f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f

General

Target

f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe
Size

6.1MB
MD5

376e2290dc687d4c9c86f3772f0986db
SHA1

3faaf13bb547204a48fe86a3515ca74b82ff7fc7
SHA256

f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f
SHA512

2a7155a8d5db121ce14d5af93d5b904be3154d4021b2b33441a605894a2fbfba052eb461e33bf67ea5e266695d306188472e17cb2e17cb1bd7936dce2eb3f97a
SSDEEP

196608:mrFv1KtfLH7v6YXBUQ6ZVkfD7L0EpUelybX:mrFv1qLH+YXDfDn0Epplyz

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1996	netsh.exe
1988	netsh.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe\debugger = "regedit /s"	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\FoxPlugin = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe\""	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1880 set thread context of 1080	1880	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1080	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 840	1880	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe	28
PID 1880 wrote to memory of 840	1880	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe	28
PID 1880 wrote to memory of 840	1880	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe	28
PID 1880 wrote to memory of 840	1880	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe	28
PID 1880 wrote to memory of 2000	1880	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe	30
PID 1880 wrote to memory of 2000	1880	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe	30
PID 1880 wrote to memory of 2000	1880	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe	30
PID 1880 wrote to memory of 2000	1880	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe	30
PID 840 wrote to memory of 1996	840	cmd.exe	32
PID 840 wrote to memory of 1996	840	cmd.exe	32
PID 840 wrote to memory of 1996	840	cmd.exe	32
PID 840 wrote to memory of 1996	840	cmd.exe	32
PID 2000 wrote to memory of 1988	2000	cmd.exe	33
PID 2000 wrote to memory of 1988	2000	cmd.exe	33
PID 2000 wrote to memory of 1988	2000	cmd.exe	33
PID 2000 wrote to memory of 1988	2000	cmd.exe	33
PID 1880 wrote to memory of 1080	1880	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe	34
PID 1880 wrote to memory of 1080	1880	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe	34
PID 1880 wrote to memory of 1080	1880	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe	34
PID 1880 wrote to memory of 1080	1880	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe	34
PID 1880 wrote to memory of 1080	1880	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe	34
PID 1880 wrote to memory of 1080	1880	f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe	34

C:\Users\Admin\AppData\Local\Temp\f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe
"C:\Users\Admin\AppData\Local\Temp\f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe"
1⤵
- Sets file execution options in registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="671259667472846017" dir=out action=block program="C:\Program Files (x86)\AVAST Software\Avast\setup\instup.exe" enable=yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="671259667472846017" dir=out action=block program="C:\Program Files (x86)\AVAST Software\Avast\setup\instup.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="58940915511132390" dir=out action=block program="C:\Program Files (x86)\AVG\AVG2014\avgmfapx.exe" enable=yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="58940915511132390" dir=out action=block program="C:\Program Files (x86)\AVG\AVG2014\avgmfapx.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1988
- C:\Users\Admin\AppData\Local\Temp\f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe
  "C:\Users\Admin\AppData\Local\Temp\f019177d9b708c61a431eb724b361161ad3d85561cd790ba4aab2081cf47355f.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-63-0x00000000008E0000-0x0000000000FFB000-memory.dmp

Filesize
7.1MB

Download
memory/1080-70-0x00000000008E0000-0x0000000000FFB000-memory.dmp

Filesize
7.1MB

Download
memory/1080-69-0x00000000008E0000-0x0000000000FFB000-memory.dmp

Filesize
7.1MB

Download
memory/1080-67-0x00000000008E0000-0x0000000000FFB000-memory.dmp

Filesize
7.1MB

Download
memory/1080-65-0x00000000008E0000-0x0000000000FFB000-memory.dmp

Filesize
7.1MB

Download
memory/1880-62-0x0000000000180000-0x0000000000189000-memory.dmp

Filesize
36KB

Download
memory/1880-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/1880-61-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads