f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137

General

Target

f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137.exe
Size

170KB
MD5

59b2dcab18d7209f127b8d06dc721290
SHA1

ff5cba050041cb1e4458ca786fd116416fe30c7a
SHA256

f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137
SHA512

40274c1d782d0abad5942a6ad4a2bfdeda33227570fe906851a01d2136f08e8e544d8592033352414ba18defb995269b39b758e5c9f700fe61b2cb82f1b0f49f

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3132	f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137.exe
3132	f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3132	f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 2004	3132	f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137.exe	85
PID 3132 wrote to memory of 2004	3132	f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137.exe	85
PID 3132 wrote to memory of 2344	3132	f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137.exe	19
PID 2004 wrote to memory of 1600	2004	cmd.exe	87
PID 2004 wrote to memory of 1600	2004	cmd.exe	87
PID 3132 wrote to memory of 2372	3132	f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137.exe	56
PID 3132 wrote to memory of 2468	3132	f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137.exe	55
PID 3132 wrote to memory of 1148	3132	f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137.exe	22
PID 3132 wrote to memory of 3248	3132	f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137.exe	23

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:1148

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3248

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137.exe
"C:\Users\Admin\AppData\Local\Temp\f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f14c1098c7da73aa58e4476add20c1d554bfa127b03af18f4da4f6259dd30137.exe" /f
    3⤵
    PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2344-133-0x00007FF715CF0000-0x00007FF71607E000-memory.dmp

Filesize
3.6MB

Download
memory/2372-134-0x00007FF715CF0000-0x00007FF71607E000-memory.dmp

Filesize
3.6MB

Download
memory/2468-135-0x00007FF715CF0000-0x00007FF71607E000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing