3952a8f8ec7e05c5739265bc1e135f6713062c77453bea9a43027918fd75f075

General

Target

3952a8f8ec7e05c5739265bc1e135f6713062c77453bea9a43027918fd75f075.exe
Size

560KB
MD5

7a8b79f6198be5fe36640f7fdf741ac8
SHA1

d56891507deb4f41ef847a6b6a8cacb56022a198
SHA256

3952a8f8ec7e05c5739265bc1e135f6713062c77453bea9a43027918fd75f075
SHA512

738be43619ecf55be3f115514c523c17d6cac0ce967eb6566c37d98fa68818efe34b1bf1b1b7be2bd335dbca10134573d427f5e57c8dbb3454d1b69619488f87
SSDEEP

12288:9LoFjUa8qc3zvJVTabu6rYHXbHEVpTjQ8Jay5q0:faHcjvDEu68HX7CjfJ7q0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
884	Setup.exe
4992	SETUP~1.EXE
4884	SETUP~1.tmp

Loads dropped DLL 2 IoCs

pid	Process
4884	SETUP~1.tmp
4884	SETUP~1.tmp

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3952a8f8ec7e05c5739265bc1e135f6713062c77453bea9a43027918fd75f075.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3952a8f8ec7e05c5739265bc1e135f6713062c77453bea9a43027918fd75f075.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
884	Setup.exe
884	Setup.exe
884	Setup.exe
884	Setup.exe
884	Setup.exe
884	Setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	Setup.exe
Token: SeDebugPrivilege	884	Setup.exe
Token: SeDebugPrivilege	884	Setup.exe
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 884	5104	3952a8f8ec7e05c5739265bc1e135f6713062c77453bea9a43027918fd75f075.exe	78
PID 5104 wrote to memory of 884	5104	3952a8f8ec7e05c5739265bc1e135f6713062c77453bea9a43027918fd75f075.exe	78
PID 5104 wrote to memory of 884	5104	3952a8f8ec7e05c5739265bc1e135f6713062c77453bea9a43027918fd75f075.exe	78
PID 884 wrote to memory of 2824	884	Setup.exe	44
PID 5104 wrote to memory of 4992	5104	3952a8f8ec7e05c5739265bc1e135f6713062c77453bea9a43027918fd75f075.exe	79
PID 5104 wrote to memory of 4992	5104	3952a8f8ec7e05c5739265bc1e135f6713062c77453bea9a43027918fd75f075.exe	79
PID 5104 wrote to memory of 4992	5104	3952a8f8ec7e05c5739265bc1e135f6713062c77453bea9a43027918fd75f075.exe	79
PID 4992 wrote to memory of 4884	4992	SETUP~1.EXE	80
PID 4992 wrote to memory of 4884	4992	SETUP~1.EXE	80
PID 4992 wrote to memory of 4884	4992	SETUP~1.EXE	80

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2824
- C:\Users\Admin\AppData\Local\Temp\3952a8f8ec7e05c5739265bc1e135f6713062c77453bea9a43027918fd75f075.exe
  "C:\Users\Admin\AppData\Local\Temp\3952a8f8ec7e05c5739265bc1e135f6713062c77453bea9a43027918fd75f075.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:884
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\is-TIV1R.tmp\SETUP~1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-TIV1R.tmp\SETUP~1.tmp" /SL5="$80028,54272,0,C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP~1.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP~1.EXE

Filesize
351KB

MD5
5cf38d6cef964888fa34f93645069ab2

SHA1
e88fe4b642ddfe6ee352b0029506cdd6610a3cef

SHA256
e4cad2f5f335716ed22781ebc47309aa464d34acb61b38b22a41dc590694832d

SHA512
657620cf1410dfb2df537a30fb61e6009999734f7b6a10f52cb33d27c18eb3519033c842ddb02a02240a7a844c6e0b5d2ac0687bbd2d74e346ac7a037a25b0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP~1.EXE

Filesize
351KB

MD5
5cf38d6cef964888fa34f93645069ab2

SHA1
e88fe4b642ddfe6ee352b0029506cdd6610a3cef

SHA256
e4cad2f5f335716ed22781ebc47309aa464d34acb61b38b22a41dc590694832d

SHA512
657620cf1410dfb2df537a30fb61e6009999734f7b6a10f52cb33d27c18eb3519033c842ddb02a02240a7a844c6e0b5d2ac0687bbd2d74e346ac7a037a25b0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe

Filesize
195KB

MD5
1db53f2daeab5ad44f2c3f5bd9dc21ee

SHA1
8cc64ed2ac92579e525e635a1ed7b2be86e0c600

SHA256
fc27dfcec54d5323a23d79c4648bab69eb0e9c0f1f10259f0a02dfd312439771

SHA512
ed8618113c690632381bd5109ec8bf1e0b533fb33cf1e5f38f8ab1105d2820c039b6079e116c4ac2b8f2603941d7a5f43c2ebce2e2d3ff6877b9ca0461693016

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe

Filesize
195KB

MD5
1db53f2daeab5ad44f2c3f5bd9dc21ee

SHA1
8cc64ed2ac92579e525e635a1ed7b2be86e0c600

SHA256
fc27dfcec54d5323a23d79c4648bab69eb0e9c0f1f10259f0a02dfd312439771

SHA512
ed8618113c690632381bd5109ec8bf1e0b533fb33cf1e5f38f8ab1105d2820c039b6079e116c4ac2b8f2603941d7a5f43c2ebce2e2d3ff6877b9ca0461693016

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A22D9.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A22D9.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TIV1R.tmp\SETUP~1.tmp

Filesize
677KB

MD5
c04af2e8479e97b7734a912456464ca8

SHA1
abc4a5744c5a48bde3644ed92fc8a685d56cd60b

SHA256
9e18f7e9753f2951bf13f8cd2e972202af5d87b21b54a5e2b2bc53e1285ead48

SHA512
6b820ecb369e0b86acdade06d17552b2c9aa953bc3b65dff52eb4388393bbe5b36eaa9518f86d3f25ea2758fe3b03b184a74f2585268d6063c2ff8a4e72a132c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TIV1R.tmp\SETUP~1.tmp

Filesize
677KB

MD5
c04af2e8479e97b7734a912456464ca8

SHA1
abc4a5744c5a48bde3644ed92fc8a685d56cd60b

SHA256
9e18f7e9753f2951bf13f8cd2e972202af5d87b21b54a5e2b2bc53e1285ead48

SHA512
6b820ecb369e0b86acdade06d17552b2c9aa953bc3b65dff52eb4388393bbe5b36eaa9518f86d3f25ea2758fe3b03b184a74f2585268d6063c2ff8a4e72a132c

Download Submit
memory/884-136-0x0000000001F70000-0x0000000001FA9000-memory.dmp

Filesize
228KB

Download
memory/884-138-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/884-137-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/884-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4884-150-0x00000000031F1000-0x00000000031F3000-memory.dmp

Filesize
8KB

Download
memory/4992-142-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4992-147-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4992-151-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing