed960e05f35667c

Download Submit
C:\Users\Admin\AppData\Local\Temp\note\melt.bat
Filesize
120B

MD5
5cfea27bcd74cc82e2fcb4b132dc6d8e

SHA1
e22c7f310dcb95509013dc2b73b3e66bd03bfde6

SHA256
2796cef953ebca2bb22b5b03e55cf25c0dd467aa281f1c3f73ba0274b5b0e696

SHA512
85912d0fce6724af19e2ca9888190b88b28272202846ce7e57a13550e0d65fdc4f9a901689cdf36175948a29c6afc530df183cbd936bbe54bc8bda821745b40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\note\rundll11-.txt
Filesize
1.3MB

MD5
41f2a423f4fb9d6eb43a39f4d20afcbf

SHA1
c1da163b26af40d5c51350f593273af25d8aa091

SHA256
f901fad33d84fcee5c5c6ca16b9ac0fac7dfaa18fcf73d953d11a492b37285c2

SHA512
aaf8013b0601e6d181c45be8f8f6638e4f7797f8154a115b8dd9ffb571a48295c3daf5be85f41086161472b2e13986fcd9895f3ce3733a3b3493e7fe8ff5ea14

Download Submit
C:\Users\Admin\AppData\Local\Temp\note\stres.bat
Filesize
205B

MD5
44be212d04f368198307b46fda726f75

SHA1
aba07de92e27fc3acd80f39a9e9594017e759490

SHA256
257083bba5fc6b78d24413a13c1e503569c0f9de3616874a355762cee1fe4660

SHA512
5d176a208da93f5cfb104ae9beb147a19270a3d0ebcbf534e2dac4f2e2657b64075e62697a234290d7e2be3b14eba7d19f55d8c00c96a7a05f1e09775e95e77b

Download Submit
memory/520-55-0x0000000073CA0000-0x000000007424B000-memory.dmp

Filesize
5.7MB

Download
memory/520-56-0x0000000073CA0000-0x000000007424B000-memory.dmp

Filesize
5.7MB

Download
memory/520-76-0x0000000073CA0000-0x000000007424B000-memory.dmp

Filesize
5.7MB

Download
memory/520-54-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download
memory/608-57-0x0000000000000000-mapping.dmp

Download
memory/1012-64-0x0000000000000000-mapping.dmp

Download
memory/1084-73-0x0000000000000000-mapping.dmp

Download
memory/1392-70-0x0000000000000000-mapping.dmp

Download
memory/1496-60-0x0000000000000000-mapping.dmp

Download
memory/1616-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads