90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70

General

Target

90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70.exe
Size

657KB
MD5

24d69a57fc6936a88cad6106398b8e37
SHA1

85e614665a806e795937629b67e7e98d234268aa
SHA256

90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70
SHA512

4c9f507e3391d54cd35d5ab9933401f18916decbb7fcf61950e28f9a93713ba34922286f63e074e30c536acb196b0c8271036d90c31bbad4c114fa5155050c17
SSDEEP

12288:tre4zLzM7RGvHHRrZyHQxDzCmAWdPOkQXgxWKQQWO6PfTP6rSiyoS3:tre4zLzM9Gf9EwxfCmldmkQXgxWLh9Tz

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
460	svcgjfl.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1064-70-0x0000000000400000-0x0000000001955000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
968	cmd.exe
552	rundll32.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts\Startup	attrib.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts	attrib.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user	attrib.exe
File created	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	cmd.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	cmd.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts\Shutdown	attrib.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\ime\scripts.ini	cmd.exe
File opened for modification	C:\Windows\ime\scripts.ini	cmd.exe
File created	C:\Windows\ime\svcgjfl.exe	cmd.exe
File created	C:\Windows\Debug\error.gg	cmd.exe
File opened for modification	C:\Windows\Debug\win.dat	cmd.exe
File opened for modification	C:\Windows\Debug\tb.dat	cmd.exe
File created	C:\Windows\ime\winxp.dat	cmd.exe
File opened for modification	C:\Windows\ime\winxp.dat	cmd.exe
File opened for modification	C:\Windows\ime\svcgjfl.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
552	rundll32.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 968	1064	90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70.exe	27
PID 1064 wrote to memory of 968	1064	90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70.exe	27
PID 1064 wrote to memory of 968	1064	90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70.exe	27
PID 1064 wrote to memory of 968	1064	90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70.exe	27
PID 968 wrote to memory of 564	968	cmd.exe	29
PID 968 wrote to memory of 564	968	cmd.exe	29
PID 968 wrote to memory of 564	968	cmd.exe	29
PID 968 wrote to memory of 564	968	cmd.exe	29
PID 968 wrote to memory of 1636	968	cmd.exe	30
PID 968 wrote to memory of 1636	968	cmd.exe	30
PID 968 wrote to memory of 1636	968	cmd.exe	30
PID 968 wrote to memory of 1636	968	cmd.exe	30
PID 968 wrote to memory of 552	968	cmd.exe	31
PID 968 wrote to memory of 552	968	cmd.exe	31
PID 968 wrote to memory of 552	968	cmd.exe	31
PID 968 wrote to memory of 552	968	cmd.exe	31
PID 968 wrote to memory of 552	968	cmd.exe	31
PID 968 wrote to memory of 552	968	cmd.exe	31
PID 968 wrote to memory of 552	968	cmd.exe	31
PID 968 wrote to memory of 460	968	cmd.exe	32
PID 968 wrote to memory of 460	968	cmd.exe	32
PID 968 wrote to memory of 460	968	cmd.exe	32
PID 968 wrote to memory of 460	968	cmd.exe	32
PID 968 wrote to memory of 460	968	cmd.exe	32
PID 968 wrote to memory of 460	968	cmd.exe	32
PID 968 wrote to memory of 460	968	cmd.exe	32

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
564	attrib.exe

C:\Users\Admin\AppData\Local\Temp\90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70.exe
"C:\Users\Admin\AppData\Local\Temp\90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\272.tmp\sso.bat" "
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Windows\system32\GroupPolicy\*.* -r -s -h /s /d
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:564
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /v "PendingFileRenameOperations2" /t "REG_MULTI_SZ" /d "\??\C:\Windows\ime0\0\??C:\Windows\ime\0\??\C:\Windows\ime\scripts.ini\0\??\C:\Windows\System32\GroupPolicy\user\Scripts\scripts.ini" /f
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\ime\winxp.dat,Launch
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:552
- - C:\Windows\ime\svcgjfl.exe
    C:\Windows\ime\svcgjfl.exe
    3⤵
    - Executes dropped EXE
    PID:460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\272.tmp\sso.bat

Filesize
2KB

MD5
324ad9a625d434e09152589fb88e73b5

SHA1
9fb1a51f9271818647d8dd869f1f0dc92c776843

SHA256
df2b9a6dabfef8b4c35218a402ec5dead538e8c7ba67ac1047c20a0e9ab9768d

SHA512
762fc29ee4cf1e09874d81dabaa5e60b2277d55ec8c55ca637be20d84a4ef21fb6fdf049bad4d2fab8b8d07b6e264d41733de07966e3c9da4cf451135d31a174

Download Submit
C:\Users\Admin\AppData\Local\Temp\272.tmp\tb.dat

Filesize
11.1MB

MD5
c700215421d031ff8431eb78f8f88862

SHA1
c31b4627407250f9961479b6716345b192fc5113

SHA256
b3203960248f5f8a2b8be7bb31de700d670ea952450b1b8ea1f4803e2b55f26f

SHA512
a2e4bb68b3f4a9a105e04693473ad60afb9f082607ae5ddfdb8eb00df425ee419082ea7d0367a86f1ca2127e29e3d590b5a638d1abfafdfe59788adccb950c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\272.tmp\win.bat

Filesize
1KB

MD5
0c5774a46b89a9ac3258cf3924b7c94a

SHA1
6bd7f1de8a61ba65a81eb2d79eb7b2e59fa93846

SHA256
33f49f5e9835948701a8e093ea3a9792f4e5bd7ed4a1a55282c5e2bf06d37028

SHA512
00cfbcba2f6786b4b6f907ece399e56de84d30ece7e2f43f4a2fa961d79e5826c05b5233c1e8986da88e37bafd2b77e93c88c157f695e4ffca28af483cd1d00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\272.tmp\woti.dat

Filesize
10.2MB

MD5
c05c54ed8e88a94bb1acc8e2971554a1

SHA1
20b26501f67ab603972845834074738d41e29eeb

SHA256
9a07d30fac34af636b39ba5433525ba0cff86c7b46209efd64f19e8fe30e610a

SHA512
90d996427b886f33a59889a31c17d51d603a76e3b9f443b3bb81defeafec8e7edfe04585f6fcaaf2ec6c60b2d17e7272a44bc65e84407c4b5f24abeaed588d8d

Download Submit
C:\Windows\IME\svcgjfl.exe

Filesize
11.1MB

MD5
c700215421d031ff8431eb78f8f88862

SHA1
c31b4627407250f9961479b6716345b192fc5113

SHA256
b3203960248f5f8a2b8be7bb31de700d670ea952450b1b8ea1f4803e2b55f26f

SHA512
a2e4bb68b3f4a9a105e04693473ad60afb9f082607ae5ddfdb8eb00df425ee419082ea7d0367a86f1ca2127e29e3d590b5a638d1abfafdfe59788adccb950c1b

Download Submit
C:\Windows\ime\winxp.dat

Filesize
10.2MB

MD5
c05c54ed8e88a94bb1acc8e2971554a1

SHA1
20b26501f67ab603972845834074738d41e29eeb

SHA256
9a07d30fac34af636b39ba5433525ba0cff86c7b46209efd64f19e8fe30e610a

SHA512
90d996427b886f33a59889a31c17d51d603a76e3b9f443b3bb81defeafec8e7edfe04585f6fcaaf2ec6c60b2d17e7272a44bc65e84407c4b5f24abeaed588d8d

Download Submit
\Windows\IME\svcgjfl.exe

Filesize
11.1MB

MD5
c700215421d031ff8431eb78f8f88862

SHA1
c31b4627407250f9961479b6716345b192fc5113

SHA256
b3203960248f5f8a2b8be7bb31de700d670ea952450b1b8ea1f4803e2b55f26f

SHA512
a2e4bb68b3f4a9a105e04693473ad60afb9f082607ae5ddfdb8eb00df425ee419082ea7d0367a86f1ca2127e29e3d590b5a638d1abfafdfe59788adccb950c1b

Download Submit
\Windows\IME\winxp.dat

Filesize
10.2MB

MD5
c05c54ed8e88a94bb1acc8e2971554a1

SHA1
20b26501f67ab603972845834074738d41e29eeb

SHA256
9a07d30fac34af636b39ba5433525ba0cff86c7b46209efd64f19e8fe30e610a

SHA512
90d996427b886f33a59889a31c17d51d603a76e3b9f443b3bb81defeafec8e7edfe04585f6fcaaf2ec6c60b2d17e7272a44bc65e84407c4b5f24abeaed588d8d

Download Submit
memory/552-71-0x0000000074870000-0x0000000074989000-memory.dmp

Filesize
1.1MB

Download
memory/552-72-0x0000000074870000-0x0000000074989000-memory.dmp

Filesize
1.1MB

Download
memory/1064-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1064-70-0x0000000000400000-0x0000000001955000-memory.dmp

Filesize
21.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads