1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f

General

Target

1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe
Size

26.8MB
MD5

f8e40037e70f7e8a07351c2265205026
SHA1

ae75cd9ca01a777eb62368ab4a48e2297e0bd6cf
SHA256

1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f
SHA512

6da1817f46cc7061d1decaf99b698e5ef2f182e31c7c9862a2d3f4ead829017b6cbb828a7ab7adfa62fbe40385ae40c5586d18ec5032ef0693053178ac1480b5
SSDEEP

196608:LicMqh33obKzEfoQIo3vskA/ameVSW43y4RpeswhdgbV:LzMc3uCEAQpvs//hSE3yQXwhdCV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1412	3ddown.com_camfrog_setup.exe

Loads dropped DLL 4 IoCs

pid	Process
1776	1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe
1412	3ddown.com_camfrog_setup.exe
1412	3ddown.com_camfrog_setup.exe
1412	3ddown.com_camfrog_setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3ddown.com_camfrog = "C:\\Users\\Public\\Epvsa\\Traab.exe /3ddown.com_camfrog /{F745867D-5B50-4F11-8C62-DEA72FB91557}"	1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 5 IoCs

installer

resource	yara_rule
behavioral1/files/0x000a000000012308-61.dat	nsis_installer_1
behavioral1/files/0x000a000000012308-65.dat	nsis_installer_1
behavioral1/files/0x000a000000012308-64.dat	nsis_installer_1
behavioral1/files/0x000a000000012308-63.dat	nsis_installer_1
behavioral1/files/0x000a000000012308-59.dat	nsis_installer_1

Runs net.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 952	1776	1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe	28
PID 1776 wrote to memory of 952	1776	1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe	28
PID 1776 wrote to memory of 952	1776	1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe	28
PID 1776 wrote to memory of 952	1776	1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe	28
PID 1776 wrote to memory of 952	1776	1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe	28
PID 1776 wrote to memory of 952	1776	1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe	28
PID 1776 wrote to memory of 952	1776	1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe	28
PID 952 wrote to memory of 1312	952	Net.exe	30
PID 952 wrote to memory of 1312	952	Net.exe	30
PID 952 wrote to memory of 1312	952	Net.exe	30
PID 952 wrote to memory of 1312	952	Net.exe	30
PID 952 wrote to memory of 1312	952	Net.exe	30
PID 952 wrote to memory of 1312	952	Net.exe	30
PID 952 wrote to memory of 1312	952	Net.exe	30
PID 1776 wrote to memory of 1412	1776	1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe	31
PID 1776 wrote to memory of 1412	1776	1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe	31
PID 1776 wrote to memory of 1412	1776	1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe	31
PID 1776 wrote to memory of 1412	1776	1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe	31
PID 1776 wrote to memory of 1412	1776	1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe	31
PID 1776 wrote to memory of 1412	1776	1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe	31
PID 1776 wrote to memory of 1412	1776	1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe	31

C:\Users\Admin\AppData\Local\Temp\1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe
"C:\Users\Admin\AppData\Local\Temp\1d3173ddc7b18fc6dd7a856437572cfb71e16209a2762e1163466a6284e45e2f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:1312
- C:\Users\Admin\AppData\Local\Temp\g8B146\3ddown.com_camfrog_setup.exe
  C:\Users\Admin\AppData\Local\Temp\g8B146\3ddown.com_camfrog_setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\g8B146\3ddown.com_camfrog_setup.exe

Filesize
4.9MB

MD5
16082d2a6c823c9ecba77b0621402952

SHA1
19609f0f2d6190e041d95dd0da14d45a28f2da21

SHA256
660abd7649d5e92bde215988024324fad75a7c238e1934640f3cfebccd6bb4ff

SHA512
9b7b5db4e69e525debfa276004a24111eb4606ef7205d8b0638a14fe601421ed23863b85d8368044fbe46f8d0f7db3c0d4898d4357087e2e61bba449ebcf2f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\g8B146\3ddown.com_camfrog_setup.exe

Filesize
4.9MB

MD5
16082d2a6c823c9ecba77b0621402952

SHA1
19609f0f2d6190e041d95dd0da14d45a28f2da21

SHA256
660abd7649d5e92bde215988024324fad75a7c238e1934640f3cfebccd6bb4ff

SHA512
9b7b5db4e69e525debfa276004a24111eb4606ef7205d8b0638a14fe601421ed23863b85d8368044fbe46f8d0f7db3c0d4898d4357087e2e61bba449ebcf2f95

Download Submit
\Users\Admin\AppData\Local\Temp\g8B146\3ddown.com_camfrog_setup.exe

Filesize
4.9MB

MD5
16082d2a6c823c9ecba77b0621402952

SHA1
19609f0f2d6190e041d95dd0da14d45a28f2da21

SHA256
660abd7649d5e92bde215988024324fad75a7c238e1934640f3cfebccd6bb4ff

SHA512
9b7b5db4e69e525debfa276004a24111eb4606ef7205d8b0638a14fe601421ed23863b85d8368044fbe46f8d0f7db3c0d4898d4357087e2e61bba449ebcf2f95

Download Submit
\Users\Admin\AppData\Local\Temp\g8B146\3ddown.com_camfrog_setup.exe

Filesize
4.9MB

MD5
16082d2a6c823c9ecba77b0621402952

SHA1
19609f0f2d6190e041d95dd0da14d45a28f2da21

SHA256
660abd7649d5e92bde215988024324fad75a7c238e1934640f3cfebccd6bb4ff

SHA512
9b7b5db4e69e525debfa276004a24111eb4606ef7205d8b0638a14fe601421ed23863b85d8368044fbe46f8d0f7db3c0d4898d4357087e2e61bba449ebcf2f95

Download Submit
\Users\Admin\AppData\Local\Temp\g8B146\3ddown.com_camfrog_setup.exe

Filesize
4.9MB

MD5
16082d2a6c823c9ecba77b0621402952

SHA1
19609f0f2d6190e041d95dd0da14d45a28f2da21

SHA256
660abd7649d5e92bde215988024324fad75a7c238e1934640f3cfebccd6bb4ff

SHA512
9b7b5db4e69e525debfa276004a24111eb4606ef7205d8b0638a14fe601421ed23863b85d8368044fbe46f8d0f7db3c0d4898d4357087e2e61bba449ebcf2f95

Download Submit
\Users\Admin\AppData\Local\Temp\nseD2EB.tmp\InstallOptions.dll

Filesize
14KB

MD5
265aa21c1e266da48375da24735edac5

SHA1
fd1a1ad8eb4d2ec164709bea1bc6d49a8a6b9e58

SHA256
d6a1542f6e05f73828e0d4e97235665ec706025d39de321dcb85ab78ad838536

SHA512
a2b4c66639504be4bad19346b5ac75eb992346e583c82071c9b7f23beb7252c61c553d71d3289a4d9735964a5e5907fa12e2d382352d7b5974959a78aaf969b1

Download Submit
memory/1776-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing