9ad06b0e000800a33d381949658dbd0bfd7c7f1025aa5c81621b55f2f69a7a3f

General

Target

87953bdf18ba88061cf28ad17116b56f.exe
Size

1.9MB
MD5

87953bdf18ba88061cf28ad17116b56f
SHA1

bc04b30d0e7ca0fc34b1d507ab4b991e0cc5dbc6
SHA256

9ad06b0e000800a33d381949658dbd0bfd7c7f1025aa5c81621b55f2f69a7a3f
SHA512

19d8520c62da97a0a793c1f9eb17ae5865ea3d6d9e4734ac5e4069c864f52fccf06d5961c136095c73e7ee6c3ce1e9ae0038f32e8941f5aa2599327111b386c3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

87953bdf18ba88061cf28ad17116b56f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	87953bdf18ba88061cf28ad17116b56f.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exe

pid process

1856 regsvr32.exe
1856 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1856	regsvr32.exe
1856	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

87953bdf18ba88061cf28ad17116b56f.exe

description	pid	process	target process
PID 2772 wrote to memory of 1856	2772	87953bdf18ba88061cf28ad17116b56f.exe	regsvr32.exe
PID 2772 wrote to memory of 1856	2772	87953bdf18ba88061cf28ad17116b56f.exe	regsvr32.exe
PID 2772 wrote to memory of 1856	2772	87953bdf18ba88061cf28ad17116b56f.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\87953bdf18ba88061cf28ad17116b56f.exe
"C:\Users\Admin\AppData\Local\Temp\87953bdf18ba88061cf28ad17116b56f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /U /S V8NgH.K
2⤵
- Loads dropped DLL
PID:1856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\V8NgH.K
Filesize
681.1MB

MD5
116f558ce26d856dda8875228d40cd64

SHA1
aa9e683d1bd584029679b8a6463e11b30a13190d

SHA256
7dae8703accc936872ac739653b7829a78c28fd8a5ce8e17deb10810e5c634d8

SHA512
b3865844e4717cd1849924bc82214f1ff289971c1c5b49e02e9af611264e06ec0f13adebbf2c3631537b36a250083087754b1b45a7a5f48a179e0becf7e0267f

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8NgH.K
Filesize
682.8MB

MD5
dec75150ae1a88326cfbba1ad4d90345

SHA1
65b35717ab19045a80017968c353880aa01fe08f

SHA256
346f5d0021dbd8ffeb55fb83e6841c6442c8720c615cba5b9b2e469d1306d6b7

SHA512
3d319e1438b1af5900df98dc05e443d0bfb8e0a008d0e145a430fb0c8dfd0fe9864da94f9c4ed3194633daf7ca6fb1aef71ffda8b8fc64e962050808a7d35ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8NgH.K
Filesize
682.8MB

MD5
dec75150ae1a88326cfbba1ad4d90345

SHA1
65b35717ab19045a80017968c353880aa01fe08f

SHA256
346f5d0021dbd8ffeb55fb83e6841c6442c8720c615cba5b9b2e469d1306d6b7

SHA512
3d319e1438b1af5900df98dc05e443d0bfb8e0a008d0e145a430fb0c8dfd0fe9864da94f9c4ed3194633daf7ca6fb1aef71ffda8b8fc64e962050808a7d35ebd

Download Submit
memory/1856-131-0x0000000000000000-mapping.dmp

Download
memory/1856-135-0x0000000002100000-0x0000000003100000-memory.dmp

Filesize
16.0MB

Download
memory/1856-136-0x000000002D100000-0x000000002D1DF000-memory.dmp

Filesize
892KB

Download
memory/1856-137-0x000000002D2A0000-0x000000002D35B000-memory.dmp

Filesize
748KB

Download
memory/1856-138-0x000000002D360000-0x000000002D414000-memory.dmp

Filesize
720KB

Download
memory/1856-139-0x000000002D420000-0x000000002D4C0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing