7zS850A099E.zip

General

Target: 7zS850A099E/61e7502f007f3_Tue23d6fecf8c.exe
Filesize: 116KB
Completed: 19-01-2022 08:14
Score: 10/10
MD5: b8ecec542a07067a193637269973c2e8
SHA1: 97178479fd0fc608d6c0fbf243a0bb136d7b0ecb
SHA256: fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e

Malware Config
Signatures 7


Tactics: Defense Evasion, Discovery
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Downloads MZ/PE file
  • Executes dropped EXE
    1630.tmp.exe, 2871.tmp.exe

    Reported IOCs

    pid   process
    2796  1630.tmp.exe
    3600  2871.tmp.exe
  • Checks computer location settings
    61e7502f007f3_Tue23d6fecf8c.exe

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description        ioc                                                                                                 process
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  61e7502f007f3_Tue23d6fecf8c.exe
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious use of WriteProcessMemory
    61e7502f007f3_Tue23d6fecf8c.exe

    Reported IOCs

    description                        pid   process                          target process
    PID 4072 wrote to memory of 2796   4072  61e7502f007f3_Tue23d6fecf8c.exe  1630.tmp.exe
    PID 4072 wrote to memory of 2796   4072  61e7502f007f3_Tue23d6fecf8c.exe  1630.tmp.exe
    PID 4072 wrote to memory of 2796   4072  61e7502f007f3_Tue23d6fecf8c.exe  1630.tmp.exe
    PID 4072 wrote to memory of 3600   4072  61e7502f007f3_Tue23d6fecf8c.exe  2871.tmp.exe
    PID 4072 wrote to memory of 3600   4072  61e7502f007f3_Tue23d6fecf8c.exe  2871.tmp.exe
    PID 4072 wrote to memory of 3600   4072  61e7502f007f3_Tue23d6fecf8c.exe  2871.tmp.exe
    PID 4072 wrote to memory of 1584   4072  61e7502f007f3_Tue23d6fecf8c.exe  cmd.exe
    PID 4072 wrote to memory of 1584   4072  61e7502f007f3_Tue23d6fecf8c.exe  cmd.exe
    PID 4072 wrote to memory of 1584   4072  61e7502f007f3_Tue23d6fecf8c.exe  cmd.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe"
    Checks computer location settings
    Suspicious use of WriteProcessMemory
    PID:4072
    • C:\Users\Admin\AppData\Roaming\1630.tmp.exe
      "C:\Users\Admin\AppData\Roaming\1630.tmp.exe"
      Executes dropped EXE
      PID:2796
    • C:\Users\Admin\AppData\Roaming\2871.tmp.exe
      "C:\Users\Admin\AppData\Roaming\2871.tmp.exe"
      Executes dropped EXE
      PID:3600
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e7502f007f3_Tue23d6fecf8c.exe" >> NUL
      PID:1584
Network
MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Defense Evasion | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Roaming\1630.tmp.exe
    MD5: 446119332738133d3ecd2d00ebe5d0ec
    SHA1: 83c4c026ac8bffb9287a5b9ade2e93d4dcc50709
    SHA256: 5718e48ba5305adeea0390ca7cce071cc86f2c3d03560842f9067aad3d92193f
    SHA512: d185fcd61861020ed6385650d4bbaeac9c6f4eba6e79164dce65cb96e4cac6360d9a49444fa0a4c1c01e5579eff495f82712d9b1e73d6d5f35a3459ac038600f

  • C:\Users\Admin\AppData\Roaming\2871.tmp.exe
    MD5: 4d75dea49f6bd60f725fae9c28cd0960
    SHA1: 39875c55b440554253b32d581e1c1e01bd50eb90
    SHA256: f780f1b37685e902aa4910e5a6d62c7a209f002f88c83598b30ca804f5f4e1f0
    SHA512: fda61a9cc6a78b6949d4d959b090e84e09f1d41d0b63daa843e28a0666e6989adf25130787f91f5d9e0a3c37ed4bb0ba7b98ed54ac4a0236176124ba0baf9ce5

  • memory/3600-134-0x00000000008A0000-0x00000000008CF000-memory.dmp