73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b

General

Target

73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
Size

202KB
MD5

c49c19e172c2c6f8390bd26258557b18
SHA1

641d8da9c08060b04fc63b07c61e1c891d5d393a
SHA256

73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b
SHA512

a66789da1fd31f46f04937ed507662ec0bf68c13f27f1cb0a63ddcc977f33073f3769abdcb4206651781f0e2151c93d7155358367dd1a43d4216200968e220bc

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

KuMihCH.exe

pid process

4204 KuMihCH.exe

pid	process
4204	KuMihCH.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe

pid	process
2700	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
2700	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
2700	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
2700	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe

description pid process

Token: SeDebugPrivilege 2700 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe

description	pid	process
Token: SeDebugPrivilege	2700	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exenet.exenet.exe

description	pid	process	target process
PID 2700 wrote to memory of 4204	2700	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	KuMihCH.exe
PID 2700 wrote to memory of 4204	2700	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	KuMihCH.exe
PID 2700 wrote to memory of 2396	2700	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	sihost.exe
PID 2700 wrote to memory of 3816	2700	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	net.exe
PID 2700 wrote to memory of 3816	2700	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	net.exe
PID 2700 wrote to memory of 1608	2700	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	net.exe
PID 2700 wrote to memory of 1608	2700	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	net.exe
PID 3816 wrote to memory of 1320	3816	net.exe	net1.exe
PID 3816 wrote to memory of 1320	3816	net.exe	net1.exe
PID 2700 wrote to memory of 2424	2700	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	svchost.exe
PID 1608 wrote to memory of 2364	1608	net.exe	net1.exe
PID 1608 wrote to memory of 2364	1608	net.exe	net1.exe
PID 2700 wrote to memory of 2508	2700	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	taskhostw.exe
PID 2700 wrote to memory of 3104	2700	73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe	svchost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3104

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2508

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
"C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\KuMihCH.exe
"C:\Users\Admin\AppData\Local\Temp\KuMihCH.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:4204

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1320

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KuMihCH.exe
MD5
c49c19e172c2c6f8390bd26258557b18

SHA1
641d8da9c08060b04fc63b07c61e1c891d5d393a

SHA256
73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b

SHA512
a66789da1fd31f46f04937ed507662ec0bf68c13f27f1cb0a63ddcc977f33073f3769abdcb4206651781f0e2151c93d7155358367dd1a43d4216200968e220bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KuMihCH.exe
MD5
c49c19e172c2c6f8390bd26258557b18

SHA1
641d8da9c08060b04fc63b07c61e1c891d5d393a

SHA256
73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b

SHA512
a66789da1fd31f46f04937ed507662ec0bf68c13f27f1cb0a63ddcc977f33073f3769abdcb4206651781f0e2151c93d7155358367dd1a43d4216200968e220bc

Download Submit
memory/2396-132-0x00007FF6C62E0000-0x00007FF6C6455000-memory.dmp

Filesize
1.5MB

Download
memory/2424-133-0x00007FF6C62E0000-0x00007FF6C6455000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads