5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132

General

Target

5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe
Size

353KB
MD5

11760101c2a5bda76688e8cfc93697d8
SHA1

23555e126c164e874b6fea7dade52d5df97a5fe1
SHA256

5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132
SHA512

5be75743b383b3eb9de3d5cd9959634bc4dbeaff41821ac12c249b7fc2bd6426b727a53c667a393c862620e770eb9e380169eabe6abee1a07f26d38c03f2ea0a

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

taskmer.exetaskmer.exe

pid process

900 taskmer.exe
4596 taskmer.exe

pid	process
900	taskmer.exe
4596	taskmer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exetaskmer.exe

description	pid	process	target process
PID 4760 set thread context of 2484	4760	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe
PID 900 set thread context of 4596	900	taskmer.exe	taskmer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4692 schtasks.exe

pid	process
4692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

taskmer.exe

pid	process
4596	taskmer.exe
4596	taskmer.exe
4596	taskmer.exe
4596	taskmer.exe
4596	taskmer.exe
4596	taskmer.exe
4596	taskmer.exe
4596	taskmer.exe
4596	taskmer.exe
4596	taskmer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exetaskmer.exe

description	pid	process
Token: SeDebugPrivilege	2484	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe
Token: SeDebugPrivilege	4596	taskmer.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exetaskmer.exe

description	pid	process	target process
PID 4760 wrote to memory of 2484	4760	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe
PID 4760 wrote to memory of 2484	4760	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe
PID 4760 wrote to memory of 2484	4760	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe
PID 4760 wrote to memory of 2484	4760	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe
PID 4760 wrote to memory of 2484	4760	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe
PID 4760 wrote to memory of 2484	4760	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe
PID 4760 wrote to memory of 2484	4760	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe
PID 4760 wrote to memory of 2484	4760	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe
PID 2484 wrote to memory of 4692	2484	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe	schtasks.exe
PID 2484 wrote to memory of 4692	2484	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe	schtasks.exe
PID 2484 wrote to memory of 4692	2484	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe	schtasks.exe
PID 2484 wrote to memory of 900	2484	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe	taskmer.exe
PID 2484 wrote to memory of 900	2484	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe	taskmer.exe
PID 2484 wrote to memory of 900	2484	5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe	taskmer.exe
PID 900 wrote to memory of 4596	900	taskmer.exe	taskmer.exe
PID 900 wrote to memory of 4596	900	taskmer.exe	taskmer.exe
PID 900 wrote to memory of 4596	900	taskmer.exe	taskmer.exe
PID 900 wrote to memory of 4596	900	taskmer.exe	taskmer.exe
PID 900 wrote to memory of 4596	900	taskmer.exe	taskmer.exe
PID 900 wrote to memory of 4596	900	taskmer.exe	taskmer.exe
PID 900 wrote to memory of 4596	900	taskmer.exe	taskmer.exe
PID 900 wrote to memory of 4596	900	taskmer.exe	taskmer.exe

C:\Users\Admin\AppData\Local\Temp\5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe
"C:\Users\Admin\AppData\Local\Temp\5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4760

C:\Users\Admin\AppData\Local\Temp\5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe
"C:\Users\Admin\AppData\Local\Temp\5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /xml "C:\Users\Admin\AppData\Local\Temp\lUz.xml" /tn "taskmer" /f
3⤵
- Creates scheduled task(s)
PID:4692

C:\Users\Admin\AppData\Roaming\A0cIFZEhJ3\taskmer.exe
"C:\Users\Admin\AppData\Roaming\A0cIFZEhJ3\taskmer.exe" C:\Users\Admin\AppData\Local\Temp\5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Roaming\A0cIFZEhJ3\taskmer.exe
"C:\Users\Admin\AppData\Roaming\A0cIFZEhJ3\taskmer.exe" C:\Users\Admin\AppData\Local\Temp\5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132.exe.log

Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\taskmer.exe.log

Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUz.xml

Filesize
1KB

MD5
3204ec54ac81ee3c091f4b0fe196fbc4

SHA1
cf46add0a1fa1b55a977525e65818a5f7f1915e1

SHA256
95d84c2ee3eca6ad852de0968c34779206a03da62493bdc19f3b044557508431

SHA512
94c9a9500739fe9e5f881eb0a63b70cda9854a97135bab33cf9e29171a34577be31ab2bcfa514414834d87bd26659221cfe624562743a5ad0e46d2946b4ab0a1

Download Submit
C:\Users\Admin\AppData\Roaming\A0cIFZEhJ3\taskmer.exe

Filesize
353KB

MD5
11760101c2a5bda76688e8cfc93697d8

SHA1
23555e126c164e874b6fea7dade52d5df97a5fe1

SHA256
5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132

SHA512
5be75743b383b3eb9de3d5cd9959634bc4dbeaff41821ac12c249b7fc2bd6426b727a53c667a393c862620e770eb9e380169eabe6abee1a07f26d38c03f2ea0a

Download Submit
C:\Users\Admin\AppData\Roaming\A0cIFZEhJ3\taskmer.exe

Filesize
353KB

MD5
11760101c2a5bda76688e8cfc93697d8

SHA1
23555e126c164e874b6fea7dade52d5df97a5fe1

SHA256
5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132

SHA512
5be75743b383b3eb9de3d5cd9959634bc4dbeaff41821ac12c249b7fc2bd6426b727a53c667a393c862620e770eb9e380169eabe6abee1a07f26d38c03f2ea0a

Download Submit
C:\Users\Admin\AppData\Roaming\A0cIFZEhJ3\taskmer.exe

Filesize
353KB

MD5
11760101c2a5bda76688e8cfc93697d8

SHA1
23555e126c164e874b6fea7dade52d5df97a5fe1

SHA256
5481f1e3eeaff8ef203ed6e7321636e2bf5e76e2ccc0e89771d500ae1ba05132

SHA512
5be75743b383b3eb9de3d5cd9959634bc4dbeaff41821ac12c249b7fc2bd6426b727a53c667a393c862620e770eb9e380169eabe6abee1a07f26d38c03f2ea0a

Download Submit
memory/900-141-0x0000000000000000-mapping.dmp

Download
memory/900-152-0x0000000000542000-0x0000000000581000-memory.dmp

Filesize
252KB

Download
memory/900-151-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/900-146-0x0000000000542000-0x0000000000581000-memory.dmp

Filesize
252KB

Download
memory/900-145-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/2484-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2484-144-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/2484-133-0x0000000000000000-mapping.dmp

Download
memory/2484-138-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-147-0x0000000000000000-mapping.dmp

Download
memory/4596-153-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-154-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/4596-155-0x0000000000C39000-0x0000000000C3F000-memory.dmp

Filesize
24KB

Download
memory/4692-139-0x0000000000000000-mapping.dmp

Download
memory/4760-131-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/4760-136-0x0000000075220000-0x00000000757D1000-memory.dmp

Filesize
5.7MB

Download
memory/4760-132-0x0000000000711000-0x0000000000750000-memory.dmp

Filesize
252KB

Download
memory/4760-137-0x0000000000711000-0x0000000000750000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads