32bf6396ba19b940a778f7ab4f62dd79ac1ddbf65524f9c11631b0f7690af0bc

General

Target

c5097f98c49b1a92ae0cb6171a63b42d.exe
Size

1.7MB
MD5

c5097f98c49b1a92ae0cb6171a63b42d
SHA1

88f2248464b44c0916e504a2bceee893445cc018
SHA256

32bf6396ba19b940a778f7ab4f62dd79ac1ddbf65524f9c11631b0f7690af0bc
SHA512

49fad1ea39107ba36b7940b82d5f54e02c87f45ddecdbdf1f70bd27d804086fa168b0b429b92e53529feb1db08dd1f27510898d3ca29f69fb831ffbcb13cc19a

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4044	Componenthost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	c5097f98c49b1a92ae0cb6171a63b42d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	c5097f98c49b1a92ae0cb6171a63b42d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4044	Componenthost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 432	3576	c5097f98c49b1a92ae0cb6171a63b42d.exe	85
PID 3576 wrote to memory of 432	3576	c5097f98c49b1a92ae0cb6171a63b42d.exe	85
PID 3576 wrote to memory of 432	3576	c5097f98c49b1a92ae0cb6171a63b42d.exe	85
PID 432 wrote to memory of 2628	432	WScript.exe	86
PID 432 wrote to memory of 2628	432	WScript.exe	86
PID 432 wrote to memory of 2628	432	WScript.exe	86
PID 2628 wrote to memory of 4044	2628	cmd.exe	90
PID 2628 wrote to memory of 4044	2628	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\c5097f98c49b1a92ae0cb6171a63b42d.exe
"C:\Users\Admin\AppData\Local\Temp\c5097f98c49b1a92ae0cb6171a63b42d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\reviewsession\zAvG1KO.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\reviewsession\7STcmfjAW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\reviewsession\Componenthost.exe
      "C:\reviewsession\Componenthost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\reviewsession\7STcmfjAW.bat

Filesize
47B

MD5
eaf2aeee3c0af2abf7be90d5c22e1d32

SHA1
b8fbefc94fd39337c2bf217871c2c7a02f84c7d4

SHA256
61e1ff88b2cee31c8785a632ddb5d9bf80c85c3b073a3fd200e2307958d516d5

SHA512
d2d51515cbfada7839c688f9a736555da9f3459e957b3a23d41fdb7545539381b5e548cd64bc14f478cd70ae48b6b1d48192dda90dddab6f1eb960b101af8e0e

Download Submit
C:\reviewsession\Componenthost.exe

Filesize
1.4MB

MD5
126c2a884085e32f86ff4deb9fdc05cb

SHA1
fd4a7752bec9d3ed9ddd8caa97fdcca84a408fb4

SHA256
951da0c5e00929fccc85508b71545b79717f9ccade9225051124c3d3fc5a858f

SHA512
824f203cb13682f0f511021cda1557205f112ff8832ace651277301a11e4e6d99721a2aab9b3c901f7ab7f13aa35f64b0d0abcbf1f7b4f0c533a596e61081e3c

Download Submit
C:\reviewsession\Componenthost.exe

Filesize
1.4MB

MD5
126c2a884085e32f86ff4deb9fdc05cb

SHA1
fd4a7752bec9d3ed9ddd8caa97fdcca84a408fb4

SHA256
951da0c5e00929fccc85508b71545b79717f9ccade9225051124c3d3fc5a858f

SHA512
824f203cb13682f0f511021cda1557205f112ff8832ace651277301a11e4e6d99721a2aab9b3c901f7ab7f13aa35f64b0d0abcbf1f7b4f0c533a596e61081e3c

Download Submit
C:\reviewsession\zAvG1KO.vbe

Filesize
210B

MD5
d51938e9e3e392c7304d2d9946b98b47

SHA1
5ae9bfb7be659102507e368e051aa6ccf1c0bd4e

SHA256
ae4d75a6e3d65b854e5fc1b37d9637251db25a3f5b7e5275705c426a69c26061

SHA512
ab262c582e35cd235f800b65690a70d761d321088847d1db216857a62751b41efc879f8228793eee8080961f13b878363f188520c264b70b36d3f53039cbbe4e

Download Submit
memory/4044-137-0x0000000000E10000-0x0000000000F76000-memory.dmp

Filesize
1.4MB

Download
memory/4044-138-0x00007FFB0F8F0000-0x00007FFB103B1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing