b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6

General

Target

b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe
Size

235KB
MD5

1f7f6928534ff002dbe843380d619e45
SHA1

5712a3cd5c72e2cfb648135a97850637ac9c4681
SHA256

b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6
SHA512

8ec6d3bd9d30f9b659bcf22d23e6985e5e88b7ef5b719f7e23250a18b267218bc0b62d5cf07b057fe5f3105228313385d33b3a63d75107ec44d7f519caf9a3b9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

drm.exedrm.exe

pid process

2764 drm.exe
4140 drm.exe

pid	process
2764	drm.exe
4140	drm.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe

Drops startup file 1 IoCs

Processes:

drm.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeviceSync.lnk drm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

drm.exe

description pid process target process

PID 2764 set thread context of 4140 2764 drm.exe drm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4896 4140 WerFault.exe drm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeviceSync.lnk	drm.exe

description	pid	process	target process
PID 2764 set thread context of 4140	2764	drm.exe	drm.exe

pid	pid_target	process	target process
4896	4140	WerFault.exe	drm.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exedrm.exe

pid	process
3944	b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe
3944	b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe
3944	b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe
3944	b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe
2764	drm.exe
2764	drm.exe
2764	drm.exe
2764	drm.exe
2764	drm.exe
2764	drm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

drm.exe

description	pid	process
Token: SeDebugPrivilege	2764	drm.exe
Token: SeDebugPrivilege	2764	drm.exe
Token: SeDebugPrivilege	2764	drm.exe
Token: SeDebugPrivilege	2764	drm.exe
Token: SeDebugPrivilege	2764	drm.exe
Token: SeDebugPrivilege	2764	drm.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exedrm.exe

description	pid	process	target process
PID 3944 wrote to memory of 2764	3944	b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe	drm.exe
PID 3944 wrote to memory of 2764	3944	b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe	drm.exe
PID 3944 wrote to memory of 2764	3944	b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe	drm.exe
PID 2764 wrote to memory of 4140	2764	drm.exe	drm.exe
PID 2764 wrote to memory of 4140	2764	drm.exe	drm.exe
PID 2764 wrote to memory of 4140	2764	drm.exe	drm.exe
PID 2764 wrote to memory of 4140	2764	drm.exe	drm.exe
PID 2764 wrote to memory of 4140	2764	drm.exe	drm.exe
PID 2764 wrote to memory of 4140	2764	drm.exe	drm.exe
PID 2764 wrote to memory of 4140	2764	drm.exe	drm.exe
PID 2764 wrote to memory of 4140	2764	drm.exe	drm.exe

C:\Users\Admin\AppData\Local\Temp\b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe
"C:\Users\Admin\AppData\Local\Temp\b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\drm.exe
"C:\Users\Admin\AppData\Local\Temp\drm.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\drm.exe
C:\Users\Admin\AppData\Local\Temp\drm.exe
3⤵
- Executes dropped EXE
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 28
4⤵
- Program crash
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4140 -ip 4140
1⤵
PID:64

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drm.exe
Filesize
38KB

MD5
103f7c56772b5463a51c4992d1a1289f

SHA1
5f533c02737904d12eea0e9f6042da1ed6691c27

SHA256
1787605b093fb88096cdb5c316ec335425096af34ab1006224b845a09482badc

SHA512
5e7e428e6ffc2095923f92e67b7707bc50c823d2ac2ad0a651eb6f7899e777650c95de2d2ec72e00cc7108f68a494b0ea246ebf48793a154cce403336d0b1c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\drm.exe
Filesize
38KB

MD5
103f7c56772b5463a51c4992d1a1289f

SHA1
5f533c02737904d12eea0e9f6042da1ed6691c27

SHA256
1787605b093fb88096cdb5c316ec335425096af34ab1006224b845a09482badc

SHA512
5e7e428e6ffc2095923f92e67b7707bc50c823d2ac2ad0a651eb6f7899e777650c95de2d2ec72e00cc7108f68a494b0ea246ebf48793a154cce403336d0b1c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\drm.exe
Filesize
38KB

MD5
103f7c56772b5463a51c4992d1a1289f

SHA1
5f533c02737904d12eea0e9f6042da1ed6691c27

SHA256
1787605b093fb88096cdb5c316ec335425096af34ab1006224b845a09482badc

SHA512
5e7e428e6ffc2095923f92e67b7707bc50c823d2ac2ad0a651eb6f7899e777650c95de2d2ec72e00cc7108f68a494b0ea246ebf48793a154cce403336d0b1c33

Download Submit
memory/2764-130-0x0000000000000000-mapping.dmp

Download
memory/2764-133-0x0000000076EF0000-0x0000000076FAF000-memory.dmp

Filesize
764KB

Download
memory/2764-134-0x0000000076E30000-0x0000000076EEF000-memory.dmp

Filesize
764KB

Download
memory/2764-135-0x0000000075940000-0x0000000075964000-memory.dmp

Filesize
144KB

Download
memory/2764-136-0x0000000077580000-0x0000000077723000-memory.dmp

Filesize
1.6MB

Download
memory/2764-138-0x0000000075EF0000-0x0000000075F6A000-memory.dmp

Filesize
488KB

Download
memory/4140-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads