a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a

General

Target

a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe
Size

95KB
MD5

51b4f33d3a13403c2f2f60b02fe127e2
SHA1

788b7c1ae6e2d67497c4f2f1212166bf2717a4f7
SHA256

a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a
SHA512

77b5a01ccc61774d945d67f4fd9c6f0d166614f7d731d1833d8c568b5f6938d9d1464746f94d118ef85c873aa487c1a0641242096516486c8a7bba9fa05efa00
SSDEEP

1536:9YBlPPC+5+OI7lFvHJkoEEEESvhhGz8cgKdmDOy3s8aS+GaS+y/8VQQjTqdwrP1q:9YBx5+hFvpQhKdq881/17/aTjTqarP1q

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SkypePM.exe

pid process

1888 SkypePM.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

592 cmd.exe

pid	process
1888	SkypePM.exe

pid	process
592	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe

pid	process
1168	a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe
1168	a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SkypePM = "C:\\Users\\Admin\\AppData\\Local\\Skype\\SkypePM.exe"	a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of UnmapMainImage 2 IoCs

Processes:

a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exeSkypePM.exe

pid process

1168 a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe
1888 SkypePM.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe

description	pid	process	target process
PID 1168 wrote to memory of 592	1168	a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe	cmd.exe
PID 1168 wrote to memory of 592	1168	a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe	cmd.exe
PID 1168 wrote to memory of 592	1168	a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe	cmd.exe
PID 1168 wrote to memory of 592	1168	a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe	cmd.exe
PID 1168 wrote to memory of 1888	1168	a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe	SkypePM.exe
PID 1168 wrote to memory of 1888	1168	a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe	SkypePM.exe
PID 1168 wrote to memory of 1888	1168	a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe	SkypePM.exe
PID 1168 wrote to memory of 1888	1168	a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe	SkypePM.exe

C:\Users\Admin\AppData\Local\Temp\a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe
"C:\Users\Admin\AppData\Local\Temp\a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\r.bat" "
2⤵
- Deletes itself
PID:592

C:\Users\Admin\AppData\Local\Skype\SkypePM.exe
"C:\Users\Admin\AppData\Local\Skype\SkypePM.exe"
2⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Skype\SkypePM.exe
Filesize
95KB

MD5
51b4f33d3a13403c2f2f60b02fe127e2

SHA1
788b7c1ae6e2d67497c4f2f1212166bf2717a4f7

SHA256
a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a

SHA512
77b5a01ccc61774d945d67f4fd9c6f0d166614f7d731d1833d8c568b5f6938d9d1464746f94d118ef85c873aa487c1a0641242096516486c8a7bba9fa05efa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.bat
Filesize
195B

MD5
2ac64a1f59b64e8d062aa5153b22c0e8

SHA1
aedf6c86d6d0d8711c624656f44ca596f6947c3e

SHA256
25ed024c191fa9df66b819cde9df44e3d27709d15827cc22415ed7da0220ad05

SHA512
a0e055c86d6a38d5e9600a38a1b7037192f1254df92d7eac74c0acc67643c2b360271928537f45aec333f9a8990893f3d259bba93f66e98d7cc55d8d932509fb

Download Submit
\Users\Admin\AppData\Local\Skype\SkypePM.exe
Filesize
95KB

MD5
51b4f33d3a13403c2f2f60b02fe127e2

SHA1
788b7c1ae6e2d67497c4f2f1212166bf2717a4f7

SHA256
a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a

SHA512
77b5a01ccc61774d945d67f4fd9c6f0d166614f7d731d1833d8c568b5f6938d9d1464746f94d118ef85c873aa487c1a0641242096516486c8a7bba9fa05efa00

Download Submit
\Users\Admin\AppData\Local\Skype\SkypePM.exe
Filesize
95KB

MD5
51b4f33d3a13403c2f2f60b02fe127e2

SHA1
788b7c1ae6e2d67497c4f2f1212166bf2717a4f7

SHA256
a9fd3c4ad086d2a5d0584f22ed2f6187c7003d7520ab677e4cf93507ed31624a

SHA512
77b5a01ccc61774d945d67f4fd9c6f0d166614f7d731d1833d8c568b5f6938d9d1464746f94d118ef85c873aa487c1a0641242096516486c8a7bba9fa05efa00

Download Submit
memory/592-58-0x0000000000000000-mapping.dmp

Download
memory/1168-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1168-54-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download
memory/1168-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1168-55-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/1168-56-0x0000000000260000-0x000000000027A000-memory.dmp

Filesize
104KB

Download
memory/1888-61-0x0000000000000000-mapping.dmp

Download
memory/1888-66-0x0000000000240000-0x000000000024C000-memory.dmp

Filesize
48KB

Download
memory/1888-67-0x0000000000250000-0x000000000026A000-memory.dmp

Filesize
104KB

Download
memory/1888-68-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1888-69-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads