795b1f2d5c247f993cfb86b0c7477c0dcd01ecb86d1f717907217902ae784ec6

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

795b1f2d5c247f993cfb86b0c7477c0dcd01ecb86d1f717907217902ae784ec6.exe
Size

1.8MB
MD5

5fbf02c74221655c1e378f8cd0cec4ee
SHA1

dd9f5edab6c8c9c0665a2c6e3a4090663a95d0d4
SHA256

795b1f2d5c247f993cfb86b0c7477c0dcd01ecb86d1f717907217902ae784ec6
SHA512

93143f1e0459af26e1cbf59e4cef96624a2fac862a0b419a04c0eceafa7515524a95e86baedae58745d46f3bff9d9a7bdbd5a2f9647bd12d440988a7f2652c15
SSDEEP

49152:nymv/A9r6b7Bo6kaepTqvtchcL6yUw4gZ2oe7yUFex:nyiAN6+ZqFHL7X

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\ARManager\\apmanager.exe"	795b1f2d5c247f993cfb86b0c7477c0dcd01ecb86d1f717907217902ae784ec6.exe

Executes dropped EXE 1 IoCs

pid	Process
4040	apmanager.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	795b1f2d5c247f993cfb86b0c7477c0dcd01ecb86d1f717907217902ae784ec6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\apmanager.exe = "C:\\Users\\Admin\\AppData\\Roaming\\ARManager\\apmanager.exe silent"	795b1f2d5c247f993cfb86b0c7477c0dcd01ecb86d1f717907217902ae784ec6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4040	apmanager.exe
4040	apmanager.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4040	apmanager.exe
4040	apmanager.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4040	apmanager.exe
4040	apmanager.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4040	apmanager.exe
4040	apmanager.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 4040	2492	795b1f2d5c247f993cfb86b0c7477c0dcd01ecb86d1f717907217902ae784ec6.exe	79
PID 2492 wrote to memory of 4040	2492	795b1f2d5c247f993cfb86b0c7477c0dcd01ecb86d1f717907217902ae784ec6.exe	79
PID 2492 wrote to memory of 4040	2492	795b1f2d5c247f993cfb86b0c7477c0dcd01ecb86d1f717907217902ae784ec6.exe	79

C:\Users\Admin\AppData\Local\Temp\795b1f2d5c247f993cfb86b0c7477c0dcd01ecb86d1f717907217902ae784ec6.exe
"C:\Users\Admin\AppData\Local\Temp\795b1f2d5c247f993cfb86b0c7477c0dcd01ecb86d1f717907217902ae784ec6.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Roaming\ARManager\apmanager.exe
  C:\Users\Admin\AppData\Roaming\ARManager\apmanager.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ARManager\apmanager.exe

Filesize
1.8MB

MD5
5e8144ecb1a375c7c11e3b53abd0a7a6

SHA1
09317fb3608b7dd3023eb631bf2f274c653d8fb6

SHA256
ce73ecc3c8fc4bd97050d30ffa2d6056046b3c738949e84b374db42476f2eb94

SHA512
a2ed6692491efce6efcd34ac8544dca40182ee3f1aeca6a91ef9b612fc4e5e830f3e64a2db24f9b985616ba210acc8a2547f8c1ec12f9132844288c22d182d73

Download Submit
C:\Users\Admin\AppData\Roaming\ARManager\apmanager.exe

Filesize
1.8MB

MD5
5e8144ecb1a375c7c11e3b53abd0a7a6

SHA1
09317fb3608b7dd3023eb631bf2f274c653d8fb6

SHA256
ce73ecc3c8fc4bd97050d30ffa2d6056046b3c738949e84b374db42476f2eb94

SHA512
a2ed6692491efce6efcd34ac8544dca40182ee3f1aeca6a91ef9b612fc4e5e830f3e64a2db24f9b985616ba210acc8a2547f8c1ec12f9132844288c22d182d73

Download Submit
C:\Users\Admin\AppData\Roaming\ARManager\languages\English.lng

Filesize
5KB

MD5
07085de5f288a4af975301d446b5e33b

SHA1
1bab1af24546e953ef72b3f91ce1703aa3053da3

SHA256
5026f9af6ce420f4c30853758d9b5e1b9f0042ded6026a925ee180aea661e872

SHA512
1f8e16f22cd88a8acd47cbfd5cec4e8b496194b350b106b97b4147d42ba959894e920a5535ec022ab57b7977c74b6ec9864e0344bfea5bf2e0df95c60fd29e54

Download Submit
C:\Users\Admin\AppData\Roaming\ARManager\settings.ini

Filesize
56B

MD5
9658115969f8bdd195057ae4ffc3879c

SHA1
0a49b14ba6f3ad44cb4e92d34fc1f7489a080b9b

SHA256
bcb3f04f6ea6e9dd65086af8e1cfd21c7e145e29e9f19d811393dcfc9375c128

SHA512
487118149fc1098a0515150193e082298c9675d294bb8384a0f8f3629691ffcab885cb871eec9b448c0d5efc3454413489652269e6f03ad72b3a110b0a3f900c

Download Submit
memory/4040-132-0x0000000000000000-mapping.dmp

Download