d7959c8cb6f50710a5164c32bc34ebff0c5849f716384b5efdaec69d93a114e4

General

Target

d7959c8cb6f50710a5164c32bc34ebff0c5849f716384b5efdaec69d93a114e4.exe
Size

283KB
MD5

2efea9596045641712926fe29260bb80
SHA1

643f26d24bb53a8975d73b7ba56614eb9bab86e0
SHA256

d7959c8cb6f50710a5164c32bc34ebff0c5849f716384b5efdaec69d93a114e4
SHA512

84854e8ea56badb6919e6ac829798a6d81da5653ca0714dd95ffd183e8df76972542c7e3097077b313ce7ea5f15533a983c391988a7e6fe0b85b78afa8b15875
SSDEEP

6144:vu2urzh9xu/XkauCCE6mm1zt6KoscnB5Aru9vAC68Vu1OQ:vutrzh9xOXkE/m1zEKoscB5Ay9oCM1F

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1472	directx86.exe
1112	directx86.exe

Loads dropped DLL 3 IoCs

pid	Process
1504	d7959c8cb6f50710a5164c32bc34ebff0c5849f716384b5efdaec69d93a114e4.exe
1504	d7959c8cb6f50710a5164c32bc34ebff0c5849f716384b5efdaec69d93a114e4.exe
1472	directx86.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	directx86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\directx86.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\directx86.exe"	directx86.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1472 set thread context of 1112	1472	directx86.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1472	directx86.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1472	1504	d7959c8cb6f50710a5164c32bc34ebff0c5849f716384b5efdaec69d93a114e4.exe	26
PID 1504 wrote to memory of 1472	1504	d7959c8cb6f50710a5164c32bc34ebff0c5849f716384b5efdaec69d93a114e4.exe	26
PID 1504 wrote to memory of 1472	1504	d7959c8cb6f50710a5164c32bc34ebff0c5849f716384b5efdaec69d93a114e4.exe	26
PID 1504 wrote to memory of 1472	1504	d7959c8cb6f50710a5164c32bc34ebff0c5849f716384b5efdaec69d93a114e4.exe	26
PID 1504 wrote to memory of 1472	1504	d7959c8cb6f50710a5164c32bc34ebff0c5849f716384b5efdaec69d93a114e4.exe	26
PID 1504 wrote to memory of 1472	1504	d7959c8cb6f50710a5164c32bc34ebff0c5849f716384b5efdaec69d93a114e4.exe	26
PID 1504 wrote to memory of 1472	1504	d7959c8cb6f50710a5164c32bc34ebff0c5849f716384b5efdaec69d93a114e4.exe	26
PID 1472 wrote to memory of 1112	1472	directx86.exe	27
PID 1472 wrote to memory of 1112	1472	directx86.exe	27
PID 1472 wrote to memory of 1112	1472	directx86.exe	27
PID 1472 wrote to memory of 1112	1472	directx86.exe	27
PID 1472 wrote to memory of 1112	1472	directx86.exe	27
PID 1472 wrote to memory of 1112	1472	directx86.exe	27
PID 1472 wrote to memory of 1112	1472	directx86.exe	27
PID 1472 wrote to memory of 1112	1472	directx86.exe	27
PID 1472 wrote to memory of 1112	1472	directx86.exe	27
PID 1472 wrote to memory of 1112	1472	directx86.exe	27
PID 1472 wrote to memory of 1112	1472	directx86.exe	27
PID 1472 wrote to memory of 1112	1472	directx86.exe	27
PID 1472 wrote to memory of 1112	1472	directx86.exe	27
PID 1472 wrote to memory of 1112	1472	directx86.exe	27
PID 1472 wrote to memory of 1112	1472	directx86.exe	27
PID 1472 wrote to memory of 1112	1472	directx86.exe	27
PID 1472 wrote to memory of 1112	1472	directx86.exe	27

C:\Users\Admin\AppData\Local\Temp\d7959c8cb6f50710a5164c32bc34ebff0c5849f716384b5efdaec69d93a114e4.exe
"C:\Users\Admin\AppData\Local\Temp\d7959c8cb6f50710a5164c32bc34ebff0c5849f716384b5efdaec69d93a114e4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\directx86.exe
  "C:\Users\Admin\AppData\Local\Temp\directx86.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\directx86.exe
    "C:\Users\Admin\AppData\Local\Temp\directx86.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\directx86.exe

Filesize
788KB

MD5
ca46170ed65aaad260c6d5f3ac620f81

SHA1
975404e16f8d537c97cdb41783bd34da177311c1

SHA256
0582a9499ba0a27440d1dd44f99d209c78d0335d1b559b7a2761d1932d9a756b

SHA512
120fb157a3a297351acf951b6a5a8a14da77d146582a2ff1606cd9c94a3221a75df3f27a47181244e9c3be952bd7fbc4010ef08f348038002fb41c9a1f3c9d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\directx86.exe

Filesize
788KB

MD5
ca46170ed65aaad260c6d5f3ac620f81

SHA1
975404e16f8d537c97cdb41783bd34da177311c1

SHA256
0582a9499ba0a27440d1dd44f99d209c78d0335d1b559b7a2761d1932d9a756b

SHA512
120fb157a3a297351acf951b6a5a8a14da77d146582a2ff1606cd9c94a3221a75df3f27a47181244e9c3be952bd7fbc4010ef08f348038002fb41c9a1f3c9d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\directx86.exe

Filesize
788KB

MD5
ca46170ed65aaad260c6d5f3ac620f81

SHA1
975404e16f8d537c97cdb41783bd34da177311c1

SHA256
0582a9499ba0a27440d1dd44f99d209c78d0335d1b559b7a2761d1932d9a756b

SHA512
120fb157a3a297351acf951b6a5a8a14da77d146582a2ff1606cd9c94a3221a75df3f27a47181244e9c3be952bd7fbc4010ef08f348038002fb41c9a1f3c9d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\npb32.pas

Filesize
32B

MD5
9c251bb52629b2da80ebaa3c62893b28

SHA1
5cc862d85e9e47216c714b871d5e3d42fd346925

SHA256
c673a980644737fba19db26e4216e9965b3db5932ee8f71c9688ca3069ebd073

SHA512
f41fbc6cdce9d5697751396ab6af53273d0a50a68331af89cd8275652ef28433341ee54eebeaf31cfb03de6562952b86b1ad70a90c5de8c79510cb1791f111a8

Download Submit
\Users\Admin\AppData\Local\Temp\directx86.exe

Filesize
788KB

MD5
ca46170ed65aaad260c6d5f3ac620f81

SHA1
975404e16f8d537c97cdb41783bd34da177311c1

SHA256
0582a9499ba0a27440d1dd44f99d209c78d0335d1b559b7a2761d1932d9a756b

SHA512
120fb157a3a297351acf951b6a5a8a14da77d146582a2ff1606cd9c94a3221a75df3f27a47181244e9c3be952bd7fbc4010ef08f348038002fb41c9a1f3c9d7c

Download Submit
\Users\Admin\AppData\Local\Temp\directx86.exe

Filesize
788KB

MD5
ca46170ed65aaad260c6d5f3ac620f81

SHA1
975404e16f8d537c97cdb41783bd34da177311c1

SHA256
0582a9499ba0a27440d1dd44f99d209c78d0335d1b559b7a2761d1932d9a756b

SHA512
120fb157a3a297351acf951b6a5a8a14da77d146582a2ff1606cd9c94a3221a75df3f27a47181244e9c3be952bd7fbc4010ef08f348038002fb41c9a1f3c9d7c

Download Submit
\Users\Admin\AppData\Local\Temp\directx86.exe

Filesize
788KB

MD5
ca46170ed65aaad260c6d5f3ac620f81

SHA1
975404e16f8d537c97cdb41783bd34da177311c1

SHA256
0582a9499ba0a27440d1dd44f99d209c78d0335d1b559b7a2761d1932d9a756b

SHA512
120fb157a3a297351acf951b6a5a8a14da77d146582a2ff1606cd9c94a3221a75df3f27a47181244e9c3be952bd7fbc4010ef08f348038002fb41c9a1f3c9d7c

Download Submit
memory/1112-65-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1112-68-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1112-70-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1112-72-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1112-75-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1112-76-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1112-78-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1472-62-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1472-73-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing