4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895

General

Target

4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe
Size

303KB
MD5

144539a65d10a6ed3df334866028ba79
SHA1

7d74cbaa4552b9468aaf079dab28b2bae29d1ae9
SHA256

4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895
SHA512

33802b04f713820d4a19220b3391cde8090a3837a82fff2d23af4d8994998665d87c98195170f68b6856c58d765b96bfd64fa7163ee1cf3882416cb5de8c58e9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

app.exe

pid process

5072 app.exe

pid	process
5072	app.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exeapp.exe

description	pid	process
Token: SeDebugPrivilege	4072	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe
Token: 33	4072	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe
Token: SeIncBasePriorityPrivilege	4072	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe
Token: SeDebugPrivilege	5072	app.exe
Token: 33	5072	app.exe
Token: SeIncBasePriorityPrivilege	5072	app.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.execmd.exe

description	pid	process	target process
PID 4072 wrote to memory of 4444	4072	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe	cmd.exe
PID 4072 wrote to memory of 4444	4072	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe	cmd.exe
PID 4072 wrote to memory of 4444	4072	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe	cmd.exe
PID 4072 wrote to memory of 4496	4072	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe	cmd.exe
PID 4072 wrote to memory of 4496	4072	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe	cmd.exe
PID 4072 wrote to memory of 4496	4072	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe	cmd.exe
PID 4496 wrote to memory of 5072	4496	cmd.exe	app.exe
PID 4496 wrote to memory of 5072	4496	cmd.exe	app.exe
PID 4496 wrote to memory of 5072	4496	cmd.exe	app.exe

C:\Users\Admin\AppData\Local\Temp\4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe
"C:\Users\Admin\AppData\Local\Temp\4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe"
2⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4496

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe

Filesize
303KB

MD5
144539a65d10a6ed3df334866028ba79

SHA1
7d74cbaa4552b9468aaf079dab28b2bae29d1ae9

SHA256
4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895

SHA512
33802b04f713820d4a19220b3391cde8090a3837a82fff2d23af4d8994998665d87c98195170f68b6856c58d765b96bfd64fa7163ee1cf3882416cb5de8c58e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe

Filesize
303KB

MD5
144539a65d10a6ed3df334866028ba79

SHA1
7d74cbaa4552b9468aaf079dab28b2bae29d1ae9

SHA256
4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895

SHA512
33802b04f713820d4a19220b3391cde8090a3837a82fff2d23af4d8994998665d87c98195170f68b6856c58d765b96bfd64fa7163ee1cf3882416cb5de8c58e9

Download Submit
memory/4072-130-0x0000000000310000-0x0000000000364000-memory.dmp

Filesize
336KB

Download
memory/4072-131-0x00000000078B0000-0x0000000007E54000-memory.dmp

Filesize
5.6MB

Download
memory/4072-132-0x0000000007410000-0x00000000074A2000-memory.dmp

Filesize
584KB

Download
memory/4444-133-0x0000000000000000-mapping.dmp

Download
memory/4496-134-0x0000000000000000-mapping.dmp

Download
memory/5072-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads