7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b

General

Target

7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe
Size

24.4MB
MD5

144c5cd8101ef0444e54b254882f8f4d
SHA1

a9921bcb46394f81cf4c3b424c0166930876af12
SHA256

7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b
SHA512

965c59061bb6b838939faceaac8a9ae1fecf5cea30b2a2d6af568dac1537ed191abb6da2d2de70d08cf3d97607c2b1a816bedab02e201b2718e3705f1d6243d0
SSDEEP

98304:ZMRqzs/LNPP9Xil+4JAv8clSVvf9M6a1lT5l4dIHh6QfW3D:S0zszdpObivXwt+64mdIbWT

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
976	rjyzdssetup.exe

Loads dropped DLL 5 IoCs

pid	Process
288	7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe
976	rjyzdssetup.exe
976	rjyzdssetup.exe
976	rjyzdssetup.exe
976	rjyzdssetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rjyzdssetup = "C:\\Users\\Public\\Tlsiy\\Ifgm.exe /rjyzdssetup /{FA4E51E9-28EE-4B39-A241-0BBDE3B98B89}"	7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 12 IoCs

installer

resource	yara_rule
behavioral1/files/0x000900000001267a-59.dat	nsis_installer_1
behavioral1/files/0x000900000001267a-59.dat	nsis_installer_2
behavioral1/files/0x000900000001267a-61.dat	nsis_installer_1
behavioral1/files/0x000900000001267a-61.dat	nsis_installer_2
behavioral1/files/0x000900000001267a-64.dat	nsis_installer_1
behavioral1/files/0x000900000001267a-64.dat	nsis_installer_2
behavioral1/files/0x000900000001267a-63.dat	nsis_installer_1
behavioral1/files/0x000900000001267a-63.dat	nsis_installer_2
behavioral1/files/0x000900000001267a-66.dat	nsis_installer_1
behavioral1/files/0x000900000001267a-66.dat	nsis_installer_2
behavioral1/files/0x000900000001267a-65.dat	nsis_installer_1
behavioral1/files/0x000900000001267a-65.dat	nsis_installer_2

Runs net.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 876	288	7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe	28
PID 288 wrote to memory of 876	288	7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe	28
PID 288 wrote to memory of 876	288	7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe	28
PID 288 wrote to memory of 876	288	7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe	28
PID 288 wrote to memory of 876	288	7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe	28
PID 288 wrote to memory of 876	288	7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe	28
PID 288 wrote to memory of 876	288	7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe	28
PID 876 wrote to memory of 784	876	Net.exe	30
PID 876 wrote to memory of 784	876	Net.exe	30
PID 876 wrote to memory of 784	876	Net.exe	30
PID 876 wrote to memory of 784	876	Net.exe	30
PID 876 wrote to memory of 784	876	Net.exe	30
PID 876 wrote to memory of 784	876	Net.exe	30
PID 876 wrote to memory of 784	876	Net.exe	30
PID 288 wrote to memory of 976	288	7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe	31
PID 288 wrote to memory of 976	288	7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe	31
PID 288 wrote to memory of 976	288	7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe	31
PID 288 wrote to memory of 976	288	7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe	31
PID 288 wrote to memory of 976	288	7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe	31
PID 288 wrote to memory of 976	288	7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe	31
PID 288 wrote to memory of 976	288	7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe	31

C:\Users\Admin\AppData\Local\Temp\7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe
"C:\Users\Admin\AppData\Local\Temp\7b893431eb68c5d126cfdc3d16563a90f84c2572f83b7bb06e785508a28a0b5b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:288
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:784
- C:\Users\Admin\AppData\Local\Temp\g8E85D\rjyzdssetup.exe
  C:\Users\Admin\AppData\Local\Temp\g8E85D\rjyzdssetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\g8E85D\rjyzdssetup.exe

Filesize
2.5MB

MD5
49d2e7d1e9303b29834de271723a74c6

SHA1
caec16e970adf27b1dffab2d1b154567967dd288

SHA256
063393a914c407782325c85ae4a0c2cdf320802b561fa7f524bb85625251121f

SHA512
a93ea613aad63259321b098bc91b3735b04379ae039e7eae77e95b8ac7090f43e1934554b1912edf3dacabdfb7892de71d4c05b53bd33cd655025e51e592cc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\g8E85D\rjyzdssetup.exe

Filesize
2.5MB

MD5
49d2e7d1e9303b29834de271723a74c6

SHA1
caec16e970adf27b1dffab2d1b154567967dd288

SHA256
063393a914c407782325c85ae4a0c2cdf320802b561fa7f524bb85625251121f

SHA512
a93ea613aad63259321b098bc91b3735b04379ae039e7eae77e95b8ac7090f43e1934554b1912edf3dacabdfb7892de71d4c05b53bd33cd655025e51e592cc90

Download Submit
\Users\Admin\AppData\Local\Temp\g8E85D\rjyzdssetup.exe

Filesize
2.5MB

MD5
49d2e7d1e9303b29834de271723a74c6

SHA1
caec16e970adf27b1dffab2d1b154567967dd288

SHA256
063393a914c407782325c85ae4a0c2cdf320802b561fa7f524bb85625251121f

SHA512
a93ea613aad63259321b098bc91b3735b04379ae039e7eae77e95b8ac7090f43e1934554b1912edf3dacabdfb7892de71d4c05b53bd33cd655025e51e592cc90

Download Submit
\Users\Admin\AppData\Local\Temp\g8E85D\rjyzdssetup.exe

Filesize
2.5MB

MD5
49d2e7d1e9303b29834de271723a74c6

SHA1
caec16e970adf27b1dffab2d1b154567967dd288

SHA256
063393a914c407782325c85ae4a0c2cdf320802b561fa7f524bb85625251121f

SHA512
a93ea613aad63259321b098bc91b3735b04379ae039e7eae77e95b8ac7090f43e1934554b1912edf3dacabdfb7892de71d4c05b53bd33cd655025e51e592cc90

Download Submit
\Users\Admin\AppData\Local\Temp\g8E85D\rjyzdssetup.exe

Filesize
2.5MB

MD5
49d2e7d1e9303b29834de271723a74c6

SHA1
caec16e970adf27b1dffab2d1b154567967dd288

SHA256
063393a914c407782325c85ae4a0c2cdf320802b561fa7f524bb85625251121f

SHA512
a93ea613aad63259321b098bc91b3735b04379ae039e7eae77e95b8ac7090f43e1934554b1912edf3dacabdfb7892de71d4c05b53bd33cd655025e51e592cc90

Download Submit
\Users\Admin\AppData\Local\Temp\g8E85D\rjyzdssetup.exe

Filesize
2.5MB

MD5
49d2e7d1e9303b29834de271723a74c6

SHA1
caec16e970adf27b1dffab2d1b154567967dd288

SHA256
063393a914c407782325c85ae4a0c2cdf320802b561fa7f524bb85625251121f

SHA512
a93ea613aad63259321b098bc91b3735b04379ae039e7eae77e95b8ac7090f43e1934554b1912edf3dacabdfb7892de71d4c05b53bd33cd655025e51e592cc90

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF865.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
memory/288-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing