cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3

General

Target

cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe
Size

507KB
MD5

aa644e4ba71f99c7ab5d622a26f95d73
SHA1

857d5aed4e0db38460bb27a99dcd0ed602ae5d91
SHA256

cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3
SHA512

ab3a4d387a92c61731317394bdb8c14ce5160e6211ab892f30973ab28d8198102da8de37fa6283492b4adfa495bb108de032c540d546e195da67102d9e1800e5
SSDEEP

6144:PUrqA3AheuswyPnsfbRoTUvF8GBKcBfq2qJYCh5Flpo/u:PUWA3AheuswyU5vaGLf7qJb7po/u

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1380	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1060	cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe
1060	cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "C:\\Users\\Admin\\Application Data\\Adobe\\reader_sl.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1184	AcroRd32.exe
1184	AcroRd32.exe
1184	AcroRd32.exe
1184	AcroRd32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 1380	1060	cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe	27
PID 1060 wrote to memory of 1380	1060	cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe	27
PID 1060 wrote to memory of 1380	1060	cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe	27
PID 1060 wrote to memory of 1380	1060	cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe	27
PID 1060 wrote to memory of 1380	1060	cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe	27
PID 1060 wrote to memory of 1380	1060	cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe	27
PID 1060 wrote to memory of 1380	1060	cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe	27
PID 1060 wrote to memory of 1184	1060	cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe	28
PID 1060 wrote to memory of 1184	1060	cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe	28
PID 1060 wrote to memory of 1184	1060	cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe	28
PID 1060 wrote to memory of 1184	1060	cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe	28
PID 1060 wrote to memory of 1184	1060	cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe	28
PID 1060 wrote to memory of 1184	1060	cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe	28
PID 1060 wrote to memory of 1184	1060	cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe	28
PID 1380 wrote to memory of 2004	1380	svchost.exe	29
PID 1380 wrote to memory of 2004	1380	svchost.exe	29
PID 1380 wrote to memory of 2004	1380	svchost.exe	29
PID 1380 wrote to memory of 2004	1380	svchost.exe	29
PID 1380 wrote to memory of 2004	1380	svchost.exe	29
PID 1380 wrote to memory of 2004	1380	svchost.exe	29
PID 1380 wrote to memory of 2004	1380	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe
"C:\Users\Admin\AppData\Local\Temp\cfe78702781aad83f03ac8d4c475561f990e4b33a4688301f3c2d729a8f6fbe3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Adobe Reader Speed Launcher" /d "C:\Users\Admin\Application Data\Adobe\reader_sl.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2004
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1206.pdf"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1206.pdf

Filesize
148KB

MD5
4bacd0d1ccd599afee9bf387199da79a

SHA1
07937a11930bb7dca52caed529706ced320431e5

SHA256
1673398cbf0597a914bccb491458d16c3941fc729f9b0f558f9a2a8a998f98e8

SHA512
99f5e28a4acfbdd1f36ff21094df9a3ecbbf4b1de2ff536a449ca370135fa45da3cb9c2144f247e34f5037165e16b31976f7343364a54cb3126f8a9e02dec75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
8KB

MD5
0edda97120f308402b2aa96ad4efa91c

SHA1
a216d99058a13c94ba0e9d87ede846e6ed8b665d

SHA256
ea70f7606d4565af4f06f0c3760cbde976976939cab63c4be8b51ca2c0888e15

SHA512
ecff665d539f62aca094bdf5ee53e0f666d5b95e185f37cfec83934c8231208031de1fc951b190179f4b30aa2deb08a3c19a88f16cdb339e3c357c3a954ac2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
8KB

MD5
0edda97120f308402b2aa96ad4efa91c

SHA1
a216d99058a13c94ba0e9d87ede846e6ed8b665d

SHA256
ea70f7606d4565af4f06f0c3760cbde976976939cab63c4be8b51ca2c0888e15

SHA512
ecff665d539f62aca094bdf5ee53e0f666d5b95e185f37cfec83934c8231208031de1fc951b190179f4b30aa2deb08a3c19a88f16cdb339e3c357c3a954ac2a6

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
8KB

MD5
0edda97120f308402b2aa96ad4efa91c

SHA1
a216d99058a13c94ba0e9d87ede846e6ed8b665d

SHA256
ea70f7606d4565af4f06f0c3760cbde976976939cab63c4be8b51ca2c0888e15

SHA512
ecff665d539f62aca094bdf5ee53e0f666d5b95e185f37cfec83934c8231208031de1fc951b190179f4b30aa2deb08a3c19a88f16cdb339e3c357c3a954ac2a6

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
8KB

MD5
0edda97120f308402b2aa96ad4efa91c

SHA1
a216d99058a13c94ba0e9d87ede846e6ed8b665d

SHA256
ea70f7606d4565af4f06f0c3760cbde976976939cab63c4be8b51ca2c0888e15

SHA512
ecff665d539f62aca094bdf5ee53e0f666d5b95e185f37cfec83934c8231208031de1fc951b190179f4b30aa2deb08a3c19a88f16cdb339e3c357c3a954ac2a6

Download Submit
memory/1060-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1184-61-0x0000000000000000-mapping.dmp

Download
memory/1380-57-0x0000000000000000-mapping.dmp

Download
memory/2004-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing