155861db5cd0ff2110fbf198d8c969b9577f74024eee5e4a62d47bf1c3958b1a

General

Target

Setup_x32_x64.exe
Size

2.6MB
MD5

752b5d56168b131d484cc84222f26104
SHA1

f6adc3b4edc27649dc1d9e3dca9dd2bdfc5e6109
SHA256

155861db5cd0ff2110fbf198d8c969b9577f74024eee5e4a62d47bf1c3958b1a
SHA512

c904f69627b6e0d0a933970a1d43552843f1616b2a23f8b018f91e4ec7c0dd78d02db43e3a9406e97863595de07d8e4c8f6e42492b870655e49f7802533de5a5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Proxypub.exeFolder.exeLightCleaner532427.exe

pid process

1468 Proxypub.exe
2520 Folder.exe
3392 LightCleaner532427.exe

pid	process
1468	Proxypub.exe
2520	Folder.exe
3392	LightCleaner532427.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup_x32_x64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Setup_x32_x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Setup_x32_x64.exe

description	pid	process	target process
PID 4128 wrote to memory of 1468	4128	Setup_x32_x64.exe	Proxypub.exe
PID 4128 wrote to memory of 1468	4128	Setup_x32_x64.exe	Proxypub.exe
PID 4128 wrote to memory of 1468	4128	Setup_x32_x64.exe	Proxypub.exe
PID 4128 wrote to memory of 4824	4128	Setup_x32_x64.exe	msedge.exe
PID 4128 wrote to memory of 4824	4128	Setup_x32_x64.exe	msedge.exe
PID 4128 wrote to memory of 2520	4128	Setup_x32_x64.exe	Folder.exe
PID 4128 wrote to memory of 2520	4128	Setup_x32_x64.exe	Folder.exe
PID 4128 wrote to memory of 2520	4128	Setup_x32_x64.exe	Folder.exe
PID 4128 wrote to memory of 3392	4128	Setup_x32_x64.exe	LightCleaner532427.exe
PID 4128 wrote to memory of 3392	4128	Setup_x32_x64.exe	LightCleaner532427.exe
PID 4128 wrote to memory of 3392	4128	Setup_x32_x64.exe	LightCleaner532427.exe
PID 4128 wrote to memory of 1668	4128	Setup_x32_x64.exe	Pinstall.exe
PID 4128 wrote to memory of 1668	4128	Setup_x32_x64.exe	Pinstall.exe
PID 4128 wrote to memory of 1668	4128	Setup_x32_x64.exe	Pinstall.exe

C:\Users\Admin\AppData\Local\Temp\Setup_x32_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_x32_x64.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\Proxypub.exe
  "C:\Users\Admin\AppData\Local\Temp\Proxypub.exe"
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Btnm7
  2⤵
  PID:4824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff3a6946f8,0x7fff3a694708,0x7fff3a694718
    3⤵
    PID:4576
- C:\Users\Admin\AppData\Local\Temp\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Users\Admin\AppData\Local\Temp\LightCleaner532427.exe
  "C:\Users\Admin\AppData\Local\Temp\LightCleaner532427.exe"
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Users\Admin\AppData\Local\Temp\Pinstall.exe
  "C:\Users\Admin\AppData\Local\Temp\Pinstall.exe"
  2⤵
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\Installation.exe
  "C:\Users\Admin\AppData\Local\Temp\Installation.exe"
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Crmg7
  2⤵
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff3a6946f8,0x7fff3a694708,0x7fff3a694718
1⤵
PID:4296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Folder.exe

MD5
3270df88da3ec170b09ab9a96b6febaf

SHA1
12fbdae8883b0afa6a9bdcfceafc76a76fd9ee0d

SHA256
141fe5acd7e2f8c36ede3817b9ab4a9e7b6a2ec9ce7d6328e60eb718694f1d22

SHA512
eed53f01e4c90620ca7819721f960393a5441280cb3b01911cf36c0337199bedc97d34140fc56816923132a709cdac57b3b6d061a6a3a3ec8e078255c40a1291

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe

MD5
3270df88da3ec170b09ab9a96b6febaf

SHA1
12fbdae8883b0afa6a9bdcfceafc76a76fd9ee0d

SHA256
141fe5acd7e2f8c36ede3817b9ab4a9e7b6a2ec9ce7d6328e60eb718694f1d22

SHA512
eed53f01e4c90620ca7819721f960393a5441280cb3b01911cf36c0337199bedc97d34140fc56816923132a709cdac57b3b6d061a6a3a3ec8e078255c40a1291

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

MD5
37b024569e7dc9228afef2f458eec152

SHA1
ca5a9762ea2ce737f89186682d5035cfd621ecd1

SHA256
52b5b11c6ea0e3444ba004b8cc826fbcdb9ec1d3844ac988867e5d506cf4ffe1

SHA512
2ad1b345a8b4b1edd5d82265cf6b83eb43e79f2b3744ce459856ab1b605f77eb966b2d4e55ea479823c8af8329af810a7f0a802e99e3eb6f12260a3f4a5aeeee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation.exe

MD5
788a85c0e0c8d794f05c2d92722d62db

SHA1
031d938cfbe9e001fc51e9ceadd27082fbe52c01

SHA256
18a52a5843ab328b05707f062ea8514ccabbc0152cc6bb9ee905c8cf563f0852

SHA512
f8cf410e0b9a59b0224c247ccdaec02118cd06bc16dcbff4418afb7ade80013c2f2c8b11d544b65474e28bc3d5aca5c4e06289b5d57e4fcdf80b7d46fd2f352f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LightCleaner532427.exe

MD5
4b7cce098b99d61b316e705596731d65

SHA1
6001d33d293c5140c5f6fecd6b6fc0dad9afd7d6

SHA256
9ebdc99536a89c87e9412b00c7aa67ce9cb26b63be79f8cadc95be3fcd553742

SHA512
99bf36b7c8f2ac728b57cb9e38b2ca7f7b5200497b5525f752f9b68c46aa53aa5979f484f1dfed78173472be07f354bb148eb47eee95e0d2a42bf68321cda1bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pinstall.exe

MD5
f7dc41f0907f347a5e2f763edcf1d325

SHA1
268db92b5287c8d1c3178862e75be82147893c5b

SHA256
85388dc07a919a5df05aae4cf9f444baf326c24aa3a5a51d248a54af4519ae17

SHA512
25d057e80364cc8cf4c006188c73c547863c9d50911fcaf710d5e36c6367fb13b19e11cc7237fbb1521bdd1a272606678da1b3ad8f624e5c566ffbb427cad7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proxypub.exe

MD5
18e7107ee52b58980736a05489ae959a

SHA1
a9cbf31406dc03466b3d269301e8a9dd7dc36b01

SHA256
c725d66b9dfb2f9950b605ff2c03f207ed2d2c50af8e53879af1161073f90463

SHA512
989caeb6bdc1d6947a90d054f84a8721fce45438070188ccb20560e1b1c06b528e90861acc718dd5351bd8216ced4cd6e48ff03126533a8705e1676f0b1dd033

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proxypub.exe

MD5
18e7107ee52b58980736a05489ae959a

SHA1
a9cbf31406dc03466b3d269301e8a9dd7dc36b01

SHA256
c725d66b9dfb2f9950b605ff2c03f207ed2d2c50af8e53879af1161073f90463

SHA512
989caeb6bdc1d6947a90d054f84a8721fce45438070188ccb20560e1b1c06b528e90861acc718dd5351bd8216ced4cd6e48ff03126533a8705e1676f0b1dd033

Download Submit

Analysis

Sharing