847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844

General

Target

847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844.exe
Size

878KB
MD5

6eb796dff32db9ecc27de7d11e2a0b9b
SHA1

382bd667254ea0f388492df58b5c09746aa48adc
SHA256

847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844
SHA512

563bb538f73de9d46d162960b4e74dc4735708f7e977f68d11fa65f2a4fbec6e76b3d52def5a9c02de5e47096aad9e11aa0f39e48693b3024062b2e2585df036
SSDEEP

12288:545lsk3cppypFgcBcF6gUmbMrWEBD24uX0gAb+yKI09ZgP5qEsPtRac5Mbk2hEV+:5454ppE7MICQMX0gskCvWzac8lhEV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
656	50539545.exe

Deletes itself 1 IoCs

pid	Process
752	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
752	cmd.exe
752	cmd.exe
656	50539545.exe
656	50539545.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844 = "\"C:\\Users\\Admin\\AppData\\Local\\50539545.exe\" 0 33 "	847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	50539545.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\50539545 = "\"C:\\Users\\Admin\\AppData\\Local\\50539545.exe\" 0 25 "	50539545.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
432	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
656	50539545.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
656	50539545.exe
656	50539545.exe
656	50539545.exe
656	50539545.exe
656	50539545.exe
656	50539545.exe
656	50539545.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
656	50539545.exe
656	50539545.exe
656	50539545.exe
656	50539545.exe
656	50539545.exe
656	50539545.exe
656	50539545.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 752	1776	847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844.exe	28
PID 1776 wrote to memory of 752	1776	847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844.exe	28
PID 1776 wrote to memory of 752	1776	847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844.exe	28
PID 1776 wrote to memory of 752	1776	847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844.exe	28
PID 752 wrote to memory of 432	752	cmd.exe	30
PID 752 wrote to memory of 432	752	cmd.exe	30
PID 752 wrote to memory of 432	752	cmd.exe	30
PID 752 wrote to memory of 432	752	cmd.exe	30
PID 752 wrote to memory of 656	752	cmd.exe	31
PID 752 wrote to memory of 656	752	cmd.exe	31
PID 752 wrote to memory of 656	752	cmd.exe	31
PID 752 wrote to memory of 656	752	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844.exe
"C:\Users\Admin\AppData\Local\Temp\847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\87336145.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844 /f
    3⤵
    - Modifies registry key
    PID:432
- - C:\Users\Admin\AppData\Local\50539545.exe
    C:\Users\Admin\AppData\Local\50539545.exe -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\50539545.exe

Filesize
878KB

MD5
6eb796dff32db9ecc27de7d11e2a0b9b

SHA1
382bd667254ea0f388492df58b5c09746aa48adc

SHA256
847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844

SHA512
563bb538f73de9d46d162960b4e74dc4735708f7e977f68d11fa65f2a4fbec6e76b3d52def5a9c02de5e47096aad9e11aa0f39e48693b3024062b2e2585df036

Download Submit
C:\Users\Admin\AppData\Local\50539545.exe

Filesize
878KB

MD5
6eb796dff32db9ecc27de7d11e2a0b9b

SHA1
382bd667254ea0f388492df58b5c09746aa48adc

SHA256
847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844

SHA512
563bb538f73de9d46d162960b4e74dc4735708f7e977f68d11fa65f2a4fbec6e76b3d52def5a9c02de5e47096aad9e11aa0f39e48693b3024062b2e2585df036

Download Submit
C:\Users\Admin\AppData\Local\Temp\87336145.bat

Filesize
458B

MD5
93b14f8f3b148fe029f3e5e6f7aad28d

SHA1
bd2785945f42db476a3960b9cda66aa89c8c8860

SHA256
45744c44f32fb1801a42c7dc77430d1f9df84607b5f30e8400fc931147bbfa45

SHA512
6e489303821c67d7775dedc036140ada4294c848ab0a5dafac5bea2f61d4823bb1d521b45b896162de50b66fd450c6925dd699b2f7c0ad49a086f993cb175889

Download Submit
\Users\Admin\AppData\Local\50539545.exe

Filesize
878KB

MD5
6eb796dff32db9ecc27de7d11e2a0b9b

SHA1
382bd667254ea0f388492df58b5c09746aa48adc

SHA256
847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844

SHA512
563bb538f73de9d46d162960b4e74dc4735708f7e977f68d11fa65f2a4fbec6e76b3d52def5a9c02de5e47096aad9e11aa0f39e48693b3024062b2e2585df036

Download Submit
\Users\Admin\AppData\Local\50539545.exe

Filesize
878KB

MD5
6eb796dff32db9ecc27de7d11e2a0b9b

SHA1
382bd667254ea0f388492df58b5c09746aa48adc

SHA256
847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844

SHA512
563bb538f73de9d46d162960b4e74dc4735708f7e977f68d11fa65f2a4fbec6e76b3d52def5a9c02de5e47096aad9e11aa0f39e48693b3024062b2e2585df036

Download Submit
\Users\Admin\AppData\Local\50539545.exe

Filesize
878KB

MD5
6eb796dff32db9ecc27de7d11e2a0b9b

SHA1
382bd667254ea0f388492df58b5c09746aa48adc

SHA256
847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844

SHA512
563bb538f73de9d46d162960b4e74dc4735708f7e977f68d11fa65f2a4fbec6e76b3d52def5a9c02de5e47096aad9e11aa0f39e48693b3024062b2e2585df036

Download Submit
\Users\Admin\AppData\Local\50539545.exe

Filesize
878KB

MD5
6eb796dff32db9ecc27de7d11e2a0b9b

SHA1
382bd667254ea0f388492df58b5c09746aa48adc

SHA256
847350d19a2aff63910b41755ab2efc6b503a79f49939535de78fd9e2b987844

SHA512
563bb538f73de9d46d162960b4e74dc4735708f7e977f68d11fa65f2a4fbec6e76b3d52def5a9c02de5e47096aad9e11aa0f39e48693b3024062b2e2585df036

Download Submit
memory/656-67-0x00000000002B0000-0x0000000000348000-memory.dmp

Filesize
608KB

Download
memory/656-70-0x0000000001000000-0x0000000001439FF9-memory.dmp

Filesize
4.2MB

Download
memory/656-72-0x0000000001000000-0x0000000001439FF9-memory.dmp

Filesize
4.2MB

Download
memory/1776-56-0x0000000000230000-0x00000000002C8000-memory.dmp

Filesize
608KB

Download
memory/1776-54-0x0000000000230000-0x00000000002C8000-memory.dmp

Filesize
608KB

Download
memory/1776-55-0x0000000001000000-0x0000000001439FF9-memory.dmp

Filesize
4.2MB

Download
memory/1776-57-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1776-59-0x0000000001000000-0x0000000001439FF9-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads