d3bdc82b9dac56c0c627a57095b8acfc96753e5df4849b2cf7949f44cb9e5656

General

Target

d3bdc82b9dac56c0c627a57095b8acfc96753e5df4849b2cf7949f44cb9e5656.exe
Size

1.4MB
MD5

b428e5d6f582edeccd49c4a8a42449f8
SHA1

f9ea1edee886d38e5543e2d98221ba87fea3a514
SHA256

d3bdc82b9dac56c0c627a57095b8acfc96753e5df4849b2cf7949f44cb9e5656
SHA512

970e9127c17ed87f73782de129baeb144602f16d93cc21189f9faae36aaa7ac29f311443d4f88eb6e48347bebaa739b937263a728c690fcf74756b7faf81ca0f
SSDEEP

24576:ZAYKY2GH6W0vXJccTACK5nSc61JtDlxnIvL0nEG5a7sR+y2rr71Z8xxn7F9AurMK:ZAJY9s5/Ann0JWLAEpy2rr71k7FKuruy

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
900	explorer.exe
560	wins.exe
1920	wins.exe

Loads dropped DLL 2 IoCs

pid	Process
1972	d3bdc82b9dac56c0c627a57095b8acfc96753e5df4849b2cf7949f44cb9e5656.exe
900	explorer.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\SYSTEM~1\AppData\Local\WINDOW~1\QUERIE~1.CAC	wins.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe	explorer.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\queries-02.cache	wins.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\crutch	wins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\crutch\LocalService = "Windows Internet Name Service"	wins.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1920	wins.exe
1920	wins.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 900	1972	d3bdc82b9dac56c0c627a57095b8acfc96753e5df4849b2cf7949f44cb9e5656.exe	28
PID 1972 wrote to memory of 900	1972	d3bdc82b9dac56c0c627a57095b8acfc96753e5df4849b2cf7949f44cb9e5656.exe	28
PID 1972 wrote to memory of 900	1972	d3bdc82b9dac56c0c627a57095b8acfc96753e5df4849b2cf7949f44cb9e5656.exe	28
PID 1972 wrote to memory of 900	1972	d3bdc82b9dac56c0c627a57095b8acfc96753e5df4849b2cf7949f44cb9e5656.exe	28
PID 900 wrote to memory of 560	900	explorer.exe	29
PID 900 wrote to memory of 560	900	explorer.exe	29
PID 900 wrote to memory of 560	900	explorer.exe	29
PID 900 wrote to memory of 560	900	explorer.exe	29

C:\Users\Admin\AppData\Local\Temp\d3bdc82b9dac56c0c627a57095b8acfc96753e5df4849b2cf7949f44cb9e5656.exe
"C:\Users\Admin\AppData\Local\Temp\d3bdc82b9dac56c0c627a57095b8acfc96753e5df4849b2cf7949f44cb9e5656.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe
    "C:\Windows\system32\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe" /Service
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:560

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe
"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\explorer.exe

Filesize
5.1MB

MD5
53772d0e0aa23e5cc43f405d8d846b27

SHA1
e00c2ef1cec31aec62a2a6ef4eb980382315df51

SHA256
ee49c1a2c59ecaa31c2ea92f89e3b83f8edd88e713054d2278aab89821381f88

SHA512
a6ddb1c7147c5776ce88025e44d64b0228857223dc06f82948c00bcef89c4217083e229385796c49783487a0f9f14bc68bb44a90500927381cb1b261f9fdf581

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\explorer.exe

Filesize
5.1MB

MD5
53772d0e0aa23e5cc43f405d8d846b27

SHA1
e00c2ef1cec31aec62a2a6ef4eb980382315df51

SHA256
ee49c1a2c59ecaa31c2ea92f89e3b83f8edd88e713054d2278aab89821381f88

SHA512
a6ddb1c7147c5776ce88025e44d64b0228857223dc06f82948c00bcef89c4217083e229385796c49783487a0f9f14bc68bb44a90500927381cb1b261f9fdf581

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe

Filesize
5.1MB

MD5
53772d0e0aa23e5cc43f405d8d846b27

SHA1
e00c2ef1cec31aec62a2a6ef4eb980382315df51

SHA256
ee49c1a2c59ecaa31c2ea92f89e3b83f8edd88e713054d2278aab89821381f88

SHA512
a6ddb1c7147c5776ce88025e44d64b0228857223dc06f82948c00bcef89c4217083e229385796c49783487a0f9f14bc68bb44a90500927381cb1b261f9fdf581

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe

Filesize
5.1MB

MD5
53772d0e0aa23e5cc43f405d8d846b27

SHA1
e00c2ef1cec31aec62a2a6ef4eb980382315df51

SHA256
ee49c1a2c59ecaa31c2ea92f89e3b83f8edd88e713054d2278aab89821381f88

SHA512
a6ddb1c7147c5776ce88025e44d64b0228857223dc06f82948c00bcef89c4217083e229385796c49783487a0f9f14bc68bb44a90500927381cb1b261f9fdf581

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\explorer.exe

Filesize
5.1MB

MD5
53772d0e0aa23e5cc43f405d8d846b27

SHA1
e00c2ef1cec31aec62a2a6ef4eb980382315df51

SHA256
ee49c1a2c59ecaa31c2ea92f89e3b83f8edd88e713054d2278aab89821381f88

SHA512
a6ddb1c7147c5776ce88025e44d64b0228857223dc06f82948c00bcef89c4217083e229385796c49783487a0f9f14bc68bb44a90500927381cb1b261f9fdf581

Download Submit
\Windows\SysWOW64\config\systemprofile\AppData\Local\Windows Internet Name Service\wins.exe

Filesize
5.1MB

MD5
53772d0e0aa23e5cc43f405d8d846b27

SHA1
e00c2ef1cec31aec62a2a6ef4eb980382315df51

SHA256
ee49c1a2c59ecaa31c2ea92f89e3b83f8edd88e713054d2278aab89821381f88

SHA512
a6ddb1c7147c5776ce88025e44d64b0228857223dc06f82948c00bcef89c4217083e229385796c49783487a0f9f14bc68bb44a90500927381cb1b261f9fdf581

Download Submit
memory/1972-54-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing