57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d

General

Target

57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe
Size

298KB
MD5

dc604cc2ab66e0032438fc9fc5fac14a
SHA1

ec8cb465b71bb2996c62b4e61d2f854aa5f2e08a
SHA256

57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d
SHA512

15bc431ad3d83833740d12b3fabb0e63448538621680321becd8cf7a40739386b227f02d77c2c6e4589f2ecc65c616dacd876e4bec04fe18ba0edfb1faf7ef1b
SSDEEP

6144:F5cp5Xtlc5AOYKlJ8NdULIUxm6EEBtt4lA2d2WSwggC4H/uuH:F5W3l+hwUkiFEEBDlgAwlC4HfH

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	msiexec.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

msiexec.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msiexec.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1380768984 = "C:\\ProgramData\\msrcgb.exe"	msiexec.exe

Blocklisted process makes network request 7 IoCs

Processes:

msiexec.exe

flow pid process

4 1044 msiexec.exe
5 1044 msiexec.exe
7 1044 msiexec.exe
8 1044 msiexec.exe
39 1044 msiexec.exe
40 1044 msiexec.exe
43 1044 msiexec.exe
Disables taskbar notifications via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

F7E8.tmp25CC.tmp

pid process

1628 F7E8.tmp
668 25CC.tmp
Drops startup file 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b6807533.exe explorer.exe

flow	pid	process
4	1044	msiexec.exe
5	1044	msiexec.exe
7	1044	msiexec.exe
8	1044	msiexec.exe
39	1044	msiexec.exe
40	1044	msiexec.exe
43	1044	msiexec.exe

pid	process
1628	F7E8.tmp
668	25CC.tmp

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b6807533.exe	explorer.exe

Loads dropped DLL 4 IoCs

Processes:

57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe

pid	process
1380	57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe
1380	57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe
1380	57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe
1380	57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*680753 = "C:\\b6807533\\b6807533.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\b6807533 = "C:\\Users\\Admin\\AppData\\Roaming\\b6807533.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*6807533 = "C:\\Users\\Admin\\AppData\\Roaming\\b6807533.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\b680753 = "C:\\b6807533\\b6807533.exe"	explorer.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-addr.es
13 myexternalip.com
15 myexternalip.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2024 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

F7E8.tmpmsiexec.exe

pid process

1628 F7E8.tmp
1044 msiexec.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

F7E8.tmp25CC.tmpexplorer.exe

pid process

1628 F7E8.tmp
1628 F7E8.tmp
1628 F7E8.tmp
668 25CC.tmp
1824 explorer.exe

flow	ioc
11	ip-addr.es
13	myexternalip.com
15	myexternalip.com

pid	process
2024	vssadmin.exe

pid	process
1628	F7E8.tmp
1044	msiexec.exe

pid	process
1628	F7E8.tmp
1628	F7E8.tmp
1628	F7E8.tmp
668	25CC.tmp
1824	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

msiexec.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1044	msiexec.exe
Token: SeBackupPrivilege	1752	vssvc.exe
Token: SeRestorePrivilege	1752	vssvc.exe
Token: SeAuditPrivilege	1752	vssvc.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exeF7E8.tmp25CC.tmpexplorer.exe

description	pid	process	target process
PID 1380 wrote to memory of 1628	1380	57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe	F7E8.tmp
PID 1380 wrote to memory of 1628	1380	57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe	F7E8.tmp
PID 1380 wrote to memory of 1628	1380	57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe	F7E8.tmp
PID 1380 wrote to memory of 1628	1380	57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe	F7E8.tmp
PID 1628 wrote to memory of 1876	1628	F7E8.tmp	msiexec.exe
PID 1628 wrote to memory of 1876	1628	F7E8.tmp	msiexec.exe
PID 1628 wrote to memory of 1876	1628	F7E8.tmp	msiexec.exe
PID 1628 wrote to memory of 1876	1628	F7E8.tmp	msiexec.exe
PID 1628 wrote to memory of 1876	1628	F7E8.tmp	msiexec.exe
PID 1628 wrote to memory of 1876	1628	F7E8.tmp	msiexec.exe
PID 1628 wrote to memory of 1876	1628	F7E8.tmp	msiexec.exe
PID 1380 wrote to memory of 668	1380	57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe	25CC.tmp
PID 1380 wrote to memory of 668	1380	57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe	25CC.tmp
PID 1380 wrote to memory of 668	1380	57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe	25CC.tmp
PID 1380 wrote to memory of 668	1380	57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe	25CC.tmp
PID 1628 wrote to memory of 1044	1628	F7E8.tmp	msiexec.exe
PID 1628 wrote to memory of 1044	1628	F7E8.tmp	msiexec.exe
PID 1628 wrote to memory of 1044	1628	F7E8.tmp	msiexec.exe
PID 1628 wrote to memory of 1044	1628	F7E8.tmp	msiexec.exe
PID 1628 wrote to memory of 1044	1628	F7E8.tmp	msiexec.exe
PID 1628 wrote to memory of 1044	1628	F7E8.tmp	msiexec.exe
PID 1628 wrote to memory of 1044	1628	F7E8.tmp	msiexec.exe
PID 668 wrote to memory of 1824	668	25CC.tmp	explorer.exe
PID 668 wrote to memory of 1824	668	25CC.tmp	explorer.exe
PID 668 wrote to memory of 1824	668	25CC.tmp	explorer.exe
PID 668 wrote to memory of 1824	668	25CC.tmp	explorer.exe
PID 1824 wrote to memory of 524	1824	explorer.exe	svchost.exe
PID 1824 wrote to memory of 524	1824	explorer.exe	svchost.exe
PID 1824 wrote to memory of 524	1824	explorer.exe	svchost.exe
PID 1824 wrote to memory of 524	1824	explorer.exe	svchost.exe
PID 1824 wrote to memory of 2024	1824	explorer.exe	vssadmin.exe
PID 1824 wrote to memory of 2024	1824	explorer.exe	vssadmin.exe
PID 1824 wrote to memory of 2024	1824	explorer.exe	vssadmin.exe
PID 1824 wrote to memory of 2024	1824	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe
"C:\Users\Admin\AppData\Local\Temp\57187a5aae14cd5372b0fdcc6865f5ae644c4aa478a42b86786a69426ecb949d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\F7E8.tmp
C:\Users\Admin\AppData\Local\Temp\F7E8.tmp
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe"
3⤵
PID:1876

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe"
3⤵
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Adds policy Run key to start application
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Users\Admin\AppData\Local\Temp\25CC.tmp
C:\Users\Admin\AppData\Local\Temp\25CC.tmp
2⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\syswow64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\syswow64\svchost.exe
-k netsvcs
4⤵
PID:524

C:\Windows\syswow64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:2024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Hidden Files and Directories

1

T1158

Modify Registry

4

T1112

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

File Deletion

2

T1107

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25CC.tmp
Filesize
129KB

MD5
07b4592c97a1463e510c54dfc7397a32

SHA1
96b4c25879ede0a923f5cfead45ae1f5a75a40a6

SHA256
7d3cb54f874eb54212f2f77fc6e8e9e0808b3a4c95584fdb18411583f01eb130

SHA512
c906b35334b52ecf270a64b3b1ee7be9e5673bd19cd93f825440cd0c98c0cda402cd0ea1f5695f36dab175ba74293600bea8f8405d6178aee53873fbacbfb5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\25CC.tmp
Filesize
129KB

MD5
07b4592c97a1463e510c54dfc7397a32

SHA1
96b4c25879ede0a923f5cfead45ae1f5a75a40a6

SHA256
7d3cb54f874eb54212f2f77fc6e8e9e0808b3a4c95584fdb18411583f01eb130

SHA512
c906b35334b52ecf270a64b3b1ee7be9e5673bd19cd93f825440cd0c98c0cda402cd0ea1f5695f36dab175ba74293600bea8f8405d6178aee53873fbacbfb5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7E8.tmp
Filesize
16KB

MD5
b5267674f2a52871b54bc2ba8e931fcf

SHA1
ff6fa062e0dde9f50d6a430f4b360781c583f9d9

SHA256
b6f74672c8b776125cfecc007e5a3eaf46fa64ea70df089f4c5997d303aad9dd

SHA512
98a82ae906ea088cd9bda73fde871df2d55df13176387b0bc3cdd313824106bfd2e3647885987097b7e0d9e5f0e292feb19dfa9072020ffedf012e047b91293f

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7E8.tmp
Filesize
16KB

MD5
b5267674f2a52871b54bc2ba8e931fcf

SHA1
ff6fa062e0dde9f50d6a430f4b360781c583f9d9

SHA256
b6f74672c8b776125cfecc007e5a3eaf46fa64ea70df089f4c5997d303aad9dd

SHA512
98a82ae906ea088cd9bda73fde871df2d55df13176387b0bc3cdd313824106bfd2e3647885987097b7e0d9e5f0e292feb19dfa9072020ffedf012e047b91293f

Download Submit
\Users\Admin\AppData\Local\Temp\25CC.tmp
Filesize
129KB

MD5
07b4592c97a1463e510c54dfc7397a32

SHA1
96b4c25879ede0a923f5cfead45ae1f5a75a40a6

SHA256
7d3cb54f874eb54212f2f77fc6e8e9e0808b3a4c95584fdb18411583f01eb130

SHA512
c906b35334b52ecf270a64b3b1ee7be9e5673bd19cd93f825440cd0c98c0cda402cd0ea1f5695f36dab175ba74293600bea8f8405d6178aee53873fbacbfb5f1

Download Submit
\Users\Admin\AppData\Local\Temp\25CC.tmp
Filesize
129KB

MD5
07b4592c97a1463e510c54dfc7397a32

SHA1
96b4c25879ede0a923f5cfead45ae1f5a75a40a6

SHA256
7d3cb54f874eb54212f2f77fc6e8e9e0808b3a4c95584fdb18411583f01eb130

SHA512
c906b35334b52ecf270a64b3b1ee7be9e5673bd19cd93f825440cd0c98c0cda402cd0ea1f5695f36dab175ba74293600bea8f8405d6178aee53873fbacbfb5f1

Download Submit
\Users\Admin\AppData\Local\Temp\F7E8.tmp
Filesize
16KB

MD5
b5267674f2a52871b54bc2ba8e931fcf

SHA1
ff6fa062e0dde9f50d6a430f4b360781c583f9d9

SHA256
b6f74672c8b776125cfecc007e5a3eaf46fa64ea70df089f4c5997d303aad9dd

SHA512
98a82ae906ea088cd9bda73fde871df2d55df13176387b0bc3cdd313824106bfd2e3647885987097b7e0d9e5f0e292feb19dfa9072020ffedf012e047b91293f

Download Submit
\Users\Admin\AppData\Local\Temp\F7E8.tmp
Filesize
16KB

MD5
b5267674f2a52871b54bc2ba8e931fcf

SHA1
ff6fa062e0dde9f50d6a430f4b360781c583f9d9

SHA256
b6f74672c8b776125cfecc007e5a3eaf46fa64ea70df089f4c5997d303aad9dd

SHA512
98a82ae906ea088cd9bda73fde871df2d55df13176387b0bc3cdd313824106bfd2e3647885987097b7e0d9e5f0e292feb19dfa9072020ffedf012e047b91293f

Download Submit
memory/524-85-0x0000000000000000-mapping.dmp

Download
memory/524-88-0x0000000000080000-0x00000000000A5000-memory.dmp

Filesize
148KB

Download
memory/668-69-0x0000000000000000-mapping.dmp

Download
memory/1044-89-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/1044-83-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/1044-73-0x0000000000000000-mapping.dmp

Download
memory/1380-65-0x0000000000400000-0x0000000002535000-memory.dmp

Filesize
33.2MB

Download
memory/1380-56-0x0000000000310000-0x0000000000332000-memory.dmp

Filesize
136KB

Download
memory/1380-54-0x0000000075611000-0x0000000075613000-memory.dmp

Filesize
8KB

Download
memory/1380-57-0x0000000000400000-0x0000000002535000-memory.dmp

Filesize
33.2MB

Download
memory/1380-91-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/1380-62-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/1380-90-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/1380-55-0x00000000746D1000-0x00000000746D3000-memory.dmp

Filesize
8KB

Download
memory/1380-63-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/1628-71-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/1628-64-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1628-60-0x0000000000000000-mapping.dmp

Download
memory/1824-82-0x0000000000330000-0x0000000000355000-memory.dmp

Filesize
148KB

Download
memory/1824-80-0x0000000073E91000-0x0000000073E93000-memory.dmp

Filesize
8KB

Download
memory/1824-76-0x0000000000000000-mapping.dmp

Download
memory/1876-78-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/1876-77-0x0000000000B00000-0x0000000000B14000-memory.dmp

Filesize
80KB

Download
memory/1876-72-0x0000000000000000-mapping.dmp

Download
memory/2024-86-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads