8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4

General

Target

8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe
Size

131KB
MD5

c9db89ba61448837bd75b73f5be395c1
SHA1

2175b61a4dbe404498228ec7b9e53890bf0e0b6b
SHA256

8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4
SHA512

9d7e2259f5eb085e3929a69c4f3907b74c597e26462c7a7becf3ce191890e8f43b30d495a1f66d5028e3a13d07ce2dde0ada8d28cf52ee32026f2efe5e2d3cf4

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe
772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 3500	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	83
PID 772 wrote to memory of 3500	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	83
PID 772 wrote to memory of 3500	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	83
PID 772 wrote to memory of 2280	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	34
PID 3500 wrote to memory of 2744	3500	cmd.exe	85
PID 3500 wrote to memory of 2744	3500	cmd.exe	85
PID 3500 wrote to memory of 2744	3500	cmd.exe	85
PID 772 wrote to memory of 2312	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	33
PID 772 wrote to memory of 2432	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	32
PID 772 wrote to memory of 744	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	22
PID 772 wrote to memory of 3252	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	21
PID 772 wrote to memory of 3348	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	20
PID 772 wrote to memory of 3424	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	19
PID 772 wrote to memory of 3516	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	80
PID 772 wrote to memory of 3848	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	79
PID 772 wrote to memory of 4052	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	76
PID 772 wrote to memory of 1672	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	71
PID 772 wrote to memory of 4880	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	70

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3424

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3348

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:744

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2312

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2280

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4880

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1672

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4052

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3848

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe
"C:\Users\Admin\AppData\Local\Temp\8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe" /f /reg:64
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:2744