a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98

General

Target

a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe
Size

1.1MB
MD5

753beed5c8ef36a4f9974bb5ed154c2e
SHA1

b88685813f147997e9a39f7771bf4efb8bbbf257
SHA256

a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98
SHA512

081a5dab5f68aa18d56451d2e3e3011dc89087dd450e4b6617443577658a0985e3e21fd597e015c5c5c6aeebf7a8e38c2a04d3dbf292f4b46ddc49ab42bedcca
SSDEEP

24576:JkjHSN59ngsR+PEIzzamL1472ex/Fbl2DPpoUX:JuinF+sIHlDI5YDqu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1744	svchost.exe
1752	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe
2040	a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 1752	1744	svchost.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2016	reg.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2016	2040	a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe	27
PID 2040 wrote to memory of 2016	2040	a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe	27
PID 2040 wrote to memory of 2016	2040	a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe	27
PID 2040 wrote to memory of 2016	2040	a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe	27
PID 2040 wrote to memory of 1744	2040	a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe	29
PID 2040 wrote to memory of 1744	2040	a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe	29
PID 2040 wrote to memory of 1744	2040	a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe	29
PID 2040 wrote to memory of 1744	2040	a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe	29
PID 1744 wrote to memory of 1752	1744	svchost.exe	30
PID 1744 wrote to memory of 1752	1744	svchost.exe	30
PID 1744 wrote to memory of 1752	1744	svchost.exe	30
PID 1744 wrote to memory of 1752	1744	svchost.exe	30
PID 1744 wrote to memory of 1752	1744	svchost.exe	30
PID 1744 wrote to memory of 1752	1744	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe
"C:\Users\Admin\AppData\Local\Temp\a9c96b1703cb39684207a675bf3af295faed1f8d27eb51b312c9cb19b57cbc98.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:2016
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.1MB

MD5
17b27756f4fec5d202d660d2caccd7d3

SHA1
69499864ea1d954b7b7c835bb2fe520249fe145e

SHA256
49dde38f106e92e79c75d96244df9a34755fe40c7d213ddbdd86f81173b22b14

SHA512
4141d59907975201f21774d972b80e53c3053b6f13675f1a1a24b64eecf32724c724a52334e55969a602ce90686ee0d3b6b1c21b17c3e3ef7ce6f375efeabb17

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.1MB

MD5
17b27756f4fec5d202d660d2caccd7d3

SHA1
69499864ea1d954b7b7c835bb2fe520249fe145e

SHA256
49dde38f106e92e79c75d96244df9a34755fe40c7d213ddbdd86f81173b22b14

SHA512
4141d59907975201f21774d972b80e53c3053b6f13675f1a1a24b64eecf32724c724a52334e55969a602ce90686ee0d3b6b1c21b17c3e3ef7ce6f375efeabb17

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.1MB

MD5
17b27756f4fec5d202d660d2caccd7d3

SHA1
69499864ea1d954b7b7c835bb2fe520249fe145e

SHA256
49dde38f106e92e79c75d96244df9a34755fe40c7d213ddbdd86f81173b22b14

SHA512
4141d59907975201f21774d972b80e53c3053b6f13675f1a1a24b64eecf32724c724a52334e55969a602ce90686ee0d3b6b1c21b17c3e3ef7ce6f375efeabb17

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.1MB

MD5
17b27756f4fec5d202d660d2caccd7d3

SHA1
69499864ea1d954b7b7c835bb2fe520249fe145e

SHA256
49dde38f106e92e79c75d96244df9a34755fe40c7d213ddbdd86f81173b22b14

SHA512
4141d59907975201f21774d972b80e53c3053b6f13675f1a1a24b64eecf32724c724a52334e55969a602ce90686ee0d3b6b1c21b17c3e3ef7ce6f375efeabb17

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.1MB

MD5
17b27756f4fec5d202d660d2caccd7d3

SHA1
69499864ea1d954b7b7c835bb2fe520249fe145e

SHA256
49dde38f106e92e79c75d96244df9a34755fe40c7d213ddbdd86f81173b22b14

SHA512
4141d59907975201f21774d972b80e53c3053b6f13675f1a1a24b64eecf32724c724a52334e55969a602ce90686ee0d3b6b1c21b17c3e3ef7ce6f375efeabb17

Download Submit
memory/1752-62-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1752-64-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1752-67-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1752-69-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1752-70-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1752-71-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2040-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads