60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f

General

Target

60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe
Size

50KB
MD5

d4791e6cbb9dff8dd92fbb3b1a42dda2
SHA1

7c3b0cba3a6a30bbe7baf399d76531a202146c05
SHA256

60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f
SHA512

ff0a6980a2f051df4c062692bf8839a8f8cbcd39ee598e50f121b0e6ec6e2fe60e7c4041a080bc578dc4630ca0d0a79cbd5da34977afd50de20c8bca35f3fa91
SSDEEP

768:V1QM9CFilbA7Oc5fpVZRYMMDHjvEX2nT+ipe8tDWU/LR2NBZpmjEJ+l8:xWi5AzfXYMMHY2nT+ipeYv2ND4x8

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\28717 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msoxow.exe"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2880	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3988 set thread context of 2880	3988	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe	86

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\msoxow.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2880	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe
2880	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2880	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe
2880	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 4564	3988	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe	85
PID 3988 wrote to memory of 4564	3988	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe	85
PID 3988 wrote to memory of 4564	3988	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe	85
PID 3988 wrote to memory of 2880	3988	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe	86
PID 3988 wrote to memory of 2880	3988	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe	86
PID 3988 wrote to memory of 2880	3988	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe	86
PID 3988 wrote to memory of 2880	3988	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe	86
PID 3988 wrote to memory of 2880	3988	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe	86
PID 2880 wrote to memory of 2288	2880	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe	87
PID 2880 wrote to memory of 2288	2880	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe	87
PID 2880 wrote to memory of 2288	2880	60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe	87

C:\Users\Admin\AppData\Local\Temp\60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe
"C:\Users\Admin\AppData\Local\Temp\60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\AppData\Local\Temp\60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe
  "C:\Users\Admin\AppData\Local\Temp\60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe"
  2⤵
  PID:4564
- C:\Users\Admin\AppData\Local\Temp\60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe
  "C:\Users\Admin\AppData\Local\Temp\60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - Adds policy Run key to start application
    - Drops file in Program Files directory
    PID:2288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f.exe

Filesize
50KB

MD5
d4791e6cbb9dff8dd92fbb3b1a42dda2

SHA1
7c3b0cba3a6a30bbe7baf399d76531a202146c05

SHA256
60e10543cd0be245209a8f3da1517790c5c0a1613b10b4145adc438e8f5ee47f

SHA512
ff0a6980a2f051df4c062692bf8839a8f8cbcd39ee598e50f121b0e6ec6e2fe60e7c4041a080bc578dc4630ca0d0a79cbd5da34977afd50de20c8bca35f3fa91

Download Submit
memory/2288-138-0x0000000000790000-0x000000000079E000-memory.dmp

Filesize
56KB

Download
memory/2288-139-0x00000000005B0000-0x00000000005B5000-memory.dmp

Filesize
20KB

Download
memory/2288-140-0x00000000004D0000-0x00000000004D5000-memory.dmp

Filesize
20KB

Download
memory/2288-141-0x00000000004D0000-0x00000000004D5000-memory.dmp

Filesize
20KB

Download
memory/2880-134-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2880-137-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing