2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7

General

Target

2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe
Size

662KB
MD5

cd642c5f2839697b4a5e08627cbf6f9b
SHA1

dff5b04da6edc740e4ba82cfba45afe22d08c7c4
SHA256

2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7
SHA512

942b2cfcf43308a972834ff2062cac4413cf071aa5f33eba6cf28fd8ce818e3bbab4d315945d6e553db76b6251b0ee7e21b0a71a0ad9e404ade6a660d798f186
SSDEEP

12288:z37h6cT888888888888W88888888888tO+Lp36ABo8YUoYBWzWgdutXsdTgKjtj0:j7hZel6WzWgduyJgKjTbOV6+YPa

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2600	adinstall.exe
3896	adinstall.tmp
448	metablogagent.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MetablogNewIssues = "C:\\Users\\Admin\\AppData\\Local\\MetablogNewIssues\\MetablogNewIssues.exe /byboot"	adinstall.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metablogagent = "C:\\Users\\Admin\\AppData\\Local\\MetablogNewIssues\\metablogagent.exe"	adinstall.tmp
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	adinstall.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4816	2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe
448	metablogagent.exe
448	metablogagent.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 2600	4816	2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe	84
PID 4816 wrote to memory of 2600	4816	2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe	84
PID 4816 wrote to memory of 2600	4816	2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe	84
PID 2600 wrote to memory of 3896	2600	adinstall.exe	87
PID 2600 wrote to memory of 3896	2600	adinstall.exe	87
PID 2600 wrote to memory of 3896	2600	adinstall.exe	87
PID 3896 wrote to memory of 448	3896	adinstall.tmp	89
PID 3896 wrote to memory of 448	3896	adinstall.tmp	89
PID 3896 wrote to memory of 448	3896	adinstall.tmp	89

C:\Users\Admin\AppData\Local\Temp\2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe
"C:\Users\Admin\AppData\Local\Temp\2e4bcc2ab40030695c9d2c0973f64d17b53e9ec26dea245f7c5af426325982b7.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\adm\adinstall.exe
  C:\Users\Admin\AppData\Local\Temp\\adm\adinstall.exe /VERYSILENT /SUPPRESSMSGBOXES
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\is-41EB1.tmp\adinstall.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-41EB1.tmp\adinstall.tmp" /SL5="$A004E,257361,138240,C:\Users\Admin\AppData\Local\Temp\adm\adinstall.exe" /VERYSILENT /SUPPRESSMSGBOXES
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe
      "C:\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe" /install
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe

Filesize
126KB

MD5
0fcab5303210e2738b72b668cbfc2dbc

SHA1
d809593e9257cd54f137eac5c7a75bb7a62cd0cf

SHA256
f974e8b4795bee8c266df1bf4b0c2cd5221cdf34ad4ae7abee990387dabaab2c

SHA512
82145163d0952322889e1352d28b8c89b15ed5aab8c69ebc6d73385e596dff517b22fc08de6d570894e04a5ac0f9a34db9841b9c449e74788061abaaaeb73ee1

Download Submit
C:\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe

Filesize
126KB

MD5
0fcab5303210e2738b72b668cbfc2dbc

SHA1
d809593e9257cd54f137eac5c7a75bb7a62cd0cf

SHA256
f974e8b4795bee8c266df1bf4b0c2cd5221cdf34ad4ae7abee990387dabaab2c

SHA512
82145163d0952322889e1352d28b8c89b15ed5aab8c69ebc6d73385e596dff517b22fc08de6d570894e04a5ac0f9a34db9841b9c449e74788061abaaaeb73ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\adm\adinstall.exe

Filesize
633KB

MD5
ab870789508865d907b4868890b299de

SHA1
59337bc37f47298d27d1a33441b3aa753d2581a9

SHA256
6a77411d27b031b57769df1832a69a905397da8b2a07435d36ec7ceb57171af2

SHA512
13646c8148198368d3a14d78d288df46a9d5c97575e5881067cafa10617e9c5d51680f3706555181672686e06bd91d6c64ebd346af1bb8854b7877d52b60b200

Download Submit
C:\Users\Admin\AppData\Local\Temp\adm\adinstall.exe

Filesize
633KB

MD5
ab870789508865d907b4868890b299de

SHA1
59337bc37f47298d27d1a33441b3aa753d2581a9

SHA256
6a77411d27b031b57769df1832a69a905397da8b2a07435d36ec7ceb57171af2

SHA512
13646c8148198368d3a14d78d288df46a9d5c97575e5881067cafa10617e9c5d51680f3706555181672686e06bd91d6c64ebd346af1bb8854b7877d52b60b200

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-41EB1.tmp\adinstall.tmp

Filesize
1.1MB

MD5
ef4643fb82df32a3d7fa4c8739c7006b

SHA1
d2c7e71f33fb1c751946a42bf409e36a9ecb54e9

SHA256
974700947c38a03e00e60fbcdb7c1132e8900a16ece8d3a6943458b230248abc

SHA512
db3f1e0650f9708a27eb7171438a89b7f70624a6de22e6a5bc98ccf33e27cc0419f0ec589c03abe2b6c0ecaa46cfccd9f747bebd4e5d78d34148866e101ed51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-41EB1.tmp\adinstall.tmp

Filesize
1.1MB

MD5
ef4643fb82df32a3d7fa4c8739c7006b

SHA1
d2c7e71f33fb1c751946a42bf409e36a9ecb54e9

SHA256
974700947c38a03e00e60fbcdb7c1132e8900a16ece8d3a6943458b230248abc

SHA512
db3f1e0650f9708a27eb7171438a89b7f70624a6de22e6a5bc98ccf33e27cc0419f0ec589c03abe2b6c0ecaa46cfccd9f747bebd4e5d78d34148866e101ed51c

Download Submit
memory/2600-141-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2600-137-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2600-135-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2600-145-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing