c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56

General

Target

c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe
Size

89KB
MD5

e982f8207670946d5bcc18581caf6e89
SHA1

003881e35f529faaa485e42d78ebd889674412cb
SHA256

c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56
SHA512

d9814a9176c27e48d42258b1e615ddc94c68dbc6fc901c19e2d992b6333f2c803eda8ef8506ab997115af0b507ee5aae1ef5c52f261e02ff4df072e0b8700e3d
SSDEEP

1536:ARFtqMnrgUfv0L6p326kF3CBg72dxNGgSuoCswHW:AflpECBk23UgSuEw2

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
1748	512506946C42AC.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.lnk	c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe

Loads dropped DLL 3 IoCs

pid	Process
1584	c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe
1584	c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe
1748	512506946C42AC.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\512506946C42AC = "C:\\ProgramData\\512506946C42AC\\512506946C42AC.exe"	c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\512506946C42AC = "C:\\ProgramData\\512506946C42AC\\512506946C42AC.exe"	c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1816	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	512506946C42AC.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	512506946C42AC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	512506946C42AC.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1748	512506946C42AC.exe
1748	512506946C42AC.exe
1748	512506946C42AC.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1748	1584	c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe	26
PID 1584 wrote to memory of 1748	1584	c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe	26
PID 1584 wrote to memory of 1748	1584	c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe	26
PID 1584 wrote to memory of 1748	1584	c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe	26
PID 1584 wrote to memory of 1748	1584	c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe	26
PID 1584 wrote to memory of 1748	1584	c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe	26
PID 1584 wrote to memory of 1748	1584	c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe	26
PID 1748 wrote to memory of 1816	1748	512506946C42AC.exe	28
PID 1748 wrote to memory of 1816	1748	512506946C42AC.exe	28
PID 1748 wrote to memory of 1816	1748	512506946C42AC.exe	28
PID 1748 wrote to memory of 1816	1748	512506946C42AC.exe	28
PID 1748 wrote to memory of 1816	1748	512506946C42AC.exe	28
PID 1748 wrote to memory of 1816	1748	512506946C42AC.exe	28
PID 1748 wrote to memory of 1816	1748	512506946C42AC.exe	28
PID 1748 wrote to memory of 1640	1748	512506946C42AC.exe	30
PID 1748 wrote to memory of 1640	1748	512506946C42AC.exe	30
PID 1748 wrote to memory of 1640	1748	512506946C42AC.exe	30
PID 1748 wrote to memory of 1640	1748	512506946C42AC.exe	30
PID 1748 wrote to memory of 1640	1748	512506946C42AC.exe	30
PID 1748 wrote to memory of 1640	1748	512506946C42AC.exe	30
PID 1748 wrote to memory of 1640	1748	512506946C42AC.exe	30

C:\Users\Admin\AppData\Local\Temp\c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe
"C:\Users\Admin\AppData\Local\Temp\c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56.exe"
1⤵
- Disables RegEdit via registry modification
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1584
- C:\ProgramData\512506946C42AC\512506946C42AC.exe
  C:\ProgramData\512506946C42AC\512506946C42AC.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns && ipconfig /renew
    3⤵
    - Gathers network information
    PID:1816
- - C:\Windows\SysWOW64\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\512506946C42AC\512506946C42AC.exe

Filesize
89KB

MD5
e982f8207670946d5bcc18581caf6e89

SHA1
003881e35f529faaa485e42d78ebd889674412cb

SHA256
c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56

SHA512
d9814a9176c27e48d42258b1e615ddc94c68dbc6fc901c19e2d992b6333f2c803eda8ef8506ab997115af0b507ee5aae1ef5c52f261e02ff4df072e0b8700e3d

Download Submit
C:\ProgramData\512506946C42AC\512506946C42AC.exe

Filesize
89KB

MD5
e982f8207670946d5bcc18581caf6e89

SHA1
003881e35f529faaa485e42d78ebd889674412cb

SHA256
c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56

SHA512
d9814a9176c27e48d42258b1e615ddc94c68dbc6fc901c19e2d992b6333f2c803eda8ef8506ab997115af0b507ee5aae1ef5c52f261e02ff4df072e0b8700e3d

Download Submit
\ProgramData\512506946C42AC\512506946C42AC.exe

Filesize
89KB

MD5
e982f8207670946d5bcc18581caf6e89

SHA1
003881e35f529faaa485e42d78ebd889674412cb

SHA256
c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56

SHA512
d9814a9176c27e48d42258b1e615ddc94c68dbc6fc901c19e2d992b6333f2c803eda8ef8506ab997115af0b507ee5aae1ef5c52f261e02ff4df072e0b8700e3d

Download Submit
\ProgramData\512506946C42AC\512506946C42AC.exe

Filesize
89KB

MD5
e982f8207670946d5bcc18581caf6e89

SHA1
003881e35f529faaa485e42d78ebd889674412cb

SHA256
c33c1ff223a1559d988803a84fe0973c56362782ff36134398c8ffafb5efcd56

SHA512
d9814a9176c27e48d42258b1e615ddc94c68dbc6fc901c19e2d992b6333f2c803eda8ef8506ab997115af0b507ee5aae1ef5c52f261e02ff4df072e0b8700e3d

Download Submit
\Users\Admin\AppData\Roaming\twain.dll

Filesize
3KB

MD5
e9032dac10fb27acfa89c3357fad86b3

SHA1
1623843e0d369c9911989c0730a6470c22dd60fd

SHA256
9de0bb4cb8a79f575da4dbc86cedb6a9ef8d94c0b176fd4690b9b7ffee078391

SHA512
70e663ad1e87832673f7140aca20dcd3db46c256b91f2924e7a9e1ab24a295d432b625fdcc53b1f3bbc84f91390190e4bd483da5285f95ed0316be09b2b82004

Download Submit
memory/1584-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1584-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1748-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1748-68-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads