0a0debbbfe0c321661a6f911fc895997b512405cb9ba90c41f547dc410733b6b

General

Target

80394175.exe
Size

442KB
MD5

a7032e32c6233da0d2c01dcd041a8b6d
SHA1

3263b8e9740d646b7366095a8554471a603c29c3
SHA256

0a0debbbfe0c321661a6f911fc895997b512405cb9ba90c41f547dc410733b6b
SHA512

d28bec50a5f1c9e4622a3d294767c1f86e5ad9261159e08c929beabeef30fe0c43e71c84841c2121d1570cf21d6cf54888586b0834ea570ed690074c727adccb
SSDEEP

12288:6n/QDrYeyaeh/7l9vWaRZiuv5GI4SESH3yA/:6kYeyaeh/XRZiuv94SliA/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1796	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1504	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	80394175.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1508	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
560	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1928	80394175.exe
1928	80394175.exe
1796	svchost.exe
1796	svchost.exe
1796	svchost.exe
1796	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	80394175.exe
Token: SeDebugPrivilege	1796	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1904	1928	80394175.exe	29
PID 1928 wrote to memory of 1904	1928	80394175.exe	29
PID 1928 wrote to memory of 1904	1928	80394175.exe	29
PID 1928 wrote to memory of 1504	1928	80394175.exe	31
PID 1928 wrote to memory of 1504	1928	80394175.exe	31
PID 1928 wrote to memory of 1504	1928	80394175.exe	31
PID 1904 wrote to memory of 1508	1904	cmd.exe	33
PID 1904 wrote to memory of 1508	1904	cmd.exe	33
PID 1904 wrote to memory of 1508	1904	cmd.exe	33
PID 1504 wrote to memory of 560	1504	cmd.exe	34
PID 1504 wrote to memory of 560	1504	cmd.exe	34
PID 1504 wrote to memory of 560	1504	cmd.exe	34
PID 1504 wrote to memory of 1796	1504	cmd.exe	35
PID 1504 wrote to memory of 1796	1504	cmd.exe	35
PID 1504 wrote to memory of 1796	1504	cmd.exe	35
PID 1796 wrote to memory of 1444	1796	svchost.exe	37
PID 1796 wrote to memory of 1444	1796	svchost.exe	37
PID 1796 wrote to memory of 1444	1796	svchost.exe	37
PID 1796 wrote to memory of 988	1796	svchost.exe	38
PID 1796 wrote to memory of 988	1796	svchost.exe	38
PID 1796 wrote to memory of 988	1796	svchost.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\80394175.exe
"C:\Users\Admin\AppData\Local\Temp\80394175.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1508
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1056.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:560
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1444
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1056.tmp.bat

Filesize
151B

MD5
beb55bd64a67f58d41b9445ae9e79390

SHA1
8d0254d5c1e2e6829c859521d4bda313c25f909a

SHA256
dc07be3283c29f0de6a17949fee5b5c8c846b06eb2c27ab8906a064a7d163c57

SHA512
a1b64b63fdfecd0692e8a5a9f267fd7d7b69f3358caee38190a4cbbdd486e182a0cb39bc33bb0fc071b36e41f593f5385b55a3d72b6163cc22b02cabd3bff076

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1056.tmp.bat

Filesize
151B

MD5
beb55bd64a67f58d41b9445ae9e79390

SHA1
8d0254d5c1e2e6829c859521d4bda313c25f909a

SHA256
dc07be3283c29f0de6a17949fee5b5c8c846b06eb2c27ab8906a064a7d163c57

SHA512
a1b64b63fdfecd0692e8a5a9f267fd7d7b69f3358caee38190a4cbbdd486e182a0cb39bc33bb0fc071b36e41f593f5385b55a3d72b6163cc22b02cabd3bff076

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
442KB

MD5
a7032e32c6233da0d2c01dcd041a8b6d

SHA1
3263b8e9740d646b7366095a8554471a603c29c3

SHA256
0a0debbbfe0c321661a6f911fc895997b512405cb9ba90c41f547dc410733b6b

SHA512
d28bec50a5f1c9e4622a3d294767c1f86e5ad9261159e08c929beabeef30fe0c43e71c84841c2121d1570cf21d6cf54888586b0834ea570ed690074c727adccb

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
442KB

MD5
a7032e32c6233da0d2c01dcd041a8b6d

SHA1
3263b8e9740d646b7366095a8554471a603c29c3

SHA256
0a0debbbfe0c321661a6f911fc895997b512405cb9ba90c41f547dc410733b6b

SHA512
d28bec50a5f1c9e4622a3d294767c1f86e5ad9261159e08c929beabeef30fe0c43e71c84841c2121d1570cf21d6cf54888586b0834ea570ed690074c727adccb

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
442KB

MD5
a7032e32c6233da0d2c01dcd041a8b6d

SHA1
3263b8e9740d646b7366095a8554471a603c29c3

SHA256
0a0debbbfe0c321661a6f911fc895997b512405cb9ba90c41f547dc410733b6b

SHA512
d28bec50a5f1c9e4622a3d294767c1f86e5ad9261159e08c929beabeef30fe0c43e71c84841c2121d1570cf21d6cf54888586b0834ea570ed690074c727adccb

Download Submit
memory/1796-70-0x0000000000EE0000-0x0000000000F52000-memory.dmp

Filesize
456KB

Download
memory/1796-71-0x0000000000A10000-0x0000000000A90000-memory.dmp

Filesize
512KB

Download
memory/1928-54-0x0000000000D20000-0x0000000000D92000-memory.dmp

Filesize
456KB

Download
memory/1928-55-0x0000000000BC0000-0x0000000000C26000-memory.dmp

Filesize
408KB

Download
memory/1928-56-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads