d4422c4f4a26aecad6e754dd172278305bacfa7d5ff285f6a74ed6c610307d59

General

Target

d4422c4f4a26aecad6e754dd172278305bacfa7d5ff285f6a74ed6c610307d59.exe
Size

147KB
MD5

ef372e7d0490bce48f6c11fe9f6c96c2
SHA1

7ad646e6654e982d10c0bd6d9941476064800ebe
SHA256

d4422c4f4a26aecad6e754dd172278305bacfa7d5ff285f6a74ed6c610307d59
SHA512

a9b0b45ddd4089b73897592162c947f6e8e1dbce5ee5548294b3dde7f2b06aa23c8fb10be947282514fdacdc1eabdc252ef7c24c11f5b3d87212c35f49212f36

Score

7^/10

persistence

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	d4422c4f4a26aecad6e754dd172278305bacfa7d5ff285f6a74ed6c610307d59.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d4422c4f4a26aecad6e754dd172278305bacfa7d5ff285f6a74ed6c610307d59.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1712	d4422c4f4a26aecad6e754dd172278305bacfa7d5ff285f6a74ed6c610307d59.exe
1712	d4422c4f4a26aecad6e754dd172278305bacfa7d5ff285f6a74ed6c610307d59.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	d4422c4f4a26aecad6e754dd172278305bacfa7d5ff285f6a74ed6c610307d59.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 4860	1712	d4422c4f4a26aecad6e754dd172278305bacfa7d5ff285f6a74ed6c610307d59.exe	83
PID 1712 wrote to memory of 4860	1712	d4422c4f4a26aecad6e754dd172278305bacfa7d5ff285f6a74ed6c610307d59.exe	83
PID 1712 wrote to memory of 2432	1712	d4422c4f4a26aecad6e754dd172278305bacfa7d5ff285f6a74ed6c610307d59.exe	52
PID 4860 wrote to memory of 4180	4860	cmd.exe	85
PID 4860 wrote to memory of 4180	4860	cmd.exe	85
PID 1712 wrote to memory of 2444	1712	d4422c4f4a26aecad6e754dd172278305bacfa7d5ff285f6a74ed6c610307d59.exe	51
PID 1712 wrote to memory of 2592	1712	d4422c4f4a26aecad6e754dd172278305bacfa7d5ff285f6a74ed6c610307d59.exe	48
PID 1712 wrote to memory of 3104	1712	d4422c4f4a26aecad6e754dd172278305bacfa7d5ff285f6a74ed6c610307d59.exe	42
PID 1712 wrote to memory of 3304	1712	d4422c4f4a26aecad6e754dd172278305bacfa7d5ff285f6a74ed6c610307d59.exe	41

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3104

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2444