18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1

General

Target

18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
Size

200KB
MD5

c8325c660ea72a8eb5281898f7a87f34
SHA1

dd318ffdd4b1081733dccf95cddb4e000814e005
SHA256

18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1
SHA512

835ae5c5740c8a17973cb0e4265bd93925f59abdacdeb17b9d9eb53a3776c48ed7cfc0f5c044f9adf61be4d86f40059c6bca755faf3e9716bd46dc9dab6f328c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

YvrCxCd.exe

pid process

1280 YvrCxCd.exe

pid	process
1280	YvrCxCd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exeYvrCxCd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	YvrCxCd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exeYvrCxCd.exe

pid	process
2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
1280	YvrCxCd.exe
1280	YvrCxCd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exeYvrCxCd.exe

description	pid	process
Token: SeDebugPrivilege	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
Token: SeBackupPrivilege	1280	YvrCxCd.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exenet.exenet.exeYvrCxCd.exenet.exenet.exe

description	pid	process	target process
PID 2460 wrote to memory of 1280	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	YvrCxCd.exe
PID 2460 wrote to memory of 1280	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	YvrCxCd.exe
PID 2460 wrote to memory of 2344	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	sihost.exe
PID 2460 wrote to memory of 484	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	net.exe
PID 2460 wrote to memory of 484	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	net.exe
PID 2460 wrote to memory of 2372	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	svchost.exe
PID 2460 wrote to memory of 2216	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	net.exe
PID 2460 wrote to memory of 2216	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	net.exe
PID 484 wrote to memory of 3588	484	net.exe	net1.exe
PID 484 wrote to memory of 3588	484	net.exe	net1.exe
PID 2216 wrote to memory of 2324	2216	net.exe	net1.exe
PID 2216 wrote to memory of 2324	2216	net.exe	net1.exe
PID 2460 wrote to memory of 2468	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	taskhostw.exe
PID 2460 wrote to memory of 1148	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	svchost.exe
PID 1280 wrote to memory of 3584	1280	YvrCxCd.exe	net.exe
PID 1280 wrote to memory of 3584	1280	YvrCxCd.exe	net.exe
PID 3584 wrote to memory of 1576	3584	net.exe	net1.exe
PID 3584 wrote to memory of 1576	3584	net.exe	net1.exe
PID 1280 wrote to memory of 3024	1280	YvrCxCd.exe	net.exe
PID 1280 wrote to memory of 3024	1280	YvrCxCd.exe	net.exe
PID 3024 wrote to memory of 1116	3024	net.exe	net1.exe
PID 3024 wrote to memory of 1116	3024	net.exe	net1.exe
PID 2460 wrote to memory of 3248	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	DllHost.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:1148

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2372

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
"C:\Users\Admin\AppData\Local\Temp\18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460

C:\Users\Admin\AppData\Local\Temp\YvrCxCd.exe
"C:\Users\Admin\AppData\Local\Temp\YvrCxCd.exe" 8 LAN
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
4⤵
PID:1576

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1116

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3588

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YvrCxCd.exe
MD5
c8325c660ea72a8eb5281898f7a87f34

SHA1
dd318ffdd4b1081733dccf95cddb4e000814e005

SHA256
18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1

SHA512
835ae5c5740c8a17973cb0e4265bd93925f59abdacdeb17b9d9eb53a3776c48ed7cfc0f5c044f9adf61be4d86f40059c6bca755faf3e9716bd46dc9dab6f328c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YvrCxCd.exe
MD5
c8325c660ea72a8eb5281898f7a87f34

SHA1
dd318ffdd4b1081733dccf95cddb4e000814e005

SHA256
18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1

SHA512
835ae5c5740c8a17973cb0e4265bd93925f59abdacdeb17b9d9eb53a3776c48ed7cfc0f5c044f9adf61be4d86f40059c6bca755faf3e9716bd46dc9dab6f328c

Download Submit
memory/2344-135-0x00007FF7A0AB0000-0x00007FF7A0D89000-memory.dmp

Filesize
2.8MB

Download
memory/2372-136-0x00007FF7A0AB0000-0x00007FF7A0D89000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads