e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b

General

Target

e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b.exe
Size

58KB
MD5

9b70b385041c21d6862cddbdd4602140
SHA1

07ff685e2d8ff6d973ed76bfb5646e5535ebc5f7
SHA256

e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b
SHA512

310eb2bdafc2007ac57f48ff78cb844c9be1b758bc553e8f59954e055aed0619898ada83827e6a22b0e55bef2a19e9ac130257a9337cff6b7408ebe6fe25a64a
SSDEEP

1536:xuAjwXIgMVUPXAjBX1b1kVvigcrPSsZPzP:xgMUXANJ24lj

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	dwm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	dwm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	dwm.exe

Executes dropped EXE 2 IoCs

pid	Process
3468	dwm.exe
3472	dwm.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\dwm.exe	e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b.exe
File opened for modification	C:\Windows\system\dwm.exe	e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3344	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	dwm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2248	e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b.exe
2248	e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 3344	2248	e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b.exe	83
PID 2248 wrote to memory of 3344	2248	e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b.exe	83
PID 2248 wrote to memory of 3344	2248	e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b.exe	83
PID 2248 wrote to memory of 3468	2248	e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b.exe	87
PID 2248 wrote to memory of 3468	2248	e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b.exe	87
PID 2248 wrote to memory of 3468	2248	e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b.exe	87

C:\Users\Admin\AppData\Local\Temp\e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b.exe
"C:\Users\Admin\AppData\Local\Temp\e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\sc.exe
  sc delete darkness
  2⤵
  - Launches sc.exe
  PID:3344
- C:\Windows\system\dwm.exe
  "C:\Windows\system\dwm.exe" /start
  2⤵
  - Executes dropped EXE
  PID:3468

C:\Windows\system\dwm.exe
C:\Windows\system\dwm.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\dwm.exe

Filesize
58KB

MD5
9b70b385041c21d6862cddbdd4602140

SHA1
07ff685e2d8ff6d973ed76bfb5646e5535ebc5f7

SHA256
e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b

SHA512
310eb2bdafc2007ac57f48ff78cb844c9be1b758bc553e8f59954e055aed0619898ada83827e6a22b0e55bef2a19e9ac130257a9337cff6b7408ebe6fe25a64a

Download Submit
C:\Windows\System\dwm.exe

Filesize
58KB

MD5
9b70b385041c21d6862cddbdd4602140

SHA1
07ff685e2d8ff6d973ed76bfb5646e5535ebc5f7

SHA256
e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b

SHA512
310eb2bdafc2007ac57f48ff78cb844c9be1b758bc553e8f59954e055aed0619898ada83827e6a22b0e55bef2a19e9ac130257a9337cff6b7408ebe6fe25a64a

Download Submit
C:\Windows\system\dwm.exe

Filesize
58KB

MD5
9b70b385041c21d6862cddbdd4602140

SHA1
07ff685e2d8ff6d973ed76bfb5646e5535ebc5f7

SHA256
e17512e7361167f13914116399d133338b237ac9c906f36fd5fea98f3296519b

SHA512
310eb2bdafc2007ac57f48ff78cb844c9be1b758bc553e8f59954e055aed0619898ada83827e6a22b0e55bef2a19e9ac130257a9337cff6b7408ebe6fe25a64a

Download Submit
memory/2248-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing