174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976

General

Target

174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976.exe
Size

23.6MB
MD5

8ef3137b93b585ebad52aa6419525ea1
SHA1

cf3e51fedf3f52df479275d676d636c240405719
SHA256

174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976
SHA512

6f2c75668ed612beaff05183ded5d04b5d1adbf02b6154c4b71f7d4182e49d1ae5a73674e734e6a506f00e7db2fc78fdd5b5ff9245f9f3d7994c1639cdd18f68
SSDEEP

98304:fziCp0pd6DvfGAJxd//cfLJhCAIO341gpjKzZS484:LiBbYPV/OCADI1gxKzF84

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5040	apconf_setup.exe
3540	is-J6P1C.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\apconf = "C:\\Program Files\\Ayxc\\Lksiq.exe /apconf /{BC3001D1-0387-4A00-99C6-CC8CD4B5AD03}"	174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Ayxc\fezose\pat.xml	174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976.exe
File created	C:\Program Files\Ayxc\fezose\vohese.dll	174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976.exe
File opened for modification	C:\Program Files\Ayxc\fezose\vohese.dll	174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976.exe
File opened for modification	C:\Program Files\Ayxc\mazos.exe	174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976.exe
File created	C:\Program Files\Ayxc\bugocs.exe	174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976.exe
File opened for modification	C:\Program Files\Ayxc\bugocs.exe	174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976.exe
File created	C:\Program Files\Common Files\System\Ole DB\MSPat.xml	174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\MSPat.xml	174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976.exe
File created	C:\Program Files\Ayxc\fezose\pat.xml	174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976.exe
File created	C:\Program Files\Ayxc\mazos.exe	174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 5040	4180	174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976.exe	81
PID 4180 wrote to memory of 5040	4180	174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976.exe	81
PID 4180 wrote to memory of 5040	4180	174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976.exe	81
PID 5040 wrote to memory of 3540	5040	apconf_setup.exe	82
PID 5040 wrote to memory of 3540	5040	apconf_setup.exe	82
PID 5040 wrote to memory of 3540	5040	apconf_setup.exe	82

C:\Users\Admin\AppData\Local\Temp\174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976.exe
"C:\Users\Admin\AppData\Local\Temp\174f03cbe46080f49e738fa808851d20ee40a522574dd9e942eb34110975f976.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Users\Admin\AppData\Local\Temp\g863CB\apconf_setup.exe
  C:\Users\Admin\AppData\Local\Temp\g863CB\apconf_setup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\is-BF8HC.tmp\is-J6P1C.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-BF8HC.tmp\is-J6P1C.tmp" /SL4 $A003E "C:\Users\Admin\AppData\Local\Temp\g863CB\apconf_setup.exe" 1670487 52736
    3⤵
    - Executes dropped EXE
    PID:3540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\g863CB\apconf_setup.exe

Filesize
1.8MB

MD5
e3ac3c5b88b2a531b901b7d05acfe8c0

SHA1
464cfc1b95923e98b77169e0c175472174b5e9f3

SHA256
7a7b0720f1218feeffa3ff06fb1bafcc628326b4dd41efcb07194e9016d35d30

SHA512
38984ca436a5784810be40a01c67afd00853b8b158f3779a3947dc094bfc9c87fb831f2bb48b46fd5430017bdf35f6c4a77e9757b529b0e2c1bfb1c6ad4f152d

Download Submit
C:\Users\Admin\AppData\Local\Temp\g863CB\apconf_setup.exe

Filesize
1.8MB

MD5
e3ac3c5b88b2a531b901b7d05acfe8c0

SHA1
464cfc1b95923e98b77169e0c175472174b5e9f3

SHA256
7a7b0720f1218feeffa3ff06fb1bafcc628326b4dd41efcb07194e9016d35d30

SHA512
38984ca436a5784810be40a01c67afd00853b8b158f3779a3947dc094bfc9c87fb831f2bb48b46fd5430017bdf35f6c4a77e9757b529b0e2c1bfb1c6ad4f152d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BF8HC.tmp\is-J6P1C.tmp

Filesize
658KB

MD5
f627721a34c13a5307779a498e8f6519

SHA1
9e54ec07e780eb1ccbbd61bb1a24238e46c01e18

SHA256
13c6a795a259a9731d5c00f35e6eeeeae840423d3e1783fd6c75509a3b7cb348

SHA512
c2dc88b441539b8827f0ef2a4c6b404cebaa5452d884d0174a2447347a462552f47a9d6521ecfa660cd9f0e0771fc192438865dcda305ab373c6f9a0c694aecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BF8HC.tmp\is-J6P1C.tmp

Filesize
658KB

MD5
f627721a34c13a5307779a498e8f6519

SHA1
9e54ec07e780eb1ccbbd61bb1a24238e46c01e18

SHA256
13c6a795a259a9731d5c00f35e6eeeeae840423d3e1783fd6c75509a3b7cb348

SHA512
c2dc88b441539b8827f0ef2a4c6b404cebaa5452d884d0174a2447347a462552f47a9d6521ecfa660cd9f0e0771fc192438865dcda305ab373c6f9a0c694aecc

Download Submit
memory/5040-135-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5040-137-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5040-141-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing