23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b

General

Target

23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe
Size

6.4MB
MD5

0bba108e8634e1ba0c9c89e081581fe9
SHA1

b656092c5cae1e2621316d357cdf132c386bb11d
SHA256

23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b
SHA512

aaf40d6154d0a7d134530f51cce0e354e81e36a9726486b88c02b2bc098daf03f95fe5ad9e65cf64faa288e0e05686285c3b1bab0146d2e9aab5908b6af348d8
SSDEEP

196608:fqHgPs2e0666VdVF/wAj7EsfK4iOevZxbubx3BZ:fqAhe0OVjVLj7EsUnHKx3j

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1660	ll8kll8k.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ALXO\ImagePath = "C:\\ProgramData\\Jiid\\Owoy.exe"	23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe

Loads dropped DLL 4 IoCs

pid	Process
848	23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe
1660	ll8kll8k.exe
1660	ll8kll8k.exe
1660	ll8kll8k.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	ll8kll8k.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1660	ll8kll8k.exe
1660	ll8kll8k.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1308	848	23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe	28
PID 848 wrote to memory of 1308	848	23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe	28
PID 848 wrote to memory of 1308	848	23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe	28
PID 848 wrote to memory of 1308	848	23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe	28
PID 848 wrote to memory of 1308	848	23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe	28
PID 848 wrote to memory of 1308	848	23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe	28
PID 848 wrote to memory of 1308	848	23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe	28
PID 1308 wrote to memory of 1224	1308	Net.exe	30
PID 1308 wrote to memory of 1224	1308	Net.exe	30
PID 1308 wrote to memory of 1224	1308	Net.exe	30
PID 1308 wrote to memory of 1224	1308	Net.exe	30
PID 1308 wrote to memory of 1224	1308	Net.exe	30
PID 1308 wrote to memory of 1224	1308	Net.exe	30
PID 1308 wrote to memory of 1224	1308	Net.exe	30
PID 848 wrote to memory of 1660	848	23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe	31
PID 848 wrote to memory of 1660	848	23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe	31
PID 848 wrote to memory of 1660	848	23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe	31
PID 848 wrote to memory of 1660	848	23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe	31
PID 848 wrote to memory of 1660	848	23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe	31
PID 848 wrote to memory of 1660	848	23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe	31
PID 848 wrote to memory of 1660	848	23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe	31

C:\Users\Admin\AppData\Local\Temp\23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe
"C:\Users\Admin\AppData\Local\Temp\23462359b5dd06b04ba7177fab005965dc7ce0df9d12e5650e4754de758aed4b.exe"
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:1224
- C:\Users\Admin\AppData\Local\Temp\g8C582\ll8kll8k.exe
  C:\Users\Admin\AppData\Local\Temp\g8C582\ll8kll8k.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\g8C582\ll8kll8k.exe

Filesize
4.5MB

MD5
ee6a584a57c2cab4ecb9cbb170336190

SHA1
2908a67d4239f77efe96dc9ae97fa23fe8c6a95d

SHA256
dcd4ddf3d20e959ed2ae3328e818c14fef63605b8178905d15269cfe8a53cf04

SHA512
f198183e0ff400a6a87318afe30ac0132097e38684cd345eb7f6b407ea121270169c0bfd94b0f35710d70e3b459c78e2557e7011d788d0b0a76774ca8ee50c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\g8C582\ll8kll8k.exe

Filesize
4.5MB

MD5
ee6a584a57c2cab4ecb9cbb170336190

SHA1
2908a67d4239f77efe96dc9ae97fa23fe8c6a95d

SHA256
dcd4ddf3d20e959ed2ae3328e818c14fef63605b8178905d15269cfe8a53cf04

SHA512
f198183e0ff400a6a87318afe30ac0132097e38684cd345eb7f6b407ea121270169c0bfd94b0f35710d70e3b459c78e2557e7011d788d0b0a76774ca8ee50c00

Download Submit
\Users\Admin\AppData\Local\Temp\g8C582\ll8kll8k.exe

Filesize
4.5MB

MD5
ee6a584a57c2cab4ecb9cbb170336190

SHA1
2908a67d4239f77efe96dc9ae97fa23fe8c6a95d

SHA256
dcd4ddf3d20e959ed2ae3328e818c14fef63605b8178905d15269cfe8a53cf04

SHA512
f198183e0ff400a6a87318afe30ac0132097e38684cd345eb7f6b407ea121270169c0bfd94b0f35710d70e3b459c78e2557e7011d788d0b0a76774ca8ee50c00

Download Submit
\Users\Admin\AppData\Local\Temp\g8C582\ll8kll8k.exe

Filesize
4.5MB

MD5
ee6a584a57c2cab4ecb9cbb170336190

SHA1
2908a67d4239f77efe96dc9ae97fa23fe8c6a95d

SHA256
dcd4ddf3d20e959ed2ae3328e818c14fef63605b8178905d15269cfe8a53cf04

SHA512
f198183e0ff400a6a87318afe30ac0132097e38684cd345eb7f6b407ea121270169c0bfd94b0f35710d70e3b459c78e2557e7011d788d0b0a76774ca8ee50c00

Download Submit
\Users\Admin\AppData\Local\Temp\g8C582\ll8kll8k.exe

Filesize
4.5MB

MD5
ee6a584a57c2cab4ecb9cbb170336190

SHA1
2908a67d4239f77efe96dc9ae97fa23fe8c6a95d

SHA256
dcd4ddf3d20e959ed2ae3328e818c14fef63605b8178905d15269cfe8a53cf04

SHA512
f198183e0ff400a6a87318afe30ac0132097e38684cd345eb7f6b407ea121270169c0bfd94b0f35710d70e3b459c78e2557e7011d788d0b0a76774ca8ee50c00

Download Submit
\Users\Admin\AppData\Local\Temp\g8C582\ll8kll8k.exe

Filesize
4.5MB

MD5
ee6a584a57c2cab4ecb9cbb170336190

SHA1
2908a67d4239f77efe96dc9ae97fa23fe8c6a95d

SHA256
dcd4ddf3d20e959ed2ae3328e818c14fef63605b8178905d15269cfe8a53cf04

SHA512
f198183e0ff400a6a87318afe30ac0132097e38684cd345eb7f6b407ea121270169c0bfd94b0f35710d70e3b459c78e2557e7011d788d0b0a76774ca8ee50c00

Download Submit
memory/848-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads