094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c

General

Target

094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe
Size

170KB
MD5

00f926cd4948652e3a80c3994e4ec8be
SHA1

61bf4f8d8f9826b70bf730d4f84a584ee199325f
SHA256

094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c
SHA512

d53edde17520f1512aa84dc1bf9d93c456c9cd037edb69c7f34dbbb4d9cad6a952b3a883c518ae70959b7285c930bd7b96b4939156e3e996ce2fad1a8d3fb51b

Score

7^/10

persistence

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe

pid	process
1840	094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe
1840	094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe

description pid process

Token: SeDebugPrivilege 1840 094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe

description	pid	process
Token: SeDebugPrivilege	1840	094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.execmd.exe

description	pid	process	target process
PID 1840 wrote to memory of 2740	1840	094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe	cmd.exe
PID 1840 wrote to memory of 2740	1840	094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe	cmd.exe
PID 1840 wrote to memory of 2280	1840	094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe	sihost.exe
PID 2740 wrote to memory of 3336	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 3336	2740	cmd.exe	reg.exe
PID 1840 wrote to memory of 2336	1840	094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe	svchost.exe
PID 1840 wrote to memory of 2460	1840	094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe	taskhostw.exe
PID 1840 wrote to memory of 508	1840	094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe	svchost.exe
PID 1840 wrote to memory of 3272	1840	094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe	DllHost.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2460

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\094e91e2ae1cdd89fe7aaf9053e042cabcdb6eaf27789dd331802c08ae29fd1c.exe" /f
3⤵
- Adds Run key to start application
PID:3336