0e75d1b5b9113f26227b5a16dd13b5bcbbb31cddadf7558536227e2599d8e90b

General

Target

f7882ab56428fbde316becaebfa0939e.exe
Size

15.1MB
MD5

f7882ab56428fbde316becaebfa0939e
SHA1

579bfdb1f18cdcbb7fcb08d3988bf53dbb1011bb
SHA256

0e75d1b5b9113f26227b5a16dd13b5bcbbb31cddadf7558536227e2599d8e90b
SHA512

cfc33a7edec1eb80d680f3fb3e7d3b187e7eb4401463e24750a597f5d25c29d30bbefaf5338e6c13fa21001796e737c7212c6339eb0d4de149659abb0fe051f6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3364	Wuoudwmrceeq.exe
220	Wrxuaatupdate-kmv.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	Wuoudwmrceeq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	Wrxuaatupdate-kmv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	f7882ab56428fbde316becaebfa0939e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mcvksfoe\\RuntimeBroker.exe\""	Wuoudwmrceeq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqlwriter64 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Nocbloced\\sqlwriter64.exe\""	Wrxuaatupdate-kmv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 220 set thread context of 1844	220	Wrxuaatupdate-kmv.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3364	Wuoudwmrceeq.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
372	powershell.exe
372	powershell.exe
4540	f7882ab56428fbde316becaebfa0939e.exe
4540	f7882ab56428fbde316becaebfa0939e.exe
1964	powershell.exe
1964	powershell.exe
2680	Explorer.EXE
2680	Explorer.EXE
3364	Wuoudwmrceeq.exe
1972	powershell.exe
1972	powershell.exe
2680	Explorer.EXE
2680	Explorer.EXE
220	Wrxuaatupdate-kmv.exe
220	Wrxuaatupdate-kmv.exe
220	Wrxuaatupdate-kmv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	f7882ab56428fbde316becaebfa0939e.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	3364	Wuoudwmrceeq.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeShutdownPrivilege	2680	Explorer.EXE
Token: SeCreatePagefilePrivilege	2680	Explorer.EXE
Token: SeDebugPrivilege	2680	Explorer.EXE
Token: SeShutdownPrivilege	2680	Explorer.EXE
Token: SeCreatePagefilePrivilege	2680	Explorer.EXE
Token: SeDebugPrivilege	220	Wrxuaatupdate-kmv.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeShutdownPrivilege	2680	Explorer.EXE
Token: SeCreatePagefilePrivilege	2680	Explorer.EXE
Token: SeShutdownPrivilege	2680	Explorer.EXE
Token: SeCreatePagefilePrivilege	2680	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 372	4540	f7882ab56428fbde316becaebfa0939e.exe	77
PID 4540 wrote to memory of 372	4540	f7882ab56428fbde316becaebfa0939e.exe	77
PID 4540 wrote to memory of 3364	4540	f7882ab56428fbde316becaebfa0939e.exe	80
PID 4540 wrote to memory of 3364	4540	f7882ab56428fbde316becaebfa0939e.exe	80
PID 3364 wrote to memory of 1964	3364	Wuoudwmrceeq.exe	81
PID 3364 wrote to memory of 1964	3364	Wuoudwmrceeq.exe	81
PID 4540 wrote to memory of 2680	4540	f7882ab56428fbde316becaebfa0939e.exe	54
PID 3364 wrote to memory of 220	3364	Wuoudwmrceeq.exe	83
PID 3364 wrote to memory of 220	3364	Wuoudwmrceeq.exe	83
PID 220 wrote to memory of 1972	220	Wrxuaatupdate-kmv.exe	84
PID 220 wrote to memory of 1972	220	Wrxuaatupdate-kmv.exe	84
PID 220 wrote to memory of 1844	220	Wrxuaatupdate-kmv.exe	86
PID 220 wrote to memory of 1844	220	Wrxuaatupdate-kmv.exe	86
PID 220 wrote to memory of 1844	220	Wrxuaatupdate-kmv.exe	86
PID 220 wrote to memory of 1844	220	Wrxuaatupdate-kmv.exe	86
PID 220 wrote to memory of 1844	220	Wrxuaatupdate-kmv.exe	86
PID 220 wrote to memory of 1844	220	Wrxuaatupdate-kmv.exe	86

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2680
- C:\Users\Admin\AppData\Local\Temp\f7882ab56428fbde316becaebfa0939e.exe
  "C:\Users\Admin\AppData\Local\Temp\f7882ab56428fbde316becaebfa0939e.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAA1AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:372
- - C:\Users\Admin\AppData\Local\Temp\Wuoudwmrceeq.exe
    "C:\Users\Admin\AppData\Local\Temp\Wuoudwmrceeq.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\Wrxuaatupdate-kmv.exe
      "C:\Users\Admin\AppData\Local\Temp\Wrxuaatupdate-kmv.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAA1AA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        5⤵
        
        PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6bceb4532f88990f57e25894a5a0858f

SHA1
8b2f05d9ca2c99fcc6739f7d83db1601a2df67b0

SHA256
cf3df157548fbc2c84657b207d4a41cbff83c3ceee7e5227ab7437c2cd9346bd

SHA512
76026ec549bf388584f7e3cb34086f1a4915bfe535fc442e80a5ce8cb2d1082571153d689f78c575bd26c44fa642bbb53514e3211a7018d735a704016de84d03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ff36240565e31228e0ac3db37fc65b2d

SHA1
0d807e0adfb392f8c3e024dafd45132d48e85a06

SHA256
b75e2944e2b3cbc2bfcc7bccfe94acc3d67e176badd6909733ba8d462bb4f0c5

SHA512
0eefe5759e74b873473b16f387deb0264f5ea4e8addc08129f12306c7d630e63310db5376f82cdf602cffac69e3dccea986053b5511061d3f1157a8451b98ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wrxuaatupdate-kmv.exe

Filesize
5.1MB

MD5
548b3c083dc843150679970cb38d6144

SHA1
a27b8bf86f4d79d4317d0096412ef2cca585e431

SHA256
57c94104863dae72ca86c7e0e177b8197b782ce729a1314a7791a4070748a3d5

SHA512
4860fc8085aa4663c0ec69648cfe482642403faa30aa0571fc218ebec42b18a40ee9e3e3dbe877d62c8215b82ddb11fd38975e0ad1f7cd3b907b85cc11d36348

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wrxuaatupdate-kmv.exe

Filesize
5.1MB

MD5
548b3c083dc843150679970cb38d6144

SHA1
a27b8bf86f4d79d4317d0096412ef2cca585e431

SHA256
57c94104863dae72ca86c7e0e177b8197b782ce729a1314a7791a4070748a3d5

SHA512
4860fc8085aa4663c0ec69648cfe482642403faa30aa0571fc218ebec42b18a40ee9e3e3dbe877d62c8215b82ddb11fd38975e0ad1f7cd3b907b85cc11d36348

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wuoudwmrceeq.exe

Filesize
5.1MB

MD5
8815a29ce59d4e7ccea1f7a435099d66

SHA1
311d2e465af8ca22fde5346b29a01df8a9ed9309

SHA256
cb06dd10055a21e1dd9c499ad654da3607907af831a2f2fee6dde45027cbd3de

SHA512
26ccf1953ce5582b8f6b396fd53d78f6b52fff45472f0b3efc47d6c95e89355c167cc7eb39861c6233f8e4988271572387cd4299b26521dd675d82c35f646081

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wuoudwmrceeq.exe

Filesize
5.1MB

MD5
8815a29ce59d4e7ccea1f7a435099d66

SHA1
311d2e465af8ca22fde5346b29a01df8a9ed9309

SHA256
cb06dd10055a21e1dd9c499ad654da3607907af831a2f2fee6dde45027cbd3de

SHA512
26ccf1953ce5582b8f6b396fd53d78f6b52fff45472f0b3efc47d6c95e89355c167cc7eb39861c6233f8e4988271572387cd4299b26521dd675d82c35f646081

Download Submit
memory/220-176-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/220-163-0x00000266D9030000-0x00000266D9540000-memory.dmp

Filesize
5.1MB

Download
memory/220-164-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/220-171-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/372-137-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/372-134-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/372-136-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1844-177-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1844-174-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1964-147-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1964-159-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1964-150-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1972-167-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1972-173-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/1972-172-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2680-156-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2680-157-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2680-158-0x000000000868A000-0x000000000868F000-memory.dmp

Filesize
20KB

Download
memory/3364-141-0x0000017A079E0000-0x0000017A07EF0000-memory.dmp

Filesize
5.1MB

Download
memory/3364-170-0x00007FFFD0270000-0x00007FFFD0465000-memory.dmp

Filesize
2.0MB

Download
memory/3364-142-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3364-149-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/3364-168-0x00007FFFD0270000-0x00007FFFD0465000-memory.dmp

Filesize
2.0MB

Download
memory/4540-148-0x00007FFFD0270000-0x00007FFFD0465000-memory.dmp

Filesize
2.0MB

Download
memory/4540-155-0x00007FFFD0270000-0x00007FFFD0465000-memory.dmp

Filesize
2.0MB

Download
memory/4540-146-0x00007FFFD0270000-0x00007FFFD0465000-memory.dmp

Filesize
2.0MB

Download
memory/4540-151-0x00007FFFD0270000-0x00007FFFD0465000-memory.dmp

Filesize
2.0MB

Download
memory/4540-130-0x000002330A0E0000-0x000002330AFF0000-memory.dmp

Filesize
15.1MB

Download
memory/4540-154-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4540-135-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4540-132-0x0000023328970000-0x0000023328992000-memory.dmp

Filesize
136KB

Download
memory/4540-131-0x00007FFFB2300000-0x00007FFFB2DC1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing