7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995

General

Target

7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe
Size

104KB
MD5

20929196f554c649d332980f24692ef7
SHA1

44c9f272a74794f1d1b27a7476fd79e5ec9fdc10
SHA256

7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995
SHA512

8dbc7fb467749f79a4191c8bb24950232905b4f22b8faab5b87a268cea7df307f6cd39a8011301bfcd4ed820bc2f32270f039e36a19e5b4bbdef9993229405fb
SSDEEP

3072:jE+HkRVn3fjKuaujqJ0geyhc4N73lTpU:zkXK6O0dyT7

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe

Modifies Windows Firewall 1 TTPs 5 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1052	netsh.exe
528	netsh.exe
1104	netsh.exe
1924	netsh.exe
320	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mousedriver.exe	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\engel = "C:\\Users\\Admin\\AppData\\Roaming\\updates\\updates.exe"	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\DHCP = "1636935"	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\DNS	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1052	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	28
PID 1792 wrote to memory of 1052	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	28
PID 1792 wrote to memory of 1052	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	28
PID 1792 wrote to memory of 1052	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	28
PID 1792 wrote to memory of 528	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	30
PID 1792 wrote to memory of 528	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	30
PID 1792 wrote to memory of 528	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	30
PID 1792 wrote to memory of 528	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	30
PID 1792 wrote to memory of 1104	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	32
PID 1792 wrote to memory of 1104	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	32
PID 1792 wrote to memory of 1104	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	32
PID 1792 wrote to memory of 1104	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	32
PID 1792 wrote to memory of 1924	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	34
PID 1792 wrote to memory of 1924	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	34
PID 1792 wrote to memory of 1924	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	34
PID 1792 wrote to memory of 1924	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	34
PID 1792 wrote to memory of 320	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	36
PID 1792 wrote to memory of 320	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	36
PID 1792 wrote to memory of 320	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	36
PID 1792 wrote to memory of 320	1792	7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe	36

C:\Users\Admin\AppData\Local\Temp\7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe
"C:\Users\Admin\AppData\Local\Temp\7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe"
1⤵
- Modifies firewall policy service
- Drops startup file
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1052
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe"
  2⤵
  - Modifies Windows Firewall
  PID:528
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1104
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1924
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\7a7109fbc1c67f808e7e3e40cfdc18646063e1762a5edaec94c6a03dd907c995.exe"
  2⤵
  - Modifies Windows Firewall
  PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1792-54-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/1792-55-0x0000000000520000-0x000000000053D000-memory.dmp

Filesize
116KB

Download
memory/1792-56-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1792-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads