41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a

General

Target

41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a.exe
Size

263KB
MD5

594e681165d7f6a566cae99cf29b02ea
SHA1

d2bcd07d94be4fbbcc87df9d9e5c69340a897cc0
SHA256

41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a
SHA512

c3e720ac73e29beef0ca3f4998e9ce0d5e2784defe0401836d8f1171c10126cf16432c86e28d63bf97a78f929937d3582b7aee85f43c046e5ba2d3cab46e3f67

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

WindowsFormsApplication3.exeConsoleApplication4.exeClient.exe

pid process

1156 WindowsFormsApplication3.exe
1532 ConsoleApplication4.exe
1220 Client.exe

pid	process
1156	WindowsFormsApplication3.exe
1532	ConsoleApplication4.exe
1220	Client.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a.exeConsoleApplication4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	ConsoleApplication4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a.exeConsoleApplication4.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3396	41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a.exe
Token: SeDebugPrivilege	1532	ConsoleApplication4.exe
Token: SeDebugPrivilege	1220	Client.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a.exeConsoleApplication4.exe

description	pid	process	target process
PID 3396 wrote to memory of 1156	3396	41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a.exe	WindowsFormsApplication3.exe
PID 3396 wrote to memory of 1156	3396	41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a.exe	WindowsFormsApplication3.exe
PID 3396 wrote to memory of 1156	3396	41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a.exe	WindowsFormsApplication3.exe
PID 3396 wrote to memory of 1532	3396	41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a.exe	ConsoleApplication4.exe
PID 3396 wrote to memory of 1532	3396	41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a.exe	ConsoleApplication4.exe
PID 3396 wrote to memory of 1532	3396	41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a.exe	ConsoleApplication4.exe
PID 1532 wrote to memory of 1220	1532	ConsoleApplication4.exe	Client.exe
PID 1532 wrote to memory of 1220	1532	ConsoleApplication4.exe	Client.exe
PID 1532 wrote to memory of 1220	1532	ConsoleApplication4.exe	Client.exe

C:\Users\Admin\AppData\Local\Temp\41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a.exe
"C:\Users\Admin\AppData\Local\Temp\41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396

C:\Users\Admin\AppData\Local\Temp\WindowsFormsApplication3.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsFormsApplication3.exe"
2⤵
- Executes dropped EXE
PID:1156

C:\Users\Admin\AppData\Local\Temp\ConsoleApplication4.exe
"C:\Users\Admin\AppData\Local\Temp\ConsoleApplication4.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ConsoleApplication4.exe

Filesize
178KB

MD5
d33203f0e96e4f56a91e203e709d5f84

SHA1
1090bdad8a5e0febbe9422cc3247e1c4319c0521

SHA256
d0b71e3a7679f7c55b72954fdc0f86d5a5d29b87ae00961c43f0d6ddfd8e8c30

SHA512
ff5bc8ba89b0931df8d471c1c246b5d2cb71cc2bbf70ce357f52eaa4319acff7f6b90a20f2f27cfc9d2877e363b58324ab5876a1858ba7f84052a199aad9dbae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ConsoleApplication4.exe

Filesize
178KB

MD5
d33203f0e96e4f56a91e203e709d5f84

SHA1
1090bdad8a5e0febbe9422cc3247e1c4319c0521

SHA256
d0b71e3a7679f7c55b72954fdc0f86d5a5d29b87ae00961c43f0d6ddfd8e8c30

SHA512
ff5bc8ba89b0931df8d471c1c246b5d2cb71cc2bbf70ce357f52eaa4319acff7f6b90a20f2f27cfc9d2877e363b58324ab5876a1858ba7f84052a199aad9dbae

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsFormsApplication3.exe

Filesize
8KB

MD5
a609ff22165a3794ad71643628d67cb9

SHA1
0a2a289f5be48e2927734ae0e545b2bab143bce8

SHA256
6b9a200617b48fa8478674058fcc63c98e48235003bdf423f644feb1696bd2d7

SHA512
748bace7e7e15cb2441bcc5c0ce998978284d64ab5df933342189804d57d922d1af3e8b261ea1a38a60ad2973ff83cc191b0a047ac30708d10750276f2f1c50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsFormsApplication3.exe

Filesize
8KB

MD5
a609ff22165a3794ad71643628d67cb9

SHA1
0a2a289f5be48e2927734ae0e545b2bab143bce8

SHA256
6b9a200617b48fa8478674058fcc63c98e48235003bdf423f644feb1696bd2d7

SHA512
748bace7e7e15cb2441bcc5c0ce998978284d64ab5df933342189804d57d922d1af3e8b261ea1a38a60ad2973ff83cc191b0a047ac30708d10750276f2f1c50a

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

Filesize
178KB

MD5
d33203f0e96e4f56a91e203e709d5f84

SHA1
1090bdad8a5e0febbe9422cc3247e1c4319c0521

SHA256
d0b71e3a7679f7c55b72954fdc0f86d5a5d29b87ae00961c43f0d6ddfd8e8c30

SHA512
ff5bc8ba89b0931df8d471c1c246b5d2cb71cc2bbf70ce357f52eaa4319acff7f6b90a20f2f27cfc9d2877e363b58324ab5876a1858ba7f84052a199aad9dbae

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

Filesize
178KB

MD5
d33203f0e96e4f56a91e203e709d5f84

SHA1
1090bdad8a5e0febbe9422cc3247e1c4319c0521

SHA256
d0b71e3a7679f7c55b72954fdc0f86d5a5d29b87ae00961c43f0d6ddfd8e8c30

SHA512
ff5bc8ba89b0931df8d471c1c246b5d2cb71cc2bbf70ce357f52eaa4319acff7f6b90a20f2f27cfc9d2877e363b58324ab5876a1858ba7f84052a199aad9dbae

Download Submit
memory/1156-142-0x0000000000D40000-0x0000000000D48000-memory.dmp

Filesize
32KB

Download
memory/1156-136-0x0000000000000000-mapping.dmp

Download
memory/1220-145-0x0000000000000000-mapping.dmp

Download
memory/1532-139-0x0000000000000000-mapping.dmp

Download
memory/1532-143-0x00000000009A0000-0x00000000009D2000-memory.dmp

Filesize
200KB

Download
memory/1532-144-0x0000000005350000-0x00000000053B6000-memory.dmp

Filesize
408KB

Download
memory/3396-130-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/3396-135-0x00000000051F0000-0x0000000005246000-memory.dmp

Filesize
344KB

Download
memory/3396-134-0x0000000004E60000-0x0000000004E6A000-memory.dmp

Filesize
40KB

Download
memory/3396-133-0x0000000005000000-0x0000000005092000-memory.dmp

Filesize
584KB

Download
memory/3396-132-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download
memory/3396-131-0x0000000002810000-0x00000000028AC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads