b7250785bbcb7676b32f4d0dbca4bfb1ed4e0f84ad28a2bbac10b4c695cb5f48

General

Target

b7250785bbcb7676b32f4d0dbca4bfb1ed4e0f84ad28a2bbac10b4c695cb5f48.exe
Size

809KB
MD5

9fa89d305d099f16e1fc13048efa6e98
SHA1

3dca0f3ffe53c3a90d33d10ee9656407587b625f
SHA256

b7250785bbcb7676b32f4d0dbca4bfb1ed4e0f84ad28a2bbac10b4c695cb5f48
SHA512

5a7493cc56b634fea0d82c6cdaa0d88d51a77aa850e99a9494043df2bc06dfe55ab57913e038b1ad04330ec94aa1cae86dc412d504bec38c57f849a6c9527760
SSDEEP

24576:n2Qoqtcz49Sznsb9q0wK6e9D08IxDL+dznt9103yv:lb849UnsJvzJnOnizntU3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1528	privacy.exe

Loads dropped DLL 3 IoCs

pid	Process
960	b7250785bbcb7676b32f4d0dbca4bfb1ed4e0f84ad28a2bbac10b4c695cb5f48.exe
960	b7250785bbcb7676b32f4d0dbca4bfb1ed4e0f84ad28a2bbac10b4c695cb5f48.exe
960	b7250785bbcb7676b32f4d0dbca4bfb1ed4e0f84ad28a2bbac10b4c695cb5f48.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	privacy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Privacy Protection = "C:\\ProgramData\\privacy.exe"	privacy.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	privacy.exe
File opened (read-only)	\??\O:	privacy.exe
File opened (read-only)	\??\R:	privacy.exe
File opened (read-only)	\??\V:	privacy.exe
File opened (read-only)	\??\X:	privacy.exe
File opened (read-only)	\??\N:	privacy.exe
File opened (read-only)	\??\Q:	privacy.exe
File opened (read-only)	\??\S:	privacy.exe
File opened (read-only)	\??\Z:	privacy.exe
File opened (read-only)	\??\E:	privacy.exe
File opened (read-only)	\??\G:	privacy.exe
File opened (read-only)	\??\H:	privacy.exe
File opened (read-only)	\??\I:	privacy.exe
File opened (read-only)	\??\Y:	privacy.exe
File opened (read-only)	\??\T:	privacy.exe
File opened (read-only)	\??\U:	privacy.exe
File opened (read-only)	\??\W:	privacy.exe
File opened (read-only)	\??\F:	privacy.exe
File opened (read-only)	\??\J:	privacy.exe
File opened (read-only)	\??\L:	privacy.exe
File opened (read-only)	\??\M:	privacy.exe
File opened (read-only)	\??\P:	privacy.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	privacy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
960	b7250785bbcb7676b32f4d0dbca4bfb1ed4e0f84ad28a2bbac10b4c695cb5f48.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
960	b7250785bbcb7676b32f4d0dbca4bfb1ed4e0f84ad28a2bbac10b4c695cb5f48.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe
1528	privacy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1528	privacy.exe
1528	privacy.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1528	960	b7250785bbcb7676b32f4d0dbca4bfb1ed4e0f84ad28a2bbac10b4c695cb5f48.exe	28
PID 960 wrote to memory of 1528	960	b7250785bbcb7676b32f4d0dbca4bfb1ed4e0f84ad28a2bbac10b4c695cb5f48.exe	28
PID 960 wrote to memory of 1528	960	b7250785bbcb7676b32f4d0dbca4bfb1ed4e0f84ad28a2bbac10b4c695cb5f48.exe	28
PID 960 wrote to memory of 1528	960	b7250785bbcb7676b32f4d0dbca4bfb1ed4e0f84ad28a2bbac10b4c695cb5f48.exe	28

C:\Users\Admin\AppData\Local\Temp\b7250785bbcb7676b32f4d0dbca4bfb1ed4e0f84ad28a2bbac10b4c695cb5f48.exe
"C:\Users\Admin\AppData\Local\Temp\b7250785bbcb7676b32f4d0dbca4bfb1ed4e0f84ad28a2bbac10b4c695cb5f48.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:960
- C:\ProgramData\privacy.exe
  C:\ProgramData\privacy.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\privacy.exe

Filesize
797KB

MD5
66efb21472b33a6229616869ad5f0724

SHA1
f7e64181a7ddccfc599952032a6b40e02e8e8681

SHA256
b64f7e0037e944e34a5b665ed3b3d4a64371f65a77ec0d2a9b007528cfd2cc1a

SHA512
1bdf5ac3e23027fdb0fdd7140accf36f12bfb99b7f08881aa29882ea00255255ce3aef450041a9e95d30513e8bf30895b99bfccbbf78923054dd2e5cd043d50d

Download Submit
\ProgramData\privacy.exe

Filesize
797KB

MD5
66efb21472b33a6229616869ad5f0724

SHA1
f7e64181a7ddccfc599952032a6b40e02e8e8681

SHA256
b64f7e0037e944e34a5b665ed3b3d4a64371f65a77ec0d2a9b007528cfd2cc1a

SHA512
1bdf5ac3e23027fdb0fdd7140accf36f12bfb99b7f08881aa29882ea00255255ce3aef450041a9e95d30513e8bf30895b99bfccbbf78923054dd2e5cd043d50d

Download Submit
\ProgramData\privacy.exe

Filesize
797KB

MD5
66efb21472b33a6229616869ad5f0724

SHA1
f7e64181a7ddccfc599952032a6b40e02e8e8681

SHA256
b64f7e0037e944e34a5b665ed3b3d4a64371f65a77ec0d2a9b007528cfd2cc1a

SHA512
1bdf5ac3e23027fdb0fdd7140accf36f12bfb99b7f08881aa29882ea00255255ce3aef450041a9e95d30513e8bf30895b99bfccbbf78923054dd2e5cd043d50d

Download Submit
\ProgramData\privacy.exe

Filesize
797KB

MD5
66efb21472b33a6229616869ad5f0724

SHA1
f7e64181a7ddccfc599952032a6b40e02e8e8681

SHA256
b64f7e0037e944e34a5b665ed3b3d4a64371f65a77ec0d2a9b007528cfd2cc1a

SHA512
1bdf5ac3e23027fdb0fdd7140accf36f12bfb99b7f08881aa29882ea00255255ce3aef450041a9e95d30513e8bf30895b99bfccbbf78923054dd2e5cd043d50d

Download Submit
memory/960-56-0x0000000002400000-0x0000000002500000-memory.dmp

Filesize
1024KB

Download
memory/960-54-0x00000000753D1000-0x00000000753D3000-memory.dmp

Filesize
8KB

Download
memory/960-55-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/960-67-0x0000000002400000-0x0000000002500000-memory.dmp

Filesize
1024KB

Download
memory/1528-63-0x0000000000400000-0x0000000000B0A000-memory.dmp

Filesize
7.0MB

Download
memory/1528-65-0x0000000000220000-0x00000000002C0000-memory.dmp

Filesize
640KB

Download
memory/1528-66-0x0000000000400000-0x0000000000B0A000-memory.dmp

Filesize
7.0MB

Download
memory/1528-68-0x0000000000400000-0x0000000000B0A000-memory.dmp

Filesize
7.0MB

Download

Analysis

Sharing