877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca

General

Target

877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe
Size

380KB
MD5

34aa081a0ff6070ede2fedf8c88ba427
SHA1

6fbf8d88607400c122efa1ff26e54f8b77a89693
SHA256

877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca
SHA512

3b96a127ce06cc1727bec9e94b15a14f8208da4423c97fd93a1246f6e93b79321e9a9c7f9e1dad34cc599a8861c09b24828c9e8ade3bff000ac9fa9aaa20557b
SSDEEP

6144:z110FhzzzzU21uu0ZBdPb79e94ofZtY4U0pcof6J9MUsd:R10PzzzzUe4D

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
524	Analyse.exe
636	Analyse.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
596	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Analyze.exe	Analyse.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Analyze.exe	Analyse.exe

Loads dropped DLL 1 IoCs

pid	Process
1756	877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Analyze = "\"C:\\Users\\Admin\\AppData\\Roaming\\Analyse.exe\" .."	Analyse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Analyze = "\"C:\\Users\\Admin\\AppData\\Roaming\\Analyse.exe\" .."	Analyse.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1228 set thread context of 1756	1228	877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe	27
PID 524 set thread context of 636	524	Analyse.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1228	877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe
524	Analyse.exe
636	Analyse.exe
636	Analyse.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1228	877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe
Token: SeDebugPrivilege	524	Analyse.exe
Token: SeDebugPrivilege	636	Analyse.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1756	1228	877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe	27
PID 1228 wrote to memory of 1756	1228	877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe	27
PID 1228 wrote to memory of 1756	1228	877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe	27
PID 1228 wrote to memory of 1756	1228	877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe	27
PID 1228 wrote to memory of 1756	1228	877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe	27
PID 1228 wrote to memory of 1756	1228	877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe	27
PID 1228 wrote to memory of 1756	1228	877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe	27
PID 1228 wrote to memory of 1756	1228	877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe	27
PID 1228 wrote to memory of 1756	1228	877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe	27
PID 1756 wrote to memory of 524	1756	877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe	28
PID 1756 wrote to memory of 524	1756	877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe	28
PID 1756 wrote to memory of 524	1756	877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe	28
PID 1756 wrote to memory of 524	1756	877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe	28
PID 524 wrote to memory of 636	524	Analyse.exe	29
PID 524 wrote to memory of 636	524	Analyse.exe	29
PID 524 wrote to memory of 636	524	Analyse.exe	29
PID 524 wrote to memory of 636	524	Analyse.exe	29
PID 524 wrote to memory of 636	524	Analyse.exe	29
PID 524 wrote to memory of 636	524	Analyse.exe	29
PID 524 wrote to memory of 636	524	Analyse.exe	29
PID 524 wrote to memory of 636	524	Analyse.exe	29
PID 524 wrote to memory of 636	524	Analyse.exe	29
PID 636 wrote to memory of 596	636	Analyse.exe	30
PID 636 wrote to memory of 596	636	Analyse.exe	30
PID 636 wrote to memory of 596	636	Analyse.exe	30
PID 636 wrote to memory of 596	636	Analyse.exe	30

C:\Users\Admin\AppData\Local\Temp\877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe
"C:\Users\Admin\AppData\Local\Temp\877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca.exe
  877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Users\Admin\AppData\Roaming\Analyse.exe
    "C:\Users\Admin\AppData\Roaming\Analyse.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Users\Admin\AppData\Roaming\Analyse.exe
      Analyse
      4⤵
      Executes dropped EXE
      Drops startup file
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:636
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Analyse.exe" "Analyse.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Analyse.exe

Filesize
380KB

MD5
34aa081a0ff6070ede2fedf8c88ba427

SHA1
6fbf8d88607400c122efa1ff26e54f8b77a89693

SHA256
877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca

SHA512
3b96a127ce06cc1727bec9e94b15a14f8208da4423c97fd93a1246f6e93b79321e9a9c7f9e1dad34cc599a8861c09b24828c9e8ade3bff000ac9fa9aaa20557b

Download Submit
C:\Users\Admin\AppData\Roaming\Analyse.exe

Filesize
380KB

MD5
34aa081a0ff6070ede2fedf8c88ba427

SHA1
6fbf8d88607400c122efa1ff26e54f8b77a89693

SHA256
877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca

SHA512
3b96a127ce06cc1727bec9e94b15a14f8208da4423c97fd93a1246f6e93b79321e9a9c7f9e1dad34cc599a8861c09b24828c9e8ade3bff000ac9fa9aaa20557b

Download Submit
C:\Users\Admin\AppData\Roaming\Analyse.exe

Filesize
380KB

MD5
34aa081a0ff6070ede2fedf8c88ba427

SHA1
6fbf8d88607400c122efa1ff26e54f8b77a89693

SHA256
877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca

SHA512
3b96a127ce06cc1727bec9e94b15a14f8208da4423c97fd93a1246f6e93b79321e9a9c7f9e1dad34cc599a8861c09b24828c9e8ade3bff000ac9fa9aaa20557b

Download Submit
\Users\Admin\AppData\Roaming\Analyse.exe

Filesize
380KB

MD5
34aa081a0ff6070ede2fedf8c88ba427

SHA1
6fbf8d88607400c122efa1ff26e54f8b77a89693

SHA256
877e770f8ee1c2282325458614775a82499d9ed001c68de3e3d30afac09547ca

SHA512
3b96a127ce06cc1727bec9e94b15a14f8208da4423c97fd93a1246f6e93b79321e9a9c7f9e1dad34cc599a8861c09b24828c9e8ade3bff000ac9fa9aaa20557b

Download Submit
memory/524-73-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/524-82-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/524-72-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/636-86-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/636-85-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/1228-64-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/1228-56-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/1228-55-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/1228-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1756-71-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-57-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1756-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1756-65-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing