97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d

General

Target

97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe
Size

468KB
MD5

05ce81c0453d25f9521cbaf7cf3207f0
SHA1

78546c0f10a98114c0bfa9e3af4a468f8b9e10fc
SHA256

97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d
SHA512

2223aff5627a7b89dbc359a3210c1ec076cc326846cab3a42e26788fc721f04d0aaace6da5bafcfb77f77ae7cd65297552d583cf2fb96a627b7738190ba97cfc
SSDEEP

3072:o18SouhTTtfiCXl+0LbLuO5aYd/5q6rsg2ZaZ/VuXQMul6mdoCom9QEst3FmcSDQ:e8Yd4iaYd/5EkhTlBy3Fmco

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Microsoft Windows Hosting Service Login = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components\{mCZHeGdd-MGXQ-Ukk4-fvKF-QbdYicFxzaFW}	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components\{mCZHeGdd-MGXQ-Ukk4-fvKF-QbdYicFxzaFW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BZ8YL.exe"	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{mCZHeGdd-MGXQ-Ukk4-fvKF-QbdYicFxzaFW}	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{mCZHeGdd-MGXQ-Ukk4-fvKF-QbdYicFxzaFW}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BZ8YL.exe"	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1340-58-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/1340-60-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/1340-61-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/1340-66-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/1340-67-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/1536-70-0x0000000000370000-0x00000000003F7000-memory.dmp	upx
behavioral1/memory/1340-71-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/1340-74-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TYWHvBYzBXR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BZ8YL.exe"	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Hosting Service Login = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Hosting Service Login = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\QYSRQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BZ8YL.exe"	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1536 set thread context of 1340	1536	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Hosting Service Login = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1536	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 1340	1536	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe	27
PID 1536 wrote to memory of 1340	1536	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe	27
PID 1536 wrote to memory of 1340	1536	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe	27
PID 1536 wrote to memory of 1340	1536	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe	27
PID 1536 wrote to memory of 1340	1536	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe	27
PID 1536 wrote to memory of 1340	1536	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe	27
PID 1536 wrote to memory of 1340	1536	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe	27
PID 1536 wrote to memory of 1340	1536	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe	27
PID 1536 wrote to memory of 944	1536	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe	28
PID 1536 wrote to memory of 944	1536	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe	28
PID 1536 wrote to memory of 944	1536	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe	28
PID 1536 wrote to memory of 944	1536	97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe	28

C:\Users\Admin\AppData\Local\Temp\97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe
"C:\Users\Admin\AppData\Local\Temp\97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe"
1⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe
  C:\Users\Admin\AppData\Local\Temp\97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d.exe
  2⤵
  - Modifies firewall policy service
  - Adds Run key to start application
  - Modifies data under HKEY_USERS
  PID:1340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Fy6aw2ESq8.bat" "
  2⤵
  PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BZ8YL.exe

Filesize
468KB

MD5
05ce81c0453d25f9521cbaf7cf3207f0

SHA1
78546c0f10a98114c0bfa9e3af4a468f8b9e10fc

SHA256
97fdbfd400c28d3b83aa3d2b99a000f1c808115b2568fe47bba58e98425e2b6d

SHA512
2223aff5627a7b89dbc359a3210c1ec076cc326846cab3a42e26788fc721f04d0aaace6da5bafcfb77f77ae7cd65297552d583cf2fb96a627b7738190ba97cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fy6aw2ESq8.bat

Filesize
396B

MD5
0f46f9e1c6e925627d32650a2e37e52c

SHA1
c310fb3e5ef6e1422dc6313a42de91a06fe69dc0

SHA256
2d03be9a45fded458c60f6db1467953edccc9f23e6d374f53bfbdf5c4fd99016

SHA512
1e21c90759787c59b299764867097c4b9d1ae4916ce86228c95c7795ea67d55fd34a9a90ac8154ee9ee28fa80f25239b6af5149e9d4fb5c1bdbb4a547c2470a2

Download Submit
memory/1340-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1340-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1340-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1340-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1340-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1340-71-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1340-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1340-74-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1536-63-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1536-54-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1536-70-0x0000000000370000-0x00000000003F7000-memory.dmp

Filesize
540KB

Download
memory/1536-73-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads