da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5

General

Target

44e407b3de4a9865ab747bdca810b0b9.exe
Size

606KB
MD5

44e407b3de4a9865ab747bdca810b0b9
SHA1

6eb199e6837432d8acb98c03b22277f340726372
SHA256

da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5
SHA512

db8e1652a6e8d90450114641f3573b9423bce4c27c237af49a59dc44acf929580cdf59e5c216391ef87c27c52fc610653d19bce2d1507e4d8f310b7d6dee8a4b

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

44e407b3de4a9865ab747bdca810b0b9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	44e407b3de4a9865ab747bdca810b0b9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3988 schtasks.exe

pid	process
3988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

44e407b3de4a9865ab747bdca810b0b9.exepowershell.exe

pid	process
1352	44e407b3de4a9865ab747bdca810b0b9.exe
1352	44e407b3de4a9865ab747bdca810b0b9.exe
1352	44e407b3de4a9865ab747bdca810b0b9.exe
1352	44e407b3de4a9865ab747bdca810b0b9.exe
1352	44e407b3de4a9865ab747bdca810b0b9.exe
1352	44e407b3de4a9865ab747bdca810b0b9.exe
1352	44e407b3de4a9865ab747bdca810b0b9.exe
3932	powershell.exe
1352	44e407b3de4a9865ab747bdca810b0b9.exe
1352	44e407b3de4a9865ab747bdca810b0b9.exe
1352	44e407b3de4a9865ab747bdca810b0b9.exe
3932	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

44e407b3de4a9865ab747bdca810b0b9.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1352 44e407b3de4a9865ab747bdca810b0b9.exe
Token: SeDebugPrivilege 3932 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1352	44e407b3de4a9865ab747bdca810b0b9.exe
Token: SeDebugPrivilege	3932	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

44e407b3de4a9865ab747bdca810b0b9.exe

C:\Users\Admin\AppData\Local\Temp\44e407b3de4a9865ab747bdca810b0b9.exe
"C:\Users\Admin\AppData\Local\Temp\44e407b3de4a9865ab747bdca810b0b9.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RhFYnHFgJ.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RhFYnHFgJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4E7E.tmp"
2⤵
- Creates scheduled task(s)
PID:3988

C:\Users\Admin\AppData\Local\Temp\44e407b3de4a9865ab747bdca810b0b9.exe
"C:\Users\Admin\AppData\Local\Temp\44e407b3de4a9865ab747bdca810b0b9.exe"
2⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\44e407b3de4a9865ab747bdca810b0b9.exe
"C:\Users\Admin\AppData\Local\Temp\44e407b3de4a9865ab747bdca810b0b9.exe"
2⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\44e407b3de4a9865ab747bdca810b0b9.exe
"C:\Users\Admin\AppData\Local\Temp\44e407b3de4a9865ab747bdca810b0b9.exe"
2⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\44e407b3de4a9865ab747bdca810b0b9.exe
"C:\Users\Admin\AppData\Local\Temp\44e407b3de4a9865ab747bdca810b0b9.exe"
2⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\44e407b3de4a9865ab747bdca810b0b9.exe
"C:\Users\Admin\AppData\Local\Temp\44e407b3de4a9865ab747bdca810b0b9.exe"
2⤵
PID:3972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4E7E.tmp
Filesize
1KB

MD5
450c21e6372482b8a6105b10a0f2e3ee

SHA1
98bd581bb9348368d8fd9e1919914df1a93fee50

SHA256
877e64554eb01ac849091ab51d3f3cb708f3ddc69fc5aebce5f1eee2beaa43c8

SHA512
9f57f8db0684e13f5d00c8727b196c4719673e396d1aeaac143b4916280c1b8201d44bbb4a36f2acd5afab55f72981cb37e16cc84aee11a211b12546a87f9833

Download Submit
memory/1184-143-0x0000000000000000-mapping.dmp

Download
memory/1352-131-0x0000000004F20000-0x00000000054C4000-memory.dmp

Filesize
5.6MB

Download
memory/1352-132-0x0000000004A60000-0x0000000004AF2000-memory.dmp

Filesize
584KB

Download
memory/1352-133-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

Filesize
40KB

Download
memory/1352-134-0x000000000ADF0000-0x000000000AE8C000-memory.dmp

Filesize
624KB

Download
memory/1352-135-0x000000000AEE0000-0x000000000AF46000-memory.dmp

Filesize
408KB

Download
memory/1352-130-0x0000000000030000-0x00000000000CE000-memory.dmp

Filesize
632KB

Download
memory/1568-142-0x0000000000000000-mapping.dmp

Download
memory/2876-144-0x0000000000000000-mapping.dmp

Download
memory/3932-150-0x0000000075660000-0x00000000756AC000-memory.dmp

Filesize
304KB

Download
memory/3932-153-0x0000000006E90000-0x0000000006EAA000-memory.dmp

Filesize
104KB

Download
memory/3932-140-0x0000000004F10000-0x0000000005538000-memory.dmp

Filesize
6.2MB

Download
memory/3932-138-0x0000000002290000-0x00000000022C6000-memory.dmp

Filesize
216KB

Download
memory/3932-158-0x00000000071B0000-0x00000000071B8000-memory.dmp

Filesize
32KB

Download
memory/3932-157-0x00000000071D0000-0x00000000071EA000-memory.dmp

Filesize
104KB

Download
memory/3932-146-0x0000000004DC0000-0x0000000004DE2000-memory.dmp

Filesize
136KB

Download
memory/3932-147-0x0000000004E60000-0x0000000004EC6000-memory.dmp

Filesize
408KB

Download
memory/3932-148-0x0000000005B80000-0x0000000005B9E000-memory.dmp

Filesize
120KB

Download
memory/3932-149-0x0000000006150000-0x0000000006182000-memory.dmp

Filesize
200KB

Download
memory/3932-151-0x0000000006B40000-0x0000000006B5E000-memory.dmp

Filesize
120KB

Download
memory/3932-136-0x0000000000000000-mapping.dmp

Download
memory/3932-152-0x00000000074D0000-0x0000000007B4A000-memory.dmp

Filesize
6.5MB

Download
memory/3932-156-0x00000000070C0000-0x00000000070CE000-memory.dmp

Filesize
56KB

Download
memory/3932-154-0x0000000006F00000-0x0000000006F0A000-memory.dmp

Filesize
40KB

Download
memory/3932-155-0x0000000007110000-0x00000000071A6000-memory.dmp

Filesize
600KB

Download
memory/3972-145-0x0000000000000000-mapping.dmp

Download
memory/3988-137-0x0000000000000000-mapping.dmp

Download
memory/4324-141-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1352 wrote to memory of 3932	1352	44e407b3de4a9865ab747bdca810b0b9.exe	powershell.exe
PID 1352 wrote to memory of 3932	1352	44e407b3de4a9865ab747bdca810b0b9.exe	powershell.exe
PID 1352 wrote to memory of 3932	1352	44e407b3de4a9865ab747bdca810b0b9.exe	powershell.exe
PID 1352 wrote to memory of 3988	1352	44e407b3de4a9865ab747bdca810b0b9.exe	schtasks.exe
PID 1352 wrote to memory of 3988	1352	44e407b3de4a9865ab747bdca810b0b9.exe	schtasks.exe
PID 1352 wrote to memory of 3988	1352	44e407b3de4a9865ab747bdca810b0b9.exe	schtasks.exe
PID 1352 wrote to memory of 4324	1352	44e407b3de4a9865ab747bdca810b0b9.exe	44e407b3de4a9865ab747bdca810b0b9.exe
PID 1352 wrote to memory of 4324	1352	44e407b3de4a9865ab747bdca810b0b9.exe	44e407b3de4a9865ab747bdca810b0b9.exe
PID 1352 wrote to memory of 4324	1352	44e407b3de4a9865ab747bdca810b0b9.exe	44e407b3de4a9865ab747bdca810b0b9.exe
PID 1352 wrote to memory of 1568	1352	44e407b3de4a9865ab747bdca810b0b9.exe	44e407b3de4a9865ab747bdca810b0b9.exe
PID 1352 wrote to memory of 1568	1352	44e407b3de4a9865ab747bdca810b0b9.exe	44e407b3de4a9865ab747bdca810b0b9.exe
PID 1352 wrote to memory of 1568	1352	44e407b3de4a9865ab747bdca810b0b9.exe	44e407b3de4a9865ab747bdca810b0b9.exe
PID 1352 wrote to memory of 1184	1352	44e407b3de4a9865ab747bdca810b0b9.exe	44e407b3de4a9865ab747bdca810b0b9.exe
PID 1352 wrote to memory of 1184	1352	44e407b3de4a9865ab747bdca810b0b9.exe	44e407b3de4a9865ab747bdca810b0b9.exe
PID 1352 wrote to memory of 1184	1352	44e407b3de4a9865ab747bdca810b0b9.exe	44e407b3de4a9865ab747bdca810b0b9.exe
PID 1352 wrote to memory of 2876	1352	44e407b3de4a9865ab747bdca810b0b9.exe	44e407b3de4a9865ab747bdca810b0b9.exe
PID 1352 wrote to memory of 2876	1352	44e407b3de4a9865ab747bdca810b0b9.exe	44e407b3de4a9865ab747bdca810b0b9.exe
PID 1352 wrote to memory of 2876	1352	44e407b3de4a9865ab747bdca810b0b9.exe	44e407b3de4a9865ab747bdca810b0b9.exe
PID 1352 wrote to memory of 3972	1352	44e407b3de4a9865ab747bdca810b0b9.exe	44e407b3de4a9865ab747bdca810b0b9.exe
PID 1352 wrote to memory of 3972	1352	44e407b3de4a9865ab747bdca810b0b9.exe	44e407b3de4a9865ab747bdca810b0b9.exe
PID 1352 wrote to memory of 3972	1352	44e407b3de4a9865ab747bdca810b0b9.exe	44e407b3de4a9865ab747bdca810b0b9.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads