2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9

General

Target

2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
Size

668KB
MD5

897f3c7d741c4d5c7fc96f322a6f5a6a
SHA1

9738e0d5982f1a2255d7a72dc580bc85c554569e
SHA256

2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9
SHA512

30c433ff994848289cac9f500b7428b1bc06b119fb3260b0f48e5de0f2f841275ffbfab978d947b23f050acad647dd01925c33ddca9c2fa80cc9d9e50cb0c620

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4288	RE.exe
2276	RE.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
File opened for modification	C:\Windows\win.ini	RE.exe
File opened for modification	C:\Windows\win.ini	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
448	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
1108	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
4288	RE.exe
2276	RE.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 1108	448	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe	80
PID 448 wrote to memory of 1108	448	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe	80
PID 448 wrote to memory of 1108	448	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe	80
PID 1108 wrote to memory of 4288	1108	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe	81
PID 1108 wrote to memory of 4288	1108	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe	81
PID 1108 wrote to memory of 4288	1108	2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe	81
PID 4288 wrote to memory of 2276	4288	RE.exe	82
PID 4288 wrote to memory of 2276	4288	RE.exe	82
PID 4288 wrote to memory of 2276	4288	RE.exe	82

C:\Users\Admin\AppData\Local\Temp\2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
"C:\Users\Admin\AppData\Local\Temp\2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe
  "C:\Users\Admin\AppData\Local\Temp\2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\RE.exe
    "C:\Users\Admin\AppData\Local\Temp\RE.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Users\Admin\AppData\Local\Temp\RE.exe
      "C:\Users\Admin\AppData\Local\Temp\RE.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.exe

Filesize
668KB

MD5
a85d322ed1f218ec54a4ef535e21e252

SHA1
1de64fced9d1c5a395123fc0bf638876647b05a7

SHA256
2ad07d0a5ba265081bf61fe18f9d38b3c22b3b00dbe62541d0c145e613536301

SHA512
0fc41797d5d78425298ba8abe546c11104d87a5e66ac2a178f75cbf1c17c2faefe2bdc9141f600d4ba1927f1bf258b74be4f2b20ac94ea398dc5dc8cf9cff2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.exe

Filesize
668KB

MD5
a85d322ed1f218ec54a4ef535e21e252

SHA1
1de64fced9d1c5a395123fc0bf638876647b05a7

SHA256
2ad07d0a5ba265081bf61fe18f9d38b3c22b3b00dbe62541d0c145e613536301

SHA512
0fc41797d5d78425298ba8abe546c11104d87a5e66ac2a178f75cbf1c17c2faefe2bdc9141f600d4ba1927f1bf258b74be4f2b20ac94ea398dc5dc8cf9cff2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.exe

Filesize
668KB

MD5
a85d322ed1f218ec54a4ef535e21e252

SHA1
1de64fced9d1c5a395123fc0bf638876647b05a7

SHA256
2ad07d0a5ba265081bf61fe18f9d38b3c22b3b00dbe62541d0c145e613536301

SHA512
0fc41797d5d78425298ba8abe546c11104d87a5e66ac2a178f75cbf1c17c2faefe2bdc9141f600d4ba1927f1bf258b74be4f2b20ac94ea398dc5dc8cf9cff2aa

Download Submit
C:\Windows\win.ini

Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
C:\Windows\win.ini

Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
memory/448-138-0x0000000077500000-0x00000000776A3000-memory.dmp

Filesize
1.6MB

Download
memory/448-136-0x0000000077500000-0x00000000776A3000-memory.dmp

Filesize
1.6MB

Download
memory/448-135-0x00007FFC747F0000-0x00007FFC749E5000-memory.dmp

Filesize
2.0MB

Download
memory/1108-139-0x0000000077500000-0x00000000776A3000-memory.dmp

Filesize
1.6MB

Download
memory/1108-140-0x0000000077500000-0x00000000776A3000-memory.dmp

Filesize
1.6MB

Download
memory/1108-141-0x00007FFC747F0000-0x00007FFC749E5000-memory.dmp

Filesize
2.0MB

Download
memory/1108-145-0x0000000077500000-0x00000000776A3000-memory.dmp

Filesize
1.6MB

Download
memory/4288-153-0x00007FFC747F0000-0x00007FFC749E5000-memory.dmp

Filesize
2.0MB

Download
memory/4288-154-0x0000000077500000-0x00000000776A3000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing