d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141

Reason

Machine shutdown

General

Target

d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141.exe
Size

50KB
MD5

11e975c230b5ab674c92e16d06ab8a64
SHA1

e09b71ef840741f0f20d13291a33af452468f966
SHA256

d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141
SHA512

95c44db5f514d282f0b0c8601d73954ab847c9aa88f4d30d38f6c415c50c36758b75642a036b04f61590d31753e7ef825bc43c249fbd67fcf268f065f50f5120
SSDEEP

768:d/8m0p5WvBxDJST7jkn1r3hmTvg3ywI/rf/WpnCkC5HVYPCj:dUH5WvfDJSnIn1sruI/rWpEHyP

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
580	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\2547822164 = "C:\\Users\\Admin\\2547822164.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1816	d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141.exe
Token: SeShutdownPrivilege	884	shutdown.exe
Token: SeRemoteShutdownPrivilege	884	shutdown.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1816	d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 952	1816	d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141.exe	28
PID 1816 wrote to memory of 952	1816	d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141.exe	28
PID 1816 wrote to memory of 952	1816	d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141.exe	28
PID 1816 wrote to memory of 952	1816	d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141.exe	28
PID 952 wrote to memory of 564	952	cmd.exe	30
PID 952 wrote to memory of 564	952	cmd.exe	30
PID 952 wrote to memory of 564	952	cmd.exe	30
PID 952 wrote to memory of 564	952	cmd.exe	30
PID 1816 wrote to memory of 884	1816	d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141.exe	31
PID 1816 wrote to memory of 884	1816	d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141.exe	31
PID 1816 wrote to memory of 884	1816	d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141.exe	31
PID 1816 wrote to memory of 884	1816	d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141.exe	31
PID 1816 wrote to memory of 580	1816	d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141.exe	33
PID 1816 wrote to memory of 580	1816	d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141.exe	33
PID 1816 wrote to memory of 580	1816	d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141.exe	33
PID 1816 wrote to memory of 580	1816	d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141.exe	33

C:\Users\Admin\AppData\Local\Temp\d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141.exe
"C:\Users\Admin\AppData\Local\Temp\d9fd70f70057e91987a9b9c3ca820c259f3da5d7a537cb39cce081f61dbdb141.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2547822164 /t REG_SZ /d "%userprofile%\2547822164.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2547822164 /t REG_SZ /d "C:\Users\Admin\2547822164.exe" /f
    3⤵
    - Adds Run key to start application
    PID:564
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /f /t 3
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\D9FD70~1.EXE > nul
  2⤵
  - Deletes itself
  PID:580

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:888

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/564-58-0x0000000000000000-mapping.dmp

Download
memory/580-60-0x0000000000000000-mapping.dmp

Download
memory/884-59-0x0000000000000000-mapping.dmp

Download
memory/888-61-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp

Filesize
8KB

Download
memory/952-57-0x0000000000000000-mapping.dmp

Download
memory/1816-54-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/1816-55-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1816-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors