13ff98387aa00e52536cdf8f9d62faab11e96e23867039cbecd4cae8400901aa

General

Target

13ff98387aa00e52536cdf8f9d62faab11e96e23867039cbecd4cae8400901aa.exe
Size

908KB
MD5

7da36a4223890501fc0615bdb3f17733
SHA1

1733cefc70d77674576bda99985d2f5f4be2548f
SHA256

13ff98387aa00e52536cdf8f9d62faab11e96e23867039cbecd4cae8400901aa
SHA512

36d3913d43925afb2e1238b253925541643263ff30eb350a86f7f262f0993141292b820e228e9f5179fb702c46f68b0b48237c9fe3f0b579c43389a8f289d486

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2100	lrn.exe
2800	lrn.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	13ff98387aa00e52536cdf8f9d62faab11e96e23867039cbecd4cae8400901aa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	lrn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\36348926\\lrn.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\36348926\\CDA_NI~1"	lrn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2800 set thread context of 3636	2800	lrn.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2580	3636	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2100	lrn.exe
2100	lrn.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2100	2076	13ff98387aa00e52536cdf8f9d62faab11e96e23867039cbecd4cae8400901aa.exe	79
PID 2076 wrote to memory of 2100	2076	13ff98387aa00e52536cdf8f9d62faab11e96e23867039cbecd4cae8400901aa.exe	79
PID 2076 wrote to memory of 2100	2076	13ff98387aa00e52536cdf8f9d62faab11e96e23867039cbecd4cae8400901aa.exe	79
PID 2100 wrote to memory of 2800	2100	lrn.exe	81
PID 2100 wrote to memory of 2800	2100	lrn.exe	81
PID 2100 wrote to memory of 2800	2100	lrn.exe	81
PID 2800 wrote to memory of 3636	2800	lrn.exe	82
PID 2800 wrote to memory of 3636	2800	lrn.exe	82
PID 2800 wrote to memory of 3636	2800	lrn.exe	82
PID 2800 wrote to memory of 3636	2800	lrn.exe	82

C:\Users\Admin\AppData\Local\Temp\13ff98387aa00e52536cdf8f9d62faab11e96e23867039cbecd4cae8400901aa.exe
"C:\Users\Admin\AppData\Local\Temp\13ff98387aa00e52536cdf8f9d62faab11e96e23867039cbecd4cae8400901aa.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\36348926\lrn.exe
  "C:\Users\Admin\AppData\Local\Temp\36348926\lrn.exe" cda=nit
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\36348926\lrn.exe
    C:\Users\Admin\AppData\Local\Temp\36348926\lrn.exe C:\Users\Admin\AppData\Local\Temp\36348926\MUKMY
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:3636
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 80
        5⤵
        Program crash
        
        PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3636 -ip 3636
1⤵
PID:4016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\36348926\MUKMY

Filesize
87KB

MD5
189ced6103f44fd592dc5874406c2af5

SHA1
09d943e70c450dfa5ee63157cd7cbc3282989e11

SHA256
04ce9bf452fcba95aa9f05d6255d96574f3d8d52020784fbe26e5b6b63d3b40f

SHA512
6e4d081547522c1ef1a8489f4cd19d79f061b97d8d8f51bb2ea7bae36093f06603484838aa46f3aa4d30c6f7958f2aac40e98d9228281e9a2ea6229a7b8ca896

Download Submit
C:\Users\Admin\AppData\Local\Temp\36348926\cda=nit

Filesize
186KB

MD5
ba126ed0c4c9961a5d3223926f401a19

SHA1
4f63f722cd5b055e90a9edf9cc86646272b4faf3

SHA256
a2b4a12b44abc846216eddb606ac3fe7a643d8683908b2e5b3015a429a008edf

SHA512
1d458ed74e13f95226bf696305f2f19d344c20b9d1be0a41c2ddf3ab779eee528b65ff21bb70945c861fb6997842e807296528bf0a102269c948a3ac92a41d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\36348926\lrn.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\36348926\lrn.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\36348926\lrn.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\36348926\qgx.docx

Filesize
386B

MD5
62f82fe697011a65721706e0c347721a

SHA1
c12935a2ed99810cb645d59ff26de77d92ac19a4

SHA256
c1cd4bc0f70bfb29fabb95ad78cd89fabd96d75cba9e138f0f59bd0e5de55001

SHA512
41812069cfc14509cc0d267d500a8e336141da4cd5070adce8bb1c8e7749f80a89d08fabdb3e738aeafb611b70d1fb62fa93a9e9f965ed70780b60c492220709

Download Submit
C:\Users\Admin\AppData\Local\Temp\36348926\wne.ppt

Filesize
640KB

MD5
a908977558e8ce5174e5cf4fb04fd13b

SHA1
3a5fa655d842ad7eca141e557c68174ed73f913c

SHA256
5e84f3b7895534dd30fb237cccd9ded37a5c7d96d7c70f8ffdb009a27254df4a

SHA512
43b4679082e7e177dd9241d176247e66867094e29ff41f06b5baf121369aeb6b3f8cfbdad5a8ea2566467b8d20f39185a7d61077cb1ccaabb4ed0f8021c2e36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\36348926\xsa.mp3

Filesize
291B

MD5
f63b4ebed8db86aae405e261fd5229cc

SHA1
50471884816f8ccec667fd8d5afccd5d00de6ca6

SHA256
f089331d05086b5d3caf5511ef86b285a2e8830ecbc27b36aed64973da882312

SHA512
5caf6d145747f112eba521d8ee34d930a52891450d997ec2da80ce9ee1a6f22576cc774e12eaebf8e7e0c8c277207a4e7772b45200f46b5012e9a51775028959

Download Submit

Analysis

Sharing