5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75

General

Target

5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
Size

854KB
MD5

7fe3d321806c1604e3e3908538bc8aa6
SHA1

571b55a5a0b478fd635b64bb12b20b64611fb2e3
SHA256

5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75
SHA512

7ad253c5851b689d564808ab39ea5de4919de0721040c3aad7355012e72184c934ec0aa1ac77f10f3fb03277b0f9c2f363cf026932b12798cbb5d017598086b8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1220	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 3536	1808	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2472	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
Token: SeDebugPrivilege	3536	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
Token: SeDebugPrivilege	1220	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 3536	1808	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe	85
PID 1808 wrote to memory of 3536	1808	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe	85
PID 1808 wrote to memory of 3536	1808	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe	85
PID 1808 wrote to memory of 3536	1808	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe	85
PID 1808 wrote to memory of 3536	1808	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe	85
PID 1808 wrote to memory of 3536	1808	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe	85
PID 1808 wrote to memory of 3536	1808	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe	85
PID 1808 wrote to memory of 3536	1808	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe	85
PID 3536 wrote to memory of 1220	3536	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe	93
PID 3536 wrote to memory of 1220	3536	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe	93
PID 3536 wrote to memory of 1220	3536	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe	93
PID 3536 wrote to memory of 3084	3536	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe	94
PID 3536 wrote to memory of 3084	3536	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe	94
PID 3536 wrote to memory of 3084	3536	5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe	94
PID 3084 wrote to memory of 2472	3084	cmd.exe	96
PID 3084 wrote to memory of 2472	3084	cmd.exe	96
PID 3084 wrote to memory of 2472	3084	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
"C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
  "C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe
    "C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:2472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe.log

Filesize
614B

MD5
3d2a3a481b7b5c27d792fa53189326e8

SHA1
2cbfd0dc21266826b3a07f19793fb0ee52115243

SHA256
12391de09526c63e91ad7657387cfe3db9c1ce254fc664cfded3a060455a7d8d

SHA512
3161ac3ade3cdb8c5d7310e587afe6b637b444e9918dea927170cf198eb4e2683059c1291e4690b5caa12ba25725888cf508b41effd814bb9ba21b559b31cf9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe

Filesize
854KB

MD5
7fe3d321806c1604e3e3908538bc8aa6

SHA1
571b55a5a0b478fd635b64bb12b20b64611fb2e3

SHA256
5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75

SHA512
7ad253c5851b689d564808ab39ea5de4919de0721040c3aad7355012e72184c934ec0aa1ac77f10f3fb03277b0f9c2f363cf026932b12798cbb5d017598086b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75\5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75.exe

Filesize
854KB

MD5
7fe3d321806c1604e3e3908538bc8aa6

SHA1
571b55a5a0b478fd635b64bb12b20b64611fb2e3

SHA256
5b0d0354ef4d8d2935ee93a858c3315a5730181775d162375242c5393b739a75

SHA512
7ad253c5851b689d564808ab39ea5de4919de0721040c3aad7355012e72184c934ec0aa1ac77f10f3fb03277b0f9c2f363cf026932b12798cbb5d017598086b8

Download Submit
memory/1220-145-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/1220-144-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/1808-134-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/1808-130-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/1808-131-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3536-136-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3536-135-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3536-133-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3536-142-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing