f7e9080ca25ee0e68a9f7b1557dd8e5ebed57777c83186742ab3489706c30b21

General

Target

tmp.exe
Size

3.8MB
MD5

af472706053409a5478d0fe3a71c601b
SHA1

b4226313a464857f5a5ee2bc7ba976c23ee44729
SHA256

f7e9080ca25ee0e68a9f7b1557dd8e5ebed57777c83186742ab3489706c30b21
SHA512

5a23bd12d8eefdf06203c9d7fce9efa95092159f084cae79d27811699c21067783d7afe5350cbf2a26e0852d8bb009b5656b5e672a40b6bbe872b6d5283eb1ed

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmp.tmp

pid process

4648 tmp.tmp
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tmp.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation tmp.tmp
Loads dropped DLL 1 IoCs

Processes:

tmp.tmp

pid process

4648 tmp.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

tmp.tmp

pid process

4648 tmp.tmp
4648 tmp.tmp
4648 tmp.tmp
4648 tmp.tmp
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tmp.tmp

description pid process

Token: SeDebugPrivilege 4648 tmp.tmp
Token: SeDebugPrivilege 4648 tmp.tmp

pid	process
4648	tmp.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	tmp.tmp

pid	process
4648	tmp.tmp

pid	process
4648	tmp.tmp
4648	tmp.tmp
4648	tmp.tmp
4648	tmp.tmp

description	pid	process
Token: SeDebugPrivilege	4648	tmp.tmp
Token: SeDebugPrivilege	4648	tmp.tmp

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

tmp.exetmp.tmpnet.exe

description	pid	process	target process
PID 4780 wrote to memory of 4648	4780	tmp.exe	tmp.tmp
PID 4780 wrote to memory of 4648	4780	tmp.exe	tmp.tmp
PID 4780 wrote to memory of 4648	4780	tmp.exe	tmp.tmp
PID 4648 wrote to memory of 1048	4648	tmp.tmp	net.exe
PID 4648 wrote to memory of 1048	4648	tmp.tmp	net.exe
PID 4648 wrote to memory of 1048	4648	tmp.tmp	net.exe
PID 1048 wrote to memory of 1544	1048	net.exe	net1.exe
PID 1048 wrote to memory of 1544	1048	net.exe	net1.exe
PID 1048 wrote to memory of 1544	1048	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Users\Admin\AppData\Local\Temp\is-4J8SJ.tmp\tmp.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4J8SJ.tmp\tmp.tmp" /SL5="$1301FA,3722629,56832,C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop routerService
3⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop routerService
4⤵
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-4J8SJ.tmp\tmp.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4J8SJ.tmp\tmp.tmp
Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SDHQK.tmp\uninstall.dll
Filesize
375KB

MD5
5efac3416a1e01008e3b3fe3f0cc17f5

SHA1
f803065bf98b7f7449897f90ae666ad0cd8a9e4b

SHA256
81816fcbaa62d9a89bf27ab2e2eb0b3fe0201f83d2139fda491708e7456ab0ba

SHA512
ce90b01e2696156743527be8bb5f098a748d405a9b6f783c41d5f0c2b312d7945d9bb4dc95c5504e7795ec348ad7ec0697f9ff2ed3495256340714be1e6733fe

Download Submit
memory/1048-137-0x0000000000000000-mapping.dmp

Download
memory/1544-138-0x0000000000000000-mapping.dmp

Download
memory/4648-132-0x0000000000000000-mapping.dmp

Download
memory/4780-130-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4780-136-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing