98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1

General

Target

98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe
Size

105KB
MD5

85e895f88c2221af4d2f086e1598cc97
SHA1

e97ec11b25c30dc94cce5e440252c7a6fbd016a3
SHA256

98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1
SHA512

a272ff05d6c09ecb7e231bb7edd47d3c1e3dbf5485f8d360ba980c029c5b3900e65fd6082d27eaca5141270fba548a2cc254ff97a7463fe8f7a9fe6ac65044ae
SSDEEP

1536:F2gDm9Cg65AziTSZbKUFEb3G1N+aHBDdp3qx8amI:EsNQiTctEb3kHB76iM

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\16750187-0001-1100245\svcsrv.exe = "C:\\Users\\Admin\\16750187-0001-1100245\\svcsrv.exe:*:Enabled:Microsoft® Windows System"	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe

Executes dropped EXE 2 IoCs

pid	Process
564	svcsrv.exe
1976	svcsrv.exe

Loads dropped DLL 2 IoCs

pid	Process
1972	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe
1972	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows System = "C:\\Users\\Admin\\16750187-0001-1100245\\svcsrv.exe"	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 1972	2040	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe	27
PID 564 set thread context of 1976	564	svcsrv.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1972	2040	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe	27
PID 2040 wrote to memory of 1972	2040	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe	27
PID 2040 wrote to memory of 1972	2040	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe	27
PID 2040 wrote to memory of 1972	2040	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe	27
PID 2040 wrote to memory of 1972	2040	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe	27
PID 2040 wrote to memory of 1972	2040	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe	27
PID 2040 wrote to memory of 1972	2040	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe	27
PID 2040 wrote to memory of 1972	2040	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe	27
PID 2040 wrote to memory of 1972	2040	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe	27
PID 2040 wrote to memory of 1972	2040	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe	27
PID 2040 wrote to memory of 1972	2040	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe	27
PID 1972 wrote to memory of 564	1972	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe	28
PID 1972 wrote to memory of 564	1972	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe	28
PID 1972 wrote to memory of 564	1972	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe	28
PID 1972 wrote to memory of 564	1972	98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe	28
PID 564 wrote to memory of 1976	564	svcsrv.exe	29
PID 564 wrote to memory of 1976	564	svcsrv.exe	29
PID 564 wrote to memory of 1976	564	svcsrv.exe	29
PID 564 wrote to memory of 1976	564	svcsrv.exe	29
PID 564 wrote to memory of 1976	564	svcsrv.exe	29
PID 564 wrote to memory of 1976	564	svcsrv.exe	29
PID 564 wrote to memory of 1976	564	svcsrv.exe	29
PID 564 wrote to memory of 1976	564	svcsrv.exe	29
PID 564 wrote to memory of 1976	564	svcsrv.exe	29
PID 564 wrote to memory of 1976	564	svcsrv.exe	29
PID 564 wrote to memory of 1976	564	svcsrv.exe	29

C:\Users\Admin\AppData\Local\Temp\98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe
"C:\Users\Admin\AppData\Local\Temp\98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe
  "C:\Users\Admin\AppData\Local\Temp\98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1.exe"
  2⤵
  - Modifies firewall policy service
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\16750187-0001-1100245\svcsrv.exe
    "C:\Users\Admin\16750187-0001-1100245\svcsrv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Users\Admin\16750187-0001-1100245\svcsrv.exe
      "C:\Users\Admin\16750187-0001-1100245\svcsrv.exe"
      4⤵
      Executes dropped EXE
      PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\16750187-0001-1100245\svcsrv.exe

Filesize
105KB

MD5
85e895f88c2221af4d2f086e1598cc97

SHA1
e97ec11b25c30dc94cce5e440252c7a6fbd016a3

SHA256
98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1

SHA512
a272ff05d6c09ecb7e231bb7edd47d3c1e3dbf5485f8d360ba980c029c5b3900e65fd6082d27eaca5141270fba548a2cc254ff97a7463fe8f7a9fe6ac65044ae

Download Submit
C:\Users\Admin\16750187-0001-1100245\svcsrv.exe

Filesize
105KB

MD5
85e895f88c2221af4d2f086e1598cc97

SHA1
e97ec11b25c30dc94cce5e440252c7a6fbd016a3

SHA256
98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1

SHA512
a272ff05d6c09ecb7e231bb7edd47d3c1e3dbf5485f8d360ba980c029c5b3900e65fd6082d27eaca5141270fba548a2cc254ff97a7463fe8f7a9fe6ac65044ae

Download Submit
C:\Users\Admin\16750187-0001-1100245\svcsrv.exe

Filesize
105KB

MD5
85e895f88c2221af4d2f086e1598cc97

SHA1
e97ec11b25c30dc94cce5e440252c7a6fbd016a3

SHA256
98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1

SHA512
a272ff05d6c09ecb7e231bb7edd47d3c1e3dbf5485f8d360ba980c029c5b3900e65fd6082d27eaca5141270fba548a2cc254ff97a7463fe8f7a9fe6ac65044ae

Download Submit
\Users\Admin\16750187-0001-1100245\svcsrv.exe

Filesize
105KB

MD5
85e895f88c2221af4d2f086e1598cc97

SHA1
e97ec11b25c30dc94cce5e440252c7a6fbd016a3

SHA256
98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1

SHA512
a272ff05d6c09ecb7e231bb7edd47d3c1e3dbf5485f8d360ba980c029c5b3900e65fd6082d27eaca5141270fba548a2cc254ff97a7463fe8f7a9fe6ac65044ae

Download Submit
\Users\Admin\16750187-0001-1100245\svcsrv.exe

Filesize
105KB

MD5
85e895f88c2221af4d2f086e1598cc97

SHA1
e97ec11b25c30dc94cce5e440252c7a6fbd016a3

SHA256
98b069ee1ac97c95d69a120ca1801da9568283f643095db5679f3d6a134f31a1

SHA512
a272ff05d6c09ecb7e231bb7edd47d3c1e3dbf5485f8d360ba980c029c5b3900e65fd6082d27eaca5141270fba548a2cc254ff97a7463fe8f7a9fe6ac65044ae

Download Submit
memory/564-88-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1972-60-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1972-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1972-65-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1972-69-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1972-70-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1972-63-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1972-64-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1972-57-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1972-58-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2040-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/2040-56-0x00000000002F0000-0x000000000030E000-memory.dmp

Filesize
120KB

Download
memory/2040-55-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads