efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f

General

Target

efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe
Size

1.2MB
MD5

f241c791a6545537abcd28bc8392971c
SHA1

c53d8eaabbafc5bb990242fb97bb3cc4fe30e8ad
SHA256

efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f
SHA512

7c2ce6250b89e8d71f0e795bba67ceb5e8b1034e33365dc9546e8187725cdb236eee788ee544d54261a696a408827d65b2fa38d52625c6795eac02b755503fe3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

frm_assemblerrutinernes.exefrm_assemblerrutinernes.exe

pid process

1828 frm_assemblerrutinernes.exe
1012 frm_assemblerrutinernes.exe

pid	process
1828	frm_assemblerrutinernes.exe
1012	frm_assemblerrutinernes.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe

Drops file in Windows directory 3 IoCs

Processes:

efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exeefa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exefrm_assemblerrutinernes.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe
File opened for modification	C:\Windows\win.ini	efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe
File opened for modification	C:\Windows\win.ini	frm_assemblerrutinernes.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exeefa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exefrm_assemblerrutinernes.exefrm_assemblerrutinernes.exe

pid	process
916	efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe
4972	efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe
1828	frm_assemblerrutinernes.exe
1012	frm_assemblerrutinernes.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exeefa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exefrm_assemblerrutinernes.exe

description	pid	process	target process
PID 916 wrote to memory of 4972	916	efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe	efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe
PID 916 wrote to memory of 4972	916	efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe	efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe
PID 916 wrote to memory of 4972	916	efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe	efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe
PID 4972 wrote to memory of 1828	4972	efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe	frm_assemblerrutinernes.exe
PID 4972 wrote to memory of 1828	4972	efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe	frm_assemblerrutinernes.exe
PID 4972 wrote to memory of 1828	4972	efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe	frm_assemblerrutinernes.exe
PID 1828 wrote to memory of 1012	1828	frm_assemblerrutinernes.exe	frm_assemblerrutinernes.exe
PID 1828 wrote to memory of 1012	1828	frm_assemblerrutinernes.exe	frm_assemblerrutinernes.exe
PID 1828 wrote to memory of 1012	1828	frm_assemblerrutinernes.exe	frm_assemblerrutinernes.exe

C:\Users\Admin\AppData\Local\Temp\efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe
"C:\Users\Admin\AppData\Local\Temp\efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Local\Temp\efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe
"C:\Users\Admin\AppData\Local\Temp\efa98ba251a3da83fa3443007da3f63ee7bec8000bfa20baa45a3be561e8327f.exe"
2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\frm_assemblerrutinernes.exe
"C:\Users\Admin\AppData\Local\Temp\frm_assemblerrutinernes.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\frm_assemblerrutinernes.exe
"C:\Users\Admin\AppData\Local\Temp\frm_assemblerrutinernes.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\frm_assemblerrutinernes.exe
Filesize
1.2MB

MD5
3a49a8f0fb840e53eb1eaeae3bf9d2d0

SHA1
edb9c9f8744fc3f52bddd2956c4381c6708e047d

SHA256
73d374743dcd663cedcb61bb5464a3af25eda3d57b771d3899a1b6f7032fcdd6

SHA512
c1a4e236723f36fd93deced8bec373d2b2ea1ff823a5173d05b103b49c4b929951d959aea31478e2d3374e9d208764ac430bf3aa11f2f081d480104a41c45f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\frm_assemblerrutinernes.exe
Filesize
1.2MB

MD5
3a49a8f0fb840e53eb1eaeae3bf9d2d0

SHA1
edb9c9f8744fc3f52bddd2956c4381c6708e047d

SHA256
73d374743dcd663cedcb61bb5464a3af25eda3d57b771d3899a1b6f7032fcdd6

SHA512
c1a4e236723f36fd93deced8bec373d2b2ea1ff823a5173d05b103b49c4b929951d959aea31478e2d3374e9d208764ac430bf3aa11f2f081d480104a41c45f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\frm_assemblerrutinernes.exe
Filesize
1.2MB

MD5
3a49a8f0fb840e53eb1eaeae3bf9d2d0

SHA1
edb9c9f8744fc3f52bddd2956c4381c6708e047d

SHA256
73d374743dcd663cedcb61bb5464a3af25eda3d57b771d3899a1b6f7032fcdd6

SHA512
c1a4e236723f36fd93deced8bec373d2b2ea1ff823a5173d05b103b49c4b929951d959aea31478e2d3374e9d208764ac430bf3aa11f2f081d480104a41c45f4b

Download Submit
C:\Windows\win.ini
Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
C:\Windows\win.ini
Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
memory/916-140-0x0000000076F40000-0x00000000770E3000-memory.dmp

Filesize
1.6MB

Download
memory/916-134-0x0000000002E00000-0x0000000002F00000-memory.dmp

Filesize
1024KB

Download
memory/916-136-0x0000000076F40000-0x00000000770E3000-memory.dmp

Filesize
1.6MB

Download
memory/916-135-0x00007FFBD5B90000-0x00007FFBD5D85000-memory.dmp

Filesize
2.0MB

Download
memory/1012-152-0x0000000000000000-mapping.dmp

Download
memory/1828-146-0x0000000000000000-mapping.dmp

Download
memory/4972-142-0x00007FFBD5B90000-0x00007FFBD5D85000-memory.dmp

Filesize
2.0MB

Download
memory/4972-143-0x0000000076F41000-0x0000000077061000-memory.dmp

Filesize
1.1MB

Download
memory/4972-144-0x0000000002CA0000-0x0000000002DA0000-memory.dmp

Filesize
1024KB

Download
memory/4972-145-0x0000000002CA0000-0x0000000002DA0000-memory.dmp

Filesize
1024KB

Download
memory/4972-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads