aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc

General

Target

aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
Size

6.9MB
MD5

fc3fdd248bbcbe7b8a8729ae95817e13
SHA1

ce9bb8d76b572c7d782735027177ed608ce3be76
SHA256

aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc
SHA512

c639d19327b2bc11d16c8b57b4eb3a9b47d6fd5e99d36aad2b5feb5080fe76abcbae064a9150024ff19dfb1169f59be6b650524cec8219759a3cf6aa74f19dff
SSDEEP

49152:bxJhuIXD4WLRib3WznrOqlcqrOb2TbZi3Z1XoBxsIkIT6geaxQKKgrH5pPV80X0e:wg48cb3WzrOqGqrOSg3r8VOVY

Score

7^/10

bootkit persistence ransomware upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ExtraDll.dll	acprotect

Executes dropped EXE 1 IoCs

Processes:

tis.exe

pid process

3044 tis.exe

pid	process
3044	tis.exe

Loads dropped DLL 2 IoCs

Processes:

aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe

pid	process
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ExtraDll.dll	upx
behavioral1/memory/2880-4-0x0000000074950000-0x000000007498C000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe

description ioc process

File opened for modification \??\physicaldrive0 aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe

description	ioc	process
File opened for modification	\??\physicaldrive0	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\1.bmp"	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2872 taskkill.exe

pid	process
2872	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallpaperStyle = "2"	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\TileWallpaper = "2"	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe

pid	process
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2872 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2872	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exetis.exe

pid	process
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
3044	tis.exe
3044	tis.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe

description	pid	process	target process
PID 2880 wrote to memory of 3044	2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe	tis.exe
PID 2880 wrote to memory of 3044	2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe	tis.exe
PID 2880 wrote to memory of 3044	2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe	tis.exe
PID 2880 wrote to memory of 3044	2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe	tis.exe
PID 2880 wrote to memory of 2872	2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe	taskkill.exe
PID 2880 wrote to memory of 2872	2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe	taskkill.exe
PID 2880 wrote to memory of 2872	2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe	taskkill.exe
PID 2880 wrote to memory of 2872	2880	aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe
"C:\Users\Admin\AppData\Local\Temp\aaa2c54f8119f9a24706ebacf1e95fa4d9c9aa969b88235415bba1ff16bc15cc.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880

C:\ProgramData\tis.exe
C:\ProgramData\tis.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 360tray.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2872

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\tis.exe
Filesize
740KB

MD5
51328aefed339a48f9a558c768143ae1

SHA1
55efd99cfec7185f1edd782924bbfd4cae6af66d

SHA256
d70504d82dc0576174ff55b9c29f313409e2e6b208453eb38e83fc2b0ede9d70

SHA512
386f88eeb0c5dbd0df19b0d46d14d56b7e38523388eaee9a3509b7d735cb9e17f5202c1b47c272fa2644ea03d14d88d3319d42151b475c8de3d3d199acb0c349

Download Submit
\Users\Admin\AppData\Local\Temp\ExtraDll.dll
Filesize
97KB

MD5
c35425ad1f0c32225d307310deccc335

SHA1
b2e347b244e40ffa113dffaffd1895777e3ac30a

SHA256
48773d597155dc39dd172c26867972da89dd61fcee0d138433eda26a2d8633b7

SHA512
47b6a7447fcc4f9f21018f608fcbdb5650f16cbd869cae5d4ed5d9b88ca1e944de1cac10e9a252aa7b210f1a31456c0ed91728b8a7e24def99d7e3f9683e2bae

Download Submit
memory/2880-4-0x0000000074950000-0x000000007498C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads