a7f8fb74ab76d110c8ab25aa17650f4447345f25919cc44e5c5b576b98ea8fff

General

Target

a7f8fb74ab76d110c8ab25aa17650f4447345f25919cc44e5c5b576b98ea8fff.exe
Size

953KB
MD5

c641a1cc9741ad61740d35b535d2c7f9
SHA1

15e7999c2cbd1f6d5f88da532c122c069a9df039
SHA256

a7f8fb74ab76d110c8ab25aa17650f4447345f25919cc44e5c5b576b98ea8fff
SHA512

ef2948a520033357eed66a776c6ecc19a62dd599a4f11bdb87ed0a7844f9cb13922cf3133a44bcff4485659e00aaa8777ea4fc1627875bbf08959186430ef4da
SSDEEP

24576:hXuj+c3eBzO3DKHGppYBbyjUDUK9wS+gz:h+t3pGQSN+k

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
736	rundll.exe

Loads dropped DLL 3 IoCs

pid	Process
956	a7f8fb74ab76d110c8ab25aa17650f4447345f25919cc44e5c5b576b98ea8fff.exe
956	a7f8fb74ab76d110c8ab25aa17650f4447345f25919cc44e5c5b576b98ea8fff.exe
736	rundll.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll = "\"C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe \""	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
276	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
956	a7f8fb74ab76d110c8ab25aa17650f4447345f25919cc44e5c5b576b98ea8fff.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
736	rundll.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 736	956	a7f8fb74ab76d110c8ab25aa17650f4447345f25919cc44e5c5b576b98ea8fff.exe	28
PID 956 wrote to memory of 736	956	a7f8fb74ab76d110c8ab25aa17650f4447345f25919cc44e5c5b576b98ea8fff.exe	28
PID 956 wrote to memory of 736	956	a7f8fb74ab76d110c8ab25aa17650f4447345f25919cc44e5c5b576b98ea8fff.exe	28
PID 956 wrote to memory of 736	956	a7f8fb74ab76d110c8ab25aa17650f4447345f25919cc44e5c5b576b98ea8fff.exe	28
PID 736 wrote to memory of 1372	736	rundll.exe	29
PID 736 wrote to memory of 1372	736	rundll.exe	29
PID 736 wrote to memory of 1372	736	rundll.exe	29
PID 736 wrote to memory of 1372	736	rundll.exe	29
PID 1372 wrote to memory of 1488	1372	cmd.exe	31
PID 1372 wrote to memory of 1488	1372	cmd.exe	31
PID 1372 wrote to memory of 1488	1372	cmd.exe	31
PID 1372 wrote to memory of 1488	1372	cmd.exe	31
PID 1488 wrote to memory of 276	1488	cmd.exe	32
PID 1488 wrote to memory of 276	1488	cmd.exe	32
PID 1488 wrote to memory of 276	1488	cmd.exe	32
PID 1488 wrote to memory of 276	1488	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\a7f8fb74ab76d110c8ab25aa17650f4447345f25919cc44e5c5b576b98ea8fff.exe
"C:\Users\Admin\AppData\Local\Temp\a7f8fb74ab76d110c8ab25aa17650f4447345f25919cc44e5c5b576b98ea8fff.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Roaming\rundll.exe
  "C:\Users\Admin\AppData\Roaming\rundll.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
145B

MD5
6b8393408a3f2df19ff1e68a4f720729

SHA1
03cbc980dd47a33bdfa18be80cbd3efdbbaf95c6

SHA256
623fecae412449f60ffd8f38862e73504124afb0754952a45103daff0de5a7c9

SHA512
235e3c1f0074282c8cd8d6d9b6dc0c71ae591f5ca6a2f2248f832359a1a452cfce26b5f80fddc5acd5aae811630441b640212b9b7a885f2d69e67813d8d846ca

Download Submit
C:\Users\Admin\AppData\Roaming\ntldr.dll

Filesize
115KB

MD5
15551ca46d64f12757d29b4fb5090436

SHA1
f23db6e98b0c48c2c7950180705bdd39c6c8af4d

SHA256
d1cc21e0e340b5d5297d817cb81c04c6dee395955ae3ff8152c221603ac87d9b

SHA512
60487610d89431647aa02393c2ea361172fa3aff68dc804dae6f7551d04df9e464dcfb7e8218f526cdff80338c2f1ee7bf81e66ca438c79519aa038eb2529502

Download Submit
C:\Users\Admin\AppData\Roaming\rundll.exe

Filesize
416KB

MD5
4499c25e7eaaa0624258a53ea2db1107

SHA1
00142bcdebdba7916bf07c19344f6f68eda75044

SHA256
b0786b06f44904da9ea4c71eb7ed20514295f192c75a08500e50901f97eced20

SHA512
912fdb3fe2ad70f6007a62daace0729ecb8f672baff732eef1800b6523bb98caf6fb32b3dbe4014371db68839d68a5581a6dc6bbf7b154eb94340d8992f7b1cd

Download Submit
\Users\Admin\AppData\Roaming\ntldr.dll

Filesize
115KB

MD5
15551ca46d64f12757d29b4fb5090436

SHA1
f23db6e98b0c48c2c7950180705bdd39c6c8af4d

SHA256
d1cc21e0e340b5d5297d817cb81c04c6dee395955ae3ff8152c221603ac87d9b

SHA512
60487610d89431647aa02393c2ea361172fa3aff68dc804dae6f7551d04df9e464dcfb7e8218f526cdff80338c2f1ee7bf81e66ca438c79519aa038eb2529502

Download Submit
\Users\Admin\AppData\Roaming\rundll.exe

Filesize
416KB

MD5
4499c25e7eaaa0624258a53ea2db1107

SHA1
00142bcdebdba7916bf07c19344f6f68eda75044

SHA256
b0786b06f44904da9ea4c71eb7ed20514295f192c75a08500e50901f97eced20

SHA512
912fdb3fe2ad70f6007a62daace0729ecb8f672baff732eef1800b6523bb98caf6fb32b3dbe4014371db68839d68a5581a6dc6bbf7b154eb94340d8992f7b1cd

Download Submit
\Users\Admin\AppData\Roaming\rundll.exe

Filesize
416KB

MD5
4499c25e7eaaa0624258a53ea2db1107

SHA1
00142bcdebdba7916bf07c19344f6f68eda75044

SHA256
b0786b06f44904da9ea4c71eb7ed20514295f192c75a08500e50901f97eced20

SHA512
912fdb3fe2ad70f6007a62daace0729ecb8f672baff732eef1800b6523bb98caf6fb32b3dbe4014371db68839d68a5581a6dc6bbf7b154eb94340d8992f7b1cd

Download Submit
memory/736-62-0x00000000002A0000-0x00000000002C1000-memory.dmp

Filesize
132KB

Download
memory/956-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads