e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961

General

Target

e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
Size

546KB
MD5

0d8d14b3e6739610579cbcec8bcad92e
SHA1

5c5c5c3bc5b9277cd9a0483b7cd8ec6f85355b4c
SHA256

e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961
SHA512

dcc70688bb2d3cf8feeaf6492955ebb3789dd954da6b1a4c688750032f64e1cf114f4f3497fab1bc330587fa3746c30c9250a01400242d8514eeb10076a8db24

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

psr.exe

pid process

1828 psr.exe

pid	process
1828	psr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe

Loads dropped DLL 2 IoCs

Processes:

e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exepsr.exe

pid process

2612 e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
1828 psr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fgc = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\psr.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exepsr.exe

pid	process
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
1828	psr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exepsr.exe

description	pid	process
Token: SeDebugPrivilege	2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
Token: SeDebugPrivilege	1828	psr.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.execmd.exepsr.exe

description	pid	process	target process
PID 2612 wrote to memory of 2244	2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe	cmd.exe
PID 2612 wrote to memory of 2244	2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe	cmd.exe
PID 2612 wrote to memory of 2244	2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe	cmd.exe
PID 2244 wrote to memory of 3100	2244	cmd.exe	reg.exe
PID 2244 wrote to memory of 3100	2244	cmd.exe	reg.exe
PID 2244 wrote to memory of 3100	2244	cmd.exe	reg.exe
PID 2612 wrote to memory of 1828	2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe	psr.exe
PID 2612 wrote to memory of 1828	2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe	psr.exe
PID 2612 wrote to memory of 1828	2612	e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe	psr.exe
PID 1828 wrote to memory of 4056	1828	psr.exe	InstallUtil.exe
PID 1828 wrote to memory of 4056	1828	psr.exe	InstallUtil.exe
PID 1828 wrote to memory of 4056	1828	psr.exe	InstallUtil.exe
PID 1828 wrote to memory of 4056	1828	psr.exe	InstallUtil.exe
PID 1828 wrote to memory of 4056	1828	psr.exe	InstallUtil.exe
PID 1828 wrote to memory of 4056	1828	psr.exe	InstallUtil.exe
PID 1828 wrote to memory of 4056	1828	psr.exe	InstallUtil.exe
PID 1828 wrote to memory of 4056	1828	psr.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe
"C:\Users\Admin\AppData\Local\Temp\e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v fgc /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\psr.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v fgc /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\psr.exe"
3⤵
- Adds Run key to start application
PID:3100

C:\Users\Admin\psr.exe
"C:\Users\Admin\psr.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
PID:4056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\19f93e2a-4d97-4e0c-ade5-972e41ee6cf8\f.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19f93e2a-4d97-4e0c-ade5-972e41ee6cf8\f.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\19f93e2a-4d97-4e0c-ade5-972e41ee6cf8\f.dll
Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\psr.exe
Filesize
546KB

MD5
0d8d14b3e6739610579cbcec8bcad92e

SHA1
5c5c5c3bc5b9277cd9a0483b7cd8ec6f85355b4c

SHA256
e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961

SHA512
dcc70688bb2d3cf8feeaf6492955ebb3789dd954da6b1a4c688750032f64e1cf114f4f3497fab1bc330587fa3746c30c9250a01400242d8514eeb10076a8db24

Download Submit
C:\Users\Admin\psr.exe
Filesize
546KB

MD5
0d8d14b3e6739610579cbcec8bcad92e

SHA1
5c5c5c3bc5b9277cd9a0483b7cd8ec6f85355b4c

SHA256
e3dc0ebb79c5497c927c15b67ea203ca2860681e3e8b063f91fec264193c5961

SHA512
dcc70688bb2d3cf8feeaf6492955ebb3789dd954da6b1a4c688750032f64e1cf114f4f3497fab1bc330587fa3746c30c9250a01400242d8514eeb10076a8db24

Download Submit
memory/1828-138-0x0000000000000000-mapping.dmp

Download
memory/1828-143-0x00000000737F0000-0x0000000073879000-memory.dmp

Filesize
548KB

Download
memory/2244-136-0x0000000000000000-mapping.dmp

Download
memory/2612-130-0x00000000005C0000-0x000000000064E000-memory.dmp

Filesize
568KB

Download
memory/2612-135-0x00000000737F0000-0x0000000073879000-memory.dmp

Filesize
548KB

Download
memory/2612-133-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/2612-132-0x0000000005040000-0x0000000005084000-memory.dmp

Filesize
272KB

Download
memory/2612-131-0x0000000005760000-0x0000000005D04000-memory.dmp

Filesize
5.6MB

Download
memory/3100-137-0x0000000000000000-mapping.dmp

Download
memory/4056-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads