deee416836a91db411eea1efc255c49021f7744f26ef58b68bf4238369ad7600

General

Target

deee416836a91db411eea1efc255c49021f7744f26ef58b68bf4238369ad7600.exe
Size

11KB
MD5

e2c457eedc61e399d4ed5ca9f87b21b3
SHA1

d4142674a73809cf133ac94a03302a47a98e8ea2
SHA256

deee416836a91db411eea1efc255c49021f7744f26ef58b68bf4238369ad7600
SHA512

a8683123aa5c89092cecd74ea0353849eb587164152982804903d819c34aa42ebcc1698ee818ed60337a837d0578de4a19e4545ef1c6c1a4c8c6aa13b926c5a3
SSDEEP

192:BrMK4TA90YN2aqXzQ1bC9WP5BIRJMVxKW6CCE0jumCap:BrXyYN6XzQ5jBHKyKCY

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\MgicRc.sys	deee416836a91db411eea1efc255c49021f7744f26ef58b68bf4238369ad7600.exe
File opened for modification	C:\Windows\SysWOW64\drivers\MgicRc.sys	svchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\chike.dll"	deee416836a91db411eea1efc255c49021f7744f26ef58b68bf4238369ad7600.exe

Deletes itself 1 IoCs

pid	Process
1312	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1964	deee416836a91db411eea1efc255c49021f7744f26ef58b68bf4238369ad7600.exe
888	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\chike.dll	deee416836a91db411eea1efc255c49021f7744f26ef58b68bf4238369ad7600.exe
File opened for modification	C:\Windows\SysWOW64\chike.dll	deee416836a91db411eea1efc255c49021f7744f26ef58b68bf4238369ad7600.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1964	deee416836a91db411eea1efc255c49021f7744f26ef58b68bf4238369ad7600.exe
1964	deee416836a91db411eea1efc255c49021f7744f26ef58b68bf4238369ad7600.exe
888	svchost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
468	Process not Found
468	Process not Found

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1312	1964	deee416836a91db411eea1efc255c49021f7744f26ef58b68bf4238369ad7600.exe	29
PID 1964 wrote to memory of 1312	1964	deee416836a91db411eea1efc255c49021f7744f26ef58b68bf4238369ad7600.exe	29
PID 1964 wrote to memory of 1312	1964	deee416836a91db411eea1efc255c49021f7744f26ef58b68bf4238369ad7600.exe	29
PID 1964 wrote to memory of 1312	1964	deee416836a91db411eea1efc255c49021f7744f26ef58b68bf4238369ad7600.exe	29

C:\Users\Admin\AppData\Local\Temp\deee416836a91db411eea1efc255c49021f7744f26ef58b68bf4238369ad7600.exe
"C:\Users\Admin\AppData\Local\Temp\deee416836a91db411eea1efc255c49021f7744f26ef58b68bf4238369ad7600.exe"
1⤵
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7164985.bat" "
  2⤵
  - Deletes itself
  PID:1312

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7164985.bat

Filesize
293B

MD5
9bd4f7e420c9fa50bdfa0d1313d9d093

SHA1
ef9d8ae3d64846c860402da70eea9dac42b3e9c2

SHA256
3a7aa799cdb1289b1ec34d8e4c17447d927b4a293fb11168726a817788356229

SHA512
c6c05d5efc807207a9c517ca38ad96842e101698cdf1696c2ba417f98d59e36fdc3edf8a2eceff4cae3232df37c8786e73b398a574e86fcb113191c7c5d07d19

Download Submit
C:\Windows\SysWOW64\drivers\MgicRc.sys

Filesize
2KB

MD5
058bf2e0728e3d36308bf49ca10b9072

SHA1
ed9ca10d9ca36c94f065401c0c6ee5573a7f7de6

SHA256
9a5ae5bf51913d9c8e84dae09636d09b83359547cc9efd7acaa5e13ec6e9bf70

SHA512
e3ceadf9a09c2df7af451a7bc53c8d2419e3c94e478ad02436fbdec661304713a86c86780a6361a01ee2afece1917b92e5043580e2e697eaf05a73fb18fd26c2

Download Submit
\??\c:\windows\SysWOW64\chike.dll

Filesize
19KB

MD5
bb866e9e6295c2c2a181f8fd629dde7c

SHA1
6d960ba839b99c7132f813d5356d38cdb38c330f

SHA256
bca5fe11f0e3fc5a4a0ac514bccea527c0868731d2b9eddfd85d3c6312e75e90

SHA512
177ce743e03639eac9c26d37ead0dc7b41f5335c4d1c0a852cd489a2e1d61d98a594f78a28d9796c129327e8283ffdb3511da5282a3521712b1a7e19a2f7fbe0

Download Submit
\Users\Admin\AppData\Local\Temp\dll846.dll

Filesize
19KB

MD5
bb866e9e6295c2c2a181f8fd629dde7c

SHA1
6d960ba839b99c7132f813d5356d38cdb38c330f

SHA256
bca5fe11f0e3fc5a4a0ac514bccea527c0868731d2b9eddfd85d3c6312e75e90

SHA512
177ce743e03639eac9c26d37ead0dc7b41f5335c4d1c0a852cd489a2e1d61d98a594f78a28d9796c129327e8283ffdb3511da5282a3521712b1a7e19a2f7fbe0

Download Submit
\Windows\SysWOW64\chike.dll

Filesize
19KB

MD5
bb866e9e6295c2c2a181f8fd629dde7c

SHA1
6d960ba839b99c7132f813d5356d38cdb38c330f

SHA256
bca5fe11f0e3fc5a4a0ac514bccea527c0868731d2b9eddfd85d3c6312e75e90

SHA512
177ce743e03639eac9c26d37ead0dc7b41f5335c4d1c0a852cd489a2e1d61d98a594f78a28d9796c129327e8283ffdb3511da5282a3521712b1a7e19a2f7fbe0

Download Submit
memory/1964-58-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing