eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c

General

Target

eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
Size

198KB
MD5

721204e947131cf3c04e506c4ec9dbf2
SHA1

e2e53a822b0731abfd9f8c503e70d62573f7aced
SHA256

eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c
SHA512

5305069b9ba53fdb89487ac4b6f062bbd10f83300e8fd4562a18f140bc11055e960013550055b4e58148339596cc8d849b709e3c0b0ddc830e85d8f3d2405405

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

aQthdNa.exe

pid process

4108 aQthdNa.exe

pid	process
4108	aQthdNa.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exeaQthdNa.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	aQthdNa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exeaQthdNa.exe

pid	process
5092	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
5092	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
5092	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
5092	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
4108	aQthdNa.exe
4108	aQthdNa.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exeaQthdNa.exe

description	pid	process
Token: SeDebugPrivilege	5092	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
Token: SeBackupPrivilege	4108	aQthdNa.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exenet.exenet.exeaQthdNa.exenet.exenet.exe

description	pid	process	target process
PID 5092 wrote to memory of 4108	5092	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	aQthdNa.exe
PID 5092 wrote to memory of 4108	5092	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	aQthdNa.exe
PID 5092 wrote to memory of 2364	5092	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	sihost.exe
PID 5092 wrote to memory of 908	5092	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	net.exe
PID 5092 wrote to memory of 908	5092	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	net.exe
PID 5092 wrote to memory of 3448	5092	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	net.exe
PID 5092 wrote to memory of 3448	5092	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	net.exe
PID 908 wrote to memory of 2236	908	net.exe	net1.exe
PID 908 wrote to memory of 2236	908	net.exe	net1.exe
PID 5092 wrote to memory of 2396	5092	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	svchost.exe
PID 3448 wrote to memory of 2176	3448	net.exe	net1.exe
PID 3448 wrote to memory of 2176	3448	net.exe	net1.exe
PID 5092 wrote to memory of 2648	5092	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	taskhostw.exe
PID 4108 wrote to memory of 3992	4108	aQthdNa.exe	net.exe
PID 4108 wrote to memory of 3992	4108	aQthdNa.exe	net.exe
PID 3992 wrote to memory of 2232	3992	net.exe	net1.exe
PID 3992 wrote to memory of 2232	3992	net.exe	net1.exe
PID 4108 wrote to memory of 4208	4108	aQthdNa.exe	net.exe
PID 4108 wrote to memory of 4208	4108	aQthdNa.exe	net.exe
PID 4208 wrote to memory of 2656	4208	net.exe	net1.exe
PID 4208 wrote to memory of 2656	4208	net.exe	net1.exe
PID 5092 wrote to memory of 3080	5092	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	svchost.exe
PID 5092 wrote to memory of 3248	5092	eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe	DllHost.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2396

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3080

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe
"C:\Users\Admin\AppData\Local\Temp\eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\aQthdNa.exe
  "C:\Users\Admin\AppData\Local\Temp\aQthdNa.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:2232
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:2656
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:2236
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aQthdNa.exe

Filesize
198KB

MD5
721204e947131cf3c04e506c4ec9dbf2

SHA1
e2e53a822b0731abfd9f8c503e70d62573f7aced

SHA256
eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c

SHA512
5305069b9ba53fdb89487ac4b6f062bbd10f83300e8fd4562a18f140bc11055e960013550055b4e58148339596cc8d849b709e3c0b0ddc830e85d8f3d2405405

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQthdNa.exe

Filesize
198KB

MD5
721204e947131cf3c04e506c4ec9dbf2

SHA1
e2e53a822b0731abfd9f8c503e70d62573f7aced

SHA256
eb0106ddaa84ba85fdaba5df923df7ecdc612a90e1268e031923266fa17eef4c

SHA512
5305069b9ba53fdb89487ac4b6f062bbd10f83300e8fd4562a18f140bc11055e960013550055b4e58148339596cc8d849b709e3c0b0ddc830e85d8f3d2405405

Download Submit
memory/908-133-0x0000000000000000-mapping.dmp

Download
memory/2176-137-0x0000000000000000-mapping.dmp

Download
memory/2232-139-0x0000000000000000-mapping.dmp

Download
memory/2236-136-0x0000000000000000-mapping.dmp

Download
memory/2364-134-0x00007FF7EEC80000-0x00007FF7EEF59000-memory.dmp

Filesize
2.8MB

Download
memory/2656-141-0x0000000000000000-mapping.dmp

Download
memory/3448-135-0x0000000000000000-mapping.dmp

Download
memory/3992-138-0x0000000000000000-mapping.dmp

Download
memory/4108-130-0x0000000000000000-mapping.dmp

Download
memory/4208-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads