8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4

General

Target

8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe
Size

131KB
MD5

c9db89ba61448837bd75b73f5be395c1
SHA1

2175b61a4dbe404498228ec7b9e53890bf0e0b6b
SHA256

8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4
SHA512

9d7e2259f5eb085e3929a69c4f3907b74c597e26462c7a7becf3ce191890e8f43b30d495a1f66d5028e3a13d07ce2dde0ada8d28cf52ee32026f2efe5e2d3cf4

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe

pid	process
772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe
772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe

description pid process

Token: SeDebugPrivilege 772 8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe

description	pid	process
Token: SeDebugPrivilege	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.execmd.exe

description	pid	process	target process
PID 772 wrote to memory of 3500	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	cmd.exe
PID 772 wrote to memory of 3500	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	cmd.exe
PID 772 wrote to memory of 3500	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	cmd.exe
PID 772 wrote to memory of 2280	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	sihost.exe
PID 3500 wrote to memory of 2744	3500	cmd.exe	reg.exe
PID 3500 wrote to memory of 2744	3500	cmd.exe	reg.exe
PID 3500 wrote to memory of 2744	3500	cmd.exe	reg.exe
PID 772 wrote to memory of 2312	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	svchost.exe
PID 772 wrote to memory of 2432	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	taskhostw.exe
PID 772 wrote to memory of 744	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	svchost.exe
PID 772 wrote to memory of 3252	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	DllHost.exe
PID 772 wrote to memory of 3348	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	StartMenuExperienceHost.exe
PID 772 wrote to memory of 3424	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	RuntimeBroker.exe
PID 772 wrote to memory of 3516	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	SearchApp.exe
PID 772 wrote to memory of 3848	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	RuntimeBroker.exe
PID 772 wrote to memory of 4052	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	RuntimeBroker.exe
PID 772 wrote to memory of 1672	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	backgroundTaskHost.exe
PID 772 wrote to memory of 4880	772	8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe	RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3424

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3348

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:744

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2312

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2280

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4880

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1672

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4052

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3848

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe
"C:\Users\Admin\AppData\Local\Temp\8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe" /f /reg:64
2⤵
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\8442a6a136ea46c9c5815736b4ba8a12e7976a21d75c229198d42b1c7213bfe4.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:2744