d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b

General

Target

d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe
Size

1.2MB
MD5

166fdd9bc2bd4ee95950c1fc6ce73b8b
SHA1

afce906f1e0d09d53f6c0f0f1748367dafb27b6b
SHA256

d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b
SHA512

ea6f2452a725c8ebb171b27cd6488dfa34ade364f0b7a594160dd751325be068fd03ad50f2f07c7fb1922e225f2a47a1bf5ae4f09bf7059018263d23b2c51de4
SSDEEP

12288:1d4XajaY+8GXgJzcXwXMpBq3JPD0YslFtLjJvS9WspRSGIJKQXaomNgHsjqrqJHO:13R5IJKQXaomNgH2qrqJHyLz2OQ2ABP

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	zzbrenkzz.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	zzbrenkzz.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	zzbrenkzz.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe = "C:\\Users\\Admin\\AppData\\Roaming\\zzbrenkzz.exe:*:Enabled:qewrghhjptughirghr"	zzbrenkzz.exe

Executes dropped EXE 2 IoCs

pid	Process
1512	zzbrenkzz.exe
3996	zzbrenkzz.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdaterzz = "C:\\Users\\Admin\\AppData\\Roaming\\zzbrenkzz.exe"	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Users\\Admin\\AppData\\Roaming\\zzbrenkzz.exe"	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2808 set thread context of 2160	2808	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe	82
PID 1512 set thread context of 3996	1512	zzbrenkzz.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2808	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe
1512	zzbrenkzz.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2160	2808	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe	82
PID 2808 wrote to memory of 2160	2808	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe	82
PID 2808 wrote to memory of 2160	2808	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe	82
PID 2808 wrote to memory of 2160	2808	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe	82
PID 2808 wrote to memory of 2160	2808	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe	82
PID 2808 wrote to memory of 2160	2808	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe	82
PID 2808 wrote to memory of 2160	2808	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe	82
PID 2808 wrote to memory of 2160	2808	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe	82
PID 2160 wrote to memory of 1512	2160	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe	83
PID 2160 wrote to memory of 1512	2160	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe	83
PID 2160 wrote to memory of 1512	2160	d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe	83
PID 1512 wrote to memory of 3996	1512	zzbrenkzz.exe	84
PID 1512 wrote to memory of 3996	1512	zzbrenkzz.exe	84
PID 1512 wrote to memory of 3996	1512	zzbrenkzz.exe	84
PID 1512 wrote to memory of 3996	1512	zzbrenkzz.exe	84
PID 1512 wrote to memory of 3996	1512	zzbrenkzz.exe	84
PID 1512 wrote to memory of 3996	1512	zzbrenkzz.exe	84
PID 1512 wrote to memory of 3996	1512	zzbrenkzz.exe	84
PID 1512 wrote to memory of 3996	1512	zzbrenkzz.exe	84

C:\Users\Admin\AppData\Local\Temp\d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe
"C:\Users\Admin\AppData\Local\Temp\d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe
  "C:\Users\Admin\AppData\Local\Temp\d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies WinLogon
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe
    "C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe
      "C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe"
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      PID:3996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe

Filesize
1.2MB

MD5
166fdd9bc2bd4ee95950c1fc6ce73b8b

SHA1
afce906f1e0d09d53f6c0f0f1748367dafb27b6b

SHA256
d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b

SHA512
ea6f2452a725c8ebb171b27cd6488dfa34ade364f0b7a594160dd751325be068fd03ad50f2f07c7fb1922e225f2a47a1bf5ae4f09bf7059018263d23b2c51de4

Download Submit
C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe

Filesize
1.2MB

MD5
166fdd9bc2bd4ee95950c1fc6ce73b8b

SHA1
afce906f1e0d09d53f6c0f0f1748367dafb27b6b

SHA256
d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b

SHA512
ea6f2452a725c8ebb171b27cd6488dfa34ade364f0b7a594160dd751325be068fd03ad50f2f07c7fb1922e225f2a47a1bf5ae4f09bf7059018263d23b2c51de4

Download Submit
C:\Users\Admin\AppData\Roaming\zzbrenkzz.exe

Filesize
1.2MB

MD5
166fdd9bc2bd4ee95950c1fc6ce73b8b

SHA1
afce906f1e0d09d53f6c0f0f1748367dafb27b6b

SHA256
d75cc8cb4943332395c7655494f99309422d2851d9280eed58e372470d32590b

SHA512
ea6f2452a725c8ebb171b27cd6488dfa34ade364f0b7a594160dd751325be068fd03ad50f2f07c7fb1922e225f2a47a1bf5ae4f09bf7059018263d23b2c51de4

Download Submit
memory/1512-146-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1512-152-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2160-138-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2160-140-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2160-136-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2808-139-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2808-134-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/3996-151-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3996-153-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads