2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a

General

Target

2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
Size

321KB
MD5

76f4437bbb7ea924e9cda33dec2919d3
SHA1

8befc8b4ce0266dec8e2e1d6e9aec882f1ae358e
SHA256

2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a
SHA512

b9a0882e07ee5c81444b5d57b69fa628cfe86d08a54e6df5d317444ba64334ef33f265540dcf3b231368ce505ac1bb9fe6b2f0a74b0b307a62d4f885821a1acf

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2720	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1948	PING.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 2720	4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe	87
PID 4980 wrote to memory of 2720	4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe	87
PID 4980 wrote to memory of 2720	4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe	87
PID 4980 wrote to memory of 3988	4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe	88
PID 4980 wrote to memory of 3988	4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe	88
PID 4980 wrote to memory of 3988	4980	2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe	88
PID 3988 wrote to memory of 1948	3988	cmd.exe	90
PID 3988 wrote to memory of 1948	3988	cmd.exe	90
PID 3988 wrote to memory of 1948	3988	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
"C:\Users\Admin\AppData\Local\Temp\2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\Temp\2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a\2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe
  "C:\Users\Admin\AppData\Local\Temp\2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a\2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe"
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe.log

Filesize
771B

MD5
36c85b51fe803ac6009874a8f4a4879a

SHA1
b33dfa5c3cb416db33a167edad92d1e678fd6c5f

SHA256
b3d71b4a609a9b0e117b5b2acdfbb9b59d71aae2f27b5f9bc3f03796949dfb03

SHA512
e9efd16b585cbe747d46da115474a957e969b067c478628cae47bd84f13575a8d737f6256dd65907e05c3556e668a0deaf6a0393382815d799c3959233ec38eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a\2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe

Filesize
321KB

MD5
76f4437bbb7ea924e9cda33dec2919d3

SHA1
8befc8b4ce0266dec8e2e1d6e9aec882f1ae358e

SHA256
2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a

SHA512
b9a0882e07ee5c81444b5d57b69fa628cfe86d08a54e6df5d317444ba64334ef33f265540dcf3b231368ce505ac1bb9fe6b2f0a74b0b307a62d4f885821a1acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a\2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a.exe

Filesize
321KB

MD5
76f4437bbb7ea924e9cda33dec2919d3

SHA1
8befc8b4ce0266dec8e2e1d6e9aec882f1ae358e

SHA256
2188f5a214a324667b5a3f1eab091c9b3f6a92755b76613c215eff924df70c8a

SHA512
b9a0882e07ee5c81444b5d57b69fa628cfe86d08a54e6df5d317444ba64334ef33f265540dcf3b231368ce505ac1bb9fe6b2f0a74b0b307a62d4f885821a1acf

Download Submit
memory/2720-136-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/2720-138-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4980-130-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4980-131-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4980-140-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing