a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759

General

Target

a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe
Size

935KB
MD5

bba6ba82caeb5b34de59cd5a0e6a7695
SHA1

615d2d6f93d0354ddb853bc143ac6e7fe74a0193
SHA256

a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759
SHA512

c46dd4a1a317db987740610639877af4ee7456e342800d5cd29bf31c848cc58252d5596f408233c234a40ab9bc05a483a6fd1ef1f942d073db45fbf387d16d29

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

service.exe

pid process

3224 service.exe

pid	process
3224	service.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exeservice.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4888 schtasks.exe
4444 schtasks.exe

pid	process
4888	schtasks.exe
4444	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.execmd.exeservice.execmd.exe

description	pid	process	target process
PID 3816 wrote to memory of 4180	3816	a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe	cmd.exe
PID 3816 wrote to memory of 4180	3816	a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe	cmd.exe
PID 3816 wrote to memory of 4180	3816	a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe	cmd.exe
PID 4180 wrote to memory of 4888	4180	cmd.exe	schtasks.exe
PID 4180 wrote to memory of 4888	4180	cmd.exe	schtasks.exe
PID 4180 wrote to memory of 4888	4180	cmd.exe	schtasks.exe
PID 3224 wrote to memory of 3348	3224	service.exe	cmd.exe
PID 3224 wrote to memory of 3348	3224	service.exe	cmd.exe
PID 3224 wrote to memory of 3348	3224	service.exe	cmd.exe
PID 3348 wrote to memory of 4444	3348	cmd.exe	schtasks.exe
PID 3348 wrote to memory of 4444	3348	cmd.exe	schtasks.exe
PID 3348 wrote to memory of 4444	3348	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe
"C:\Users\Admin\AppData\Local\Temp\a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:4888

C:\Users\Admin\AppData\Roaming\service.exe
C:\Users\Admin\AppData\Roaming\service.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3348

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:4444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\service.exe
Filesize
935KB

MD5
bba6ba82caeb5b34de59cd5a0e6a7695

SHA1
615d2d6f93d0354ddb853bc143ac6e7fe74a0193

SHA256
a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759

SHA512
c46dd4a1a317db987740610639877af4ee7456e342800d5cd29bf31c848cc58252d5596f408233c234a40ab9bc05a483a6fd1ef1f942d073db45fbf387d16d29

Download Submit
C:\Users\Admin\AppData\Roaming\service.exe
Filesize
935KB

MD5
bba6ba82caeb5b34de59cd5a0e6a7695

SHA1
615d2d6f93d0354ddb853bc143ac6e7fe74a0193

SHA256
a67c355787e2c858ee6182fc7cf00ededee1016269b333b3bb793e31aab71759

SHA512
c46dd4a1a317db987740610639877af4ee7456e342800d5cd29bf31c848cc58252d5596f408233c234a40ab9bc05a483a6fd1ef1f942d073db45fbf387d16d29

Download Submit
memory/3348-134-0x0000000000000000-mapping.dmp

Download
memory/4180-130-0x0000000000000000-mapping.dmp

Download
memory/4444-135-0x0000000000000000-mapping.dmp

Download
memory/4888-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads