32dd0a80090ae3af8bd00fd8babf21fe4a769805e0ee4632114d50268bbd1127

General

Target

order 20- 0011718..exe
Size

426KB
MD5

583a510813764348af0c5c3d2b6f9385
SHA1

be80f78c782d612fca9128cdfefc9b324ae653eb
SHA256

aec020a6546f4efe2d5766ae7e7da2816c11badee1879d37de7845538b03035b
SHA512

b82acd5b8e864c0b83be494d88cd97f891cd1a5e47acbb5a425af353d3c9e7d868be10da0fd0c568de1e3478460be690ff0b648865b7f136983b434ce24fe32e

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

order 20- 0011718..exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	order 20- 0011718..exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3652 schtasks.exe

pid	process
3652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

order 20- 0011718..exe

pid	process
2772	order 20- 0011718..exe
2772	order 20- 0011718..exe
2772	order 20- 0011718..exe
2772	order 20- 0011718..exe
2772	order 20- 0011718..exe
2772	order 20- 0011718..exe
2772	order 20- 0011718..exe
2772	order 20- 0011718..exe
2772	order 20- 0011718..exe
2772	order 20- 0011718..exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

order 20- 0011718..exe

description pid process

Token: SeDebugPrivilege 2772 order 20- 0011718..exe

description	pid	process
Token: SeDebugPrivilege	2772	order 20- 0011718..exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

order 20- 0011718..exe

description	pid	process	target process
PID 2772 wrote to memory of 3652	2772	order 20- 0011718..exe	schtasks.exe
PID 2772 wrote to memory of 3652	2772	order 20- 0011718..exe	schtasks.exe
PID 2772 wrote to memory of 3652	2772	order 20- 0011718..exe	schtasks.exe
PID 2772 wrote to memory of 5028	2772	order 20- 0011718..exe	order 20- 0011718..exe
PID 2772 wrote to memory of 5028	2772	order 20- 0011718..exe	order 20- 0011718..exe
PID 2772 wrote to memory of 5028	2772	order 20- 0011718..exe	order 20- 0011718..exe
PID 2772 wrote to memory of 3488	2772	order 20- 0011718..exe	order 20- 0011718..exe
PID 2772 wrote to memory of 3488	2772	order 20- 0011718..exe	order 20- 0011718..exe
PID 2772 wrote to memory of 3488	2772	order 20- 0011718..exe	order 20- 0011718..exe
PID 2772 wrote to memory of 4052	2772	order 20- 0011718..exe	order 20- 0011718..exe
PID 2772 wrote to memory of 4052	2772	order 20- 0011718..exe	order 20- 0011718..exe
PID 2772 wrote to memory of 4052	2772	order 20- 0011718..exe	order 20- 0011718..exe
PID 2772 wrote to memory of 2232	2772	order 20- 0011718..exe	order 20- 0011718..exe
PID 2772 wrote to memory of 2232	2772	order 20- 0011718..exe	order 20- 0011718..exe
PID 2772 wrote to memory of 2232	2772	order 20- 0011718..exe	order 20- 0011718..exe
PID 2772 wrote to memory of 2292	2772	order 20- 0011718..exe	order 20- 0011718..exe
PID 2772 wrote to memory of 2292	2772	order 20- 0011718..exe	order 20- 0011718..exe
PID 2772 wrote to memory of 2292	2772	order 20- 0011718..exe	order 20- 0011718..exe

C:\Users\Admin\AppData\Local\Temp\order 20- 0011718..exe
"C:\Users\Admin\AppData\Local\Temp\order 20- 0011718..exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AaLebGET" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5FB.tmp"
2⤵
- Creates scheduled task(s)
PID:3652

C:\Users\Admin\AppData\Local\Temp\order 20- 0011718..exe
"{path}"
2⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\order 20- 0011718..exe
"{path}"
2⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\order 20- 0011718..exe
"{path}"
2⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\order 20- 0011718..exe
"{path}"
2⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\order 20- 0011718..exe
"{path}"
2⤵
PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5FB.tmp
Filesize
1KB

MD5
4d0ba98876f17d87636dd32c8133293f

SHA1
192bb21b71b5014d1d78636193b18d2115991d56

SHA256
401df05d30961042b7665e67d5017dfaa673184fb88332f0993793da555effa0

SHA512
5d03a691d1e24dbe0ced55d0614dc6900b812e2498fe3da1bb18821f6aa5588400612afd107f642fbac994409021f8e81b5fc1de97bca6f773695b0346a67175

Download Submit
memory/2232-139-0x0000000000000000-mapping.dmp

Download
memory/2292-140-0x0000000000000000-mapping.dmp

Download
memory/2772-130-0x0000000000960000-0x00000000009D0000-memory.dmp

Filesize
448KB

Download
memory/2772-131-0x0000000005260000-0x00000000052FC000-memory.dmp

Filesize
624KB

Download
memory/2772-132-0x00000000053A0000-0x0000000005432000-memory.dmp

Filesize
584KB

Download
memory/2772-133-0x0000000006270000-0x0000000006814000-memory.dmp

Filesize
5.6MB

Download
memory/3488-137-0x0000000000000000-mapping.dmp

Download
memory/3652-134-0x0000000000000000-mapping.dmp

Download
memory/4052-138-0x0000000000000000-mapping.dmp

Download
memory/5028-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads