e74de580b480b90f9f59d37e9e2f260d3afabfc8f665e1f58898f34def920662

General

Target

e74de580b480b90f9f59d37e9e2f260d3afabfc8f665e1f58898f34def920662.exe
Size

841KB
MD5

078e1b72d78867f00b575e43304c6770
SHA1

2312f5ca712c577ccf9a1e20699569a0ed53d0e7
SHA256

e74de580b480b90f9f59d37e9e2f260d3afabfc8f665e1f58898f34def920662
SHA512

7c7cbbc48cb3d646678f01ee0d56683db1396d70a47b18bc7bcc6b34f3cfc00bef995f451f8720dda37d71ca8f31a7104a9eda381467c799b3998ac5a57ae9ef
SSDEEP

24576:CqVk+j02nRENz5sEERIRLY+aPtul1aqr:CqVtREzKaY+aPYLaqr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
540	mldefender.exe

Loads dropped DLL 2 IoCs

pid	Process
952	e74de580b480b90f9f59d37e9e2f260d3afabfc8f665e1f58898f34def920662.exe
952	e74de580b480b90f9f59d37e9e2f260d3afabfc8f665e1f58898f34def920662.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	mldefender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security = "C:\\ProgramData\\mldefender.exe"	mldefender.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	mldefender.exe
File opened (read-only)	\??\V:	mldefender.exe
File opened (read-only)	\??\W:	mldefender.exe
File opened (read-only)	\??\G:	mldefender.exe
File opened (read-only)	\??\J:	mldefender.exe
File opened (read-only)	\??\M:	mldefender.exe
File opened (read-only)	\??\N:	mldefender.exe
File opened (read-only)	\??\O:	mldefender.exe
File opened (read-only)	\??\E:	mldefender.exe
File opened (read-only)	\??\K:	mldefender.exe
File opened (read-only)	\??\L:	mldefender.exe
File opened (read-only)	\??\R:	mldefender.exe
File opened (read-only)	\??\Y:	mldefender.exe
File opened (read-only)	\??\I:	mldefender.exe
File opened (read-only)	\??\P:	mldefender.exe
File opened (read-only)	\??\Q:	mldefender.exe
File opened (read-only)	\??\S:	mldefender.exe
File opened (read-only)	\??\X:	mldefender.exe
File opened (read-only)	\??\F:	mldefender.exe
File opened (read-only)	\??\H:	mldefender.exe
File opened (read-only)	\??\T:	mldefender.exe
File opened (read-only)	\??\Z:	mldefender.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mldefender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
952	e74de580b480b90f9f59d37e9e2f260d3afabfc8f665e1f58898f34def920662.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
952	e74de580b480b90f9f59d37e9e2f260d3afabfc8f665e1f58898f34def920662.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe
540	mldefender.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
540	mldefender.exe
540	mldefender.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 540	952	e74de580b480b90f9f59d37e9e2f260d3afabfc8f665e1f58898f34def920662.exe	28
PID 952 wrote to memory of 540	952	e74de580b480b90f9f59d37e9e2f260d3afabfc8f665e1f58898f34def920662.exe	28
PID 952 wrote to memory of 540	952	e74de580b480b90f9f59d37e9e2f260d3afabfc8f665e1f58898f34def920662.exe	28
PID 952 wrote to memory of 540	952	e74de580b480b90f9f59d37e9e2f260d3afabfc8f665e1f58898f34def920662.exe	28

C:\Users\Admin\AppData\Local\Temp\e74de580b480b90f9f59d37e9e2f260d3afabfc8f665e1f58898f34def920662.exe
"C:\Users\Admin\AppData\Local\Temp\e74de580b480b90f9f59d37e9e2f260d3afabfc8f665e1f58898f34def920662.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:952
- C:\ProgramData\mldefender.exe
  C:\ProgramData\mldefender.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mldefender.exe

Filesize
820KB

MD5
5aeba985247ac15a42f4054230094920

SHA1
b01bfe87d073a393a8a2813d0a4a87355341a0ee

SHA256
63b7c5f80e935521dbd0fd1ab584fc386fefd6a44109b38b0913f2c2c0fd2483

SHA512
2d88add462e21ffec5d68613c2f31230a8373673f8763c511bc0fb301e3181156a07f98821c2fcd8e8bdab99db9ba99e3a8d301c678505b514f5e8b779a2342e

Download Submit
\ProgramData\mldefender.exe

Filesize
820KB

MD5
5aeba985247ac15a42f4054230094920

SHA1
b01bfe87d073a393a8a2813d0a4a87355341a0ee

SHA256
63b7c5f80e935521dbd0fd1ab584fc386fefd6a44109b38b0913f2c2c0fd2483

SHA512
2d88add462e21ffec5d68613c2f31230a8373673f8763c511bc0fb301e3181156a07f98821c2fcd8e8bdab99db9ba99e3a8d301c678505b514f5e8b779a2342e

Download Submit
\ProgramData\mldefender.exe

Filesize
820KB

MD5
5aeba985247ac15a42f4054230094920

SHA1
b01bfe87d073a393a8a2813d0a4a87355341a0ee

SHA256
63b7c5f80e935521dbd0fd1ab584fc386fefd6a44109b38b0913f2c2c0fd2483

SHA512
2d88add462e21ffec5d68613c2f31230a8373673f8763c511bc0fb301e3181156a07f98821c2fcd8e8bdab99db9ba99e3a8d301c678505b514f5e8b779a2342e

Download Submit
memory/540-62-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/540-63-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/540-65-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/540-66-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/540-67-0x0000000000400000-0x0000000000A0A000-memory.dmp

Filesize
6.0MB

Download
memory/952-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/952-55-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/952-56-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download

Analysis

Sharing