dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001

General

Target

dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe
Size

780KB
MD5

a548a295a9be7a551c68c55d004e7b80
SHA1

5327b8f9e2ec4028b87cad472e91abb6cec73783
SHA256

dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001
SHA512

4bbbf9b3dcc0426d05b65de22b4f999afc76fc382908016f4871f96d3d5f88b6bddcb93d875160253e4111d8ca4e7db5dc8a05c13f8f5319478c8f1abeac5c22
SSDEEP

24576:pcTICFaA6zm9TEuCaelHWmQR54qEc5ysEwkzrYRQ+:paFXdYQ4qXqworYRQ+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1568	usnscv.exe

Loads dropped DLL 2 IoCs

pid	Process
1004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe
1004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	usnscv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\usnscv.exe = "\"C:\\Users\\Admin\\AppData\\Local\\usnscv.exe\" /background"	usnscv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1004 set thread context of 1568	1004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1652	DllHost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 1632	1004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	28
PID 1004 wrote to memory of 1632	1004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	28
PID 1004 wrote to memory of 1632	1004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	28
PID 1004 wrote to memory of 1632	1004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	28
PID 1004 wrote to memory of 1632	1004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	28
PID 1004 wrote to memory of 1632	1004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	28
PID 1004 wrote to memory of 1632	1004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	28
PID 1632 wrote to memory of 1528	1632	cmd.exe	30
PID 1632 wrote to memory of 1528	1632	cmd.exe	30
PID 1632 wrote to memory of 1528	1632	cmd.exe	30
PID 1632 wrote to memory of 1528	1632	cmd.exe	30
PID 1004 wrote to memory of 1568	1004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	31
PID 1004 wrote to memory of 1568	1004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	31
PID 1004 wrote to memory of 1568	1004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	31
PID 1004 wrote to memory of 1568	1004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	31
PID 1004 wrote to memory of 1568	1004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	31
PID 1004 wrote to memory of 1568	1004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	31

C:\Users\Admin\AppData\Local\Temp\dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe
"C:\Users\Admin\AppData\Local\Temp\dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\winupdate.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy "C:\Users\Admin\AppData\Local\Temp\dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe" "C:\Users\Admin\AppData\Local\\usnscv.exe"
    3⤵
    PID:1528
- C:\Users\Admin\AppData\Local\usnscv.exe
  "C:\Users\Admin\AppData\Local\usnscv.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1568

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Seda (6).jpg

Filesize
30KB

MD5
706bde189715539261388384ac5d2c84

SHA1
17172d5cb0fca50bd76132158a36656cc7835a03

SHA256
6f280ab6cc663486fd7e97b8d324a9c1ece4c542019f20cabf0aff99bd217749

SHA512
a285b1145a0f1a8afd21d399f6149d885a6b274f806dd544593d2d844cbbd5b0d18576a43b56579736ef2f4e1adf850ab717d472e30c50b3048ce6b8c5df51f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\winupdate.bat

Filesize
180B

MD5
3f6e7bb4566261ebcf5006ad2dcd890f

SHA1
2bd4620b3f16a8914a808ce8bbc42dbd3e1808ba

SHA256
09ec06d7b58b8defc991147af5310a643fe7e73d04286c3589611f902ec10eb5

SHA512
8f4ee203a56460206b01fde5be79d42d16bbea4815e37e5b54572afb85d3d996e2b87a082f5a3aab95533bfe367cace0d5a49bfa19526d94509cc20eb548ac7e

Download Submit
C:\Users\Admin\AppData\Local\usnscv.exe

Filesize
780KB

MD5
a548a295a9be7a551c68c55d004e7b80

SHA1
5327b8f9e2ec4028b87cad472e91abb6cec73783

SHA256
dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001

SHA512
4bbbf9b3dcc0426d05b65de22b4f999afc76fc382908016f4871f96d3d5f88b6bddcb93d875160253e4111d8ca4e7db5dc8a05c13f8f5319478c8f1abeac5c22

Download Submit
C:\Users\Admin\AppData\Local\usnscv.exe

Filesize
780KB

MD5
a548a295a9be7a551c68c55d004e7b80

SHA1
5327b8f9e2ec4028b87cad472e91abb6cec73783

SHA256
dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001

SHA512
4bbbf9b3dcc0426d05b65de22b4f999afc76fc382908016f4871f96d3d5f88b6bddcb93d875160253e4111d8ca4e7db5dc8a05c13f8f5319478c8f1abeac5c22

Download Submit
\Users\Admin\AppData\Local\usnscv.exe

Filesize
780KB

MD5
a548a295a9be7a551c68c55d004e7b80

SHA1
5327b8f9e2ec4028b87cad472e91abb6cec73783

SHA256
dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001

SHA512
4bbbf9b3dcc0426d05b65de22b4f999afc76fc382908016f4871f96d3d5f88b6bddcb93d875160253e4111d8ca4e7db5dc8a05c13f8f5319478c8f1abeac5c22

Download Submit
\Users\Admin\AppData\Local\usnscv.exe

Filesize
780KB

MD5
a548a295a9be7a551c68c55d004e7b80

SHA1
5327b8f9e2ec4028b87cad472e91abb6cec73783

SHA256
dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001

SHA512
4bbbf9b3dcc0426d05b65de22b4f999afc76fc382908016f4871f96d3d5f88b6bddcb93d875160253e4111d8ca4e7db5dc8a05c13f8f5319478c8f1abeac5c22

Download Submit
memory/1004-54-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1568-63-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1568-61-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1568-66-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1568-68-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1568-70-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing