5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71

General

Target

5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe
Size

150KB
MD5

f763a2291bcb03be0e64bb3cd34b8424
SHA1

ce182b871f86dd2a54143288c559e9baa3e16b5c
SHA256

5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71
SHA512

77850884db6a62e04f7eb0857ce16eefbe94dddd1451a8ad53a9a4bd3333e29aa1cb65e61550ab5517038fde928803246b8185b853cf1f62c462c55eaf71f647

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe

pid	process
4596	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe
4596	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe

description pid process

Token: SeDebugPrivilege 4596 5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe

description	pid	process
Token: SeDebugPrivilege	4596	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.execmd.exe

description	pid	process	target process
PID 4596 wrote to memory of 4780	4596	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe	cmd.exe
PID 4596 wrote to memory of 4780	4596	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe	cmd.exe
PID 4596 wrote to memory of 2340	4596	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe	sihost.exe
PID 4780 wrote to memory of 3292	4780	cmd.exe	reg.exe
PID 4780 wrote to memory of 3292	4780	cmd.exe	reg.exe
PID 4596 wrote to memory of 2356	4596	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe	svchost.exe
PID 4596 wrote to memory of 2472	4596	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe	taskhostw.exe
PID 4596 wrote to memory of 808	4596	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe	svchost.exe
PID 4596 wrote to memory of 3276	4596	5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe	DllHost.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2356

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:808

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe
"C:\Users\Admin\AppData\Local\Temp\5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5cafcad96e19beddbb93716bdcf3b79cc83919bf556c7698dc5be2d0ed68cf71.exe" /f
3⤵
PID:3292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2340-130-0x00007FF7E4C50000-0x00007FF7E4FD9000-memory.dmp

Filesize
3.5MB

Download
memory/2356-131-0x00007FF7E4C50000-0x00007FF7E4FD9000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads