ca5c6e61ca4cbc89d631b7458004c13214b4f65638265448bc7742cc1681e77a

General

Target

2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe
Size

11.8MB
MD5

f5710bcdcf51bf465e39c7cae9de6cb5
SHA1

e0facbe97030a8d9492a5c6250f6b6c7e876fe75
SHA256

ca5c6e61ca4cbc89d631b7458004c13214b4f65638265448bc7742cc1681e77a
SHA512

f63abcf8d6ccd9f7c23e92d088fd11bbf55e3a3e1c57d1bf5b8db39b7f00000809ad5c3c33b17bb1688b4bf870979af05865e0a4e86eb08aefd6d6cb946a3a0a
SSDEEP

98304:x1J/vWGql+sY74O06XIxz5jDV82YGkqB9b41FZWO6Yltm8zQHW:x1J/Nc3wIxz53V82YGkW9cZWnYltpzp

Score

5^/10

ransomware

Malware Config

Signatures

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\setwall.jpg"	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe

Drops file in Windows directory 10 IoCs

Processes:

mspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe

pid process

1900 2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe

description pid process

Token: SeDebugPrivilege 1900 2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe

pid	process
1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe

description	pid	process
Token: SeDebugPrivilege	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe

Suspicious use of SetWindowsHookEx 40 IoCs

Processes:

mspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exe

pid	process
2592	mspaint.exe
2560	mspaint.exe
2972	mspaint.exe
2144	mspaint.exe
2744	mspaint.exe
2312	mspaint.exe
2708	mspaint.exe
2288	mspaint.exe
3036	mspaint.exe
2580	mspaint.exe
2288	mspaint.exe
2744	mspaint.exe
2312	mspaint.exe
3036	mspaint.exe
2580	mspaint.exe
2592	mspaint.exe
2560	mspaint.exe
2144	mspaint.exe
2708	mspaint.exe
2972	mspaint.exe
2288	mspaint.exe
2744	mspaint.exe
2580	mspaint.exe
3036	mspaint.exe
2312	mspaint.exe
2288	mspaint.exe
2744	mspaint.exe
2580	mspaint.exe
3036	mspaint.exe
2312	mspaint.exe
2592	mspaint.exe
2560	mspaint.exe
2592	mspaint.exe
2560	mspaint.exe
2144	mspaint.exe
2708	mspaint.exe
2144	mspaint.exe
2708	mspaint.exe
2972	mspaint.exe
2972	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe

description	pid	process	target process
PID 1900 wrote to memory of 2744	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2744	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2744	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2144	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2144	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2144	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2312	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2312	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2312	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2972	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2972	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2972	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 3036	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 3036	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 3036	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2560	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2560	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2560	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2288	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2288	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2288	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2592	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2592	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2592	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2580	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2580	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2580	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2708	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2708	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2708	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	mspaint.exe
PID 1900 wrote to memory of 2712	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2712	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2712	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2724	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2724	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2724	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2736	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2736	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2736	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2852	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2852	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2852	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2604	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2604	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2604	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2600	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2600	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2600	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2696	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2696	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2696	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2460	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2460	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2460	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2660	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2660	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2660	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2648	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2648	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2648	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	explorer.exe
PID 1900 wrote to memory of 2836	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 1900 wrote to memory of 2836	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 1900 wrote to memory of 2836	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe
PID 1900 wrote to memory of 2684	1900	2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe	control.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_f5710bcdcf51bf465e39c7cae9de6cb5_megazord.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\system32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2744

C:\Windows\system32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Windows\system32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2312

C:\Windows\system32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2972

C:\Windows\system32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3036

C:\Windows\system32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Windows\system32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2288

C:\Windows\system32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2592

C:\Windows\system32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2580

C:\Windows\system32\mspaint.exe
"mspaint.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2708

C:\Windows\explorer.exe
"explorer.exe"
2⤵
PID:2712

C:\Windows\explorer.exe
"explorer.exe"
2⤵
PID:2724

C:\Windows\explorer.exe
"explorer.exe"
2⤵
PID:2736

C:\Windows\explorer.exe
"explorer.exe"
2⤵
PID:2852

C:\Windows\explorer.exe
"explorer.exe"
2⤵
PID:2604

C:\Windows\explorer.exe
"explorer.exe"
2⤵
PID:2600

C:\Windows\explorer.exe
"explorer.exe"
2⤵
PID:2696

C:\Windows\explorer.exe
"explorer.exe"
2⤵
PID:2460

C:\Windows\explorer.exe
"explorer.exe"
2⤵
PID:2660

C:\Windows\explorer.exe
"explorer.exe"
2⤵
PID:2648

C:\Windows\system32\control.exe
"control.exe"
2⤵
PID:2836

C:\Windows\system32\control.exe
"control.exe"
2⤵
PID:2684

C:\Windows\system32\control.exe
"control.exe"
2⤵
PID:2612

C:\Windows\system32\control.exe
"control.exe"
2⤵
PID:2488

C:\Windows\system32\control.exe
"control.exe"
2⤵
PID:2652

C:\Windows\system32\control.exe
"control.exe"
2⤵
PID:2640

C:\Windows\system32\control.exe
"control.exe"
2⤵
PID:2680

C:\Windows\system32\control.exe
"control.exe"
2⤵
PID:2932

C:\Windows\system32\control.exe
"control.exe"
2⤵
PID:2588

C:\Windows\system32\control.exe
"control.exe"
2⤵
PID:2616

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1900 -s 708
2⤵
PID:2496

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:768

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1900-0-0x0000000140247000-0x0000000140249000-memory.dmp

Filesize
8KB

Download
memory/1900-11-0x0000000140247000-0x0000000140249000-memory.dmp

Filesize
8KB

Download
memory/2144-10-0x000007FEF65C0000-0x000007FEF660C000-memory.dmp

Filesize
304KB

Download
memory/2288-2-0x000007FEF65C0000-0x000007FEF660C000-memory.dmp

Filesize
304KB

Download
memory/2312-3-0x000007FEF65C0000-0x000007FEF660C000-memory.dmp

Filesize
304KB

Download
memory/2560-8-0x000007FEF65C0000-0x000007FEF660C000-memory.dmp

Filesize
304KB

Download
memory/2580-9-0x000007FEF65C0000-0x000007FEF660C000-memory.dmp

Filesize
304KB

Download
memory/2592-7-0x000007FEF65C0000-0x000007FEF660C000-memory.dmp

Filesize
304KB

Download
memory/2708-6-0x000007FEF65C0000-0x000007FEF660C000-memory.dmp

Filesize
304KB

Download
memory/2744-1-0x000007FEF65C0000-0x000007FEF660C000-memory.dmp

Filesize
304KB

Download
memory/2972-5-0x000007FEF65C0000-0x000007FEF660C000-memory.dmp

Filesize
304KB

Download
memory/3036-4-0x000007FEF65C0000-0x000007FEF660C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads