18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1

General

Target

18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
Size

200KB
MD5

c8325c660ea72a8eb5281898f7a87f34
SHA1

dd318ffdd4b1081733dccf95cddb4e000814e005
SHA256

18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1
SHA512

835ae5c5740c8a17973cb0e4265bd93925f59abdacdeb17b9d9eb53a3776c48ed7cfc0f5c044f9adf61be4d86f40059c6bca755faf3e9716bd46dc9dab6f328c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1280	YvrCxCd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	YvrCxCd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
1280	YvrCxCd.exe
1280	YvrCxCd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
Token: SeBackupPrivilege	1280	YvrCxCd.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 1280	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	84
PID 2460 wrote to memory of 1280	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	84
PID 2460 wrote to memory of 2344	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	50
PID 2460 wrote to memory of 484	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	85
PID 2460 wrote to memory of 484	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	85
PID 2460 wrote to memory of 2372	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	49
PID 2460 wrote to memory of 2216	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	88
PID 2460 wrote to memory of 2216	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	88
PID 484 wrote to memory of 3588	484	net.exe	90
PID 484 wrote to memory of 3588	484	net.exe	90
PID 2216 wrote to memory of 2324	2216	net.exe	92
PID 2216 wrote to memory of 2324	2216	net.exe	92
PID 2460 wrote to memory of 2468	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	48
PID 2460 wrote to memory of 1148	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	38
PID 1280 wrote to memory of 3584	1280	YvrCxCd.exe	93
PID 1280 wrote to memory of 3584	1280	YvrCxCd.exe	93
PID 3584 wrote to memory of 1576	3584	net.exe	95
PID 3584 wrote to memory of 1576	3584	net.exe	95
PID 1280 wrote to memory of 3024	1280	YvrCxCd.exe	96
PID 1280 wrote to memory of 3024	1280	YvrCxCd.exe	96
PID 3024 wrote to memory of 1116	3024	net.exe	98
PID 3024 wrote to memory of 1116	3024	net.exe	98
PID 2460 wrote to memory of 3248	2460	18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe	37

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:1148

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2372

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe
"C:\Users\Admin\AppData\Local\Temp\18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\YvrCxCd.exe
  "C:\Users\Admin\AppData\Local\Temp\YvrCxCd.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:1576
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:1116
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3588
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2344-135-0x00007FF7A0AB0000-0x00007FF7A0D89000-memory.dmp

Filesize
2.8MB

Download
memory/2372-136-0x00007FF7A0AB0000-0x00007FF7A0D89000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing