f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0

General

Target

f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe
Size

645KB
MD5

eddb82bbad579385c225abd94591b56f
SHA1

27a588a4770aa301546157a3afcd3abe8f8a5c61
SHA256

f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0
SHA512

ca23e237d3b9fb2ebe82b4451a254db8d89383eee3e30f348f96860ad0dea8a3c1d64bcd7ad7bc573c974b24c884dfbe33e541ac5c73ec677e69dbc6c4589a5b
SSDEEP

1536:3v+gWn0/aKcTnbrGUfiZN5CfIUQ6rvOgOZlk9I/+kcg3Fteso7oJ9uuaxsp9OiSG:TWuaKcTOMIcvgfRwkjMFNTS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1572	usersint.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7880F99D-BC3G-14DF-89AS-1190DR808E85}	f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7880F99D-BC3G-14DF-89AS-1190DR808E85}\StubPath = "C:\\Windows\\system32\\usersint.exe"	f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe

Loads dropped DLL 1 IoCs

pid	Process
1648	f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\usersint.exe	f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe
File opened for modification	C:\Windows\SysWOW64\usersint.exe	f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1572 set thread context of 1236	1572	usersint.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1572	usersint.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1572	1648	f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe	28
PID 1648 wrote to memory of 1572	1648	f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe	28
PID 1648 wrote to memory of 1572	1648	f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe	28
PID 1648 wrote to memory of 1572	1648	f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe	28
PID 1572 wrote to memory of 1236	1572	usersint.exe	29
PID 1572 wrote to memory of 1236	1572	usersint.exe	29
PID 1572 wrote to memory of 1236	1572	usersint.exe	29
PID 1572 wrote to memory of 1236	1572	usersint.exe	29
PID 1572 wrote to memory of 1236	1572	usersint.exe	29
PID 1572 wrote to memory of 1236	1572	usersint.exe	29
PID 1572 wrote to memory of 1236	1572	usersint.exe	29
PID 1572 wrote to memory of 1236	1572	usersint.exe	29
PID 1572 wrote to memory of 1236	1572	usersint.exe	29
PID 1572 wrote to memory of 1236	1572	usersint.exe	29
PID 1572 wrote to memory of 1236	1572	usersint.exe	29
PID 1572 wrote to memory of 1236	1572	usersint.exe	29
PID 1572 wrote to memory of 1236	1572	usersint.exe	29
PID 1572 wrote to memory of 1236	1572	usersint.exe	29

C:\Users\Admin\AppData\Local\Temp\f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe
"C:\Users\Admin\AppData\Local\Temp\f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe"
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\usersint.exe
  "C:\Windows\system32\usersint.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\userinit.exe
    "C:\Windows\system32\userinit.exe"
    3⤵
    PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\usersint.exe

Filesize
645KB

MD5
eddb82bbad579385c225abd94591b56f

SHA1
27a588a4770aa301546157a3afcd3abe8f8a5c61

SHA256
f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0

SHA512
ca23e237d3b9fb2ebe82b4451a254db8d89383eee3e30f348f96860ad0dea8a3c1d64bcd7ad7bc573c974b24c884dfbe33e541ac5c73ec677e69dbc6c4589a5b

Download Submit
C:\Windows\SysWOW64\usersint.exe

Filesize
645KB

MD5
eddb82bbad579385c225abd94591b56f

SHA1
27a588a4770aa301546157a3afcd3abe8f8a5c61

SHA256
f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0

SHA512
ca23e237d3b9fb2ebe82b4451a254db8d89383eee3e30f348f96860ad0dea8a3c1d64bcd7ad7bc573c974b24c884dfbe33e541ac5c73ec677e69dbc6c4589a5b

Download Submit
\Windows\SysWOW64\usersint.exe

Filesize
645KB

MD5
eddb82bbad579385c225abd94591b56f

SHA1
27a588a4770aa301546157a3afcd3abe8f8a5c61

SHA256
f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0

SHA512
ca23e237d3b9fb2ebe82b4451a254db8d89383eee3e30f348f96860ad0dea8a3c1d64bcd7ad7bc573c974b24c884dfbe33e541ac5c73ec677e69dbc6c4589a5b

Download Submit
memory/1236-65-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1236-74-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1236-63-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1236-71-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1236-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1236-77-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1236-67-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1236-79-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1236-81-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1572-86-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1648-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1648-55-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1648-59-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing