aba96ef4c1eff287485d1267211fdcccbd345cd221b8df9b02a5a31212873c84

General

Target

aba96ef4c1eff287485d1267211fdcccbd345cd221b8df9b02a5a31212873c84.exe
Size

1.9MB
MD5

8fcb6c71b701108f369a9d5e0f04019c
SHA1

589f090b1794dc04b5da625d022f391d508bf147
SHA256

aba96ef4c1eff287485d1267211fdcccbd345cd221b8df9b02a5a31212873c84
SHA512

5926d40a844935efa265dc9c2e75566f4ddd6af8da92923b2fbc26397e3c71703ad090824021e0ab115f53916e7f5b9bb0a3ea8cf3c0d58ddc8c7d3f88d3cfa8
SSDEEP

49152:tLIY9OVlrSAupNfpOQb656SrP0rgq0VRGvryBDbauAJECeJ/:tdOV5SvLfpOuhSQcUDU/gJECeJ/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1748	111.exe
1012	NetPachisi.exe
1296	111.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	111.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	111.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	aba96ef4c1eff287485d1267211fdcccbd345cd221b8df9b02a5a31212873c84.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4572	1296	WerFault.exe	85

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7CBA76D-D7CB-A76D-D7CB-A76DD7CBA76D}	111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7CBA76D-D7CB-A76D-D7CB-A76DD7CBA76D}\ = "Provides IWpdSerializer helper methods for portable devices drivers"	111.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7CBA76D-D7CB-A76D-D7CB-A76DD7CBA76D}\InprocServer32	111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7CBA76D-D7CB-A76D-D7CB-A76DD7CBA76D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\PortableDeviceTypes.dll"	111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7CBA76D-D7CB-A76D-D7CB-A76DD7CBA76D}\InprocServer32\ThreadingModel = "Both"	111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7CBA76D-D7CB-A76D-D7CB-A76DD7CBA76D}\lzySFpzP = "_YoLQvmCDNaXgnPZlwaQEp@eJMutlagzoBEim}FBCzrf^YyTZlB[QEo\|V{hr{WQ\|BGPGXpRxxCF[byfI^[~tdBbj{`"	111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7CBA76D-D7CB-A76D-D7CB-A76DD7CBA76D}\lzySFpzP = "_YoLQvmCDNaXgnPZlwaQEp@eJMutlagzoBEim}FBCzrj^YyTZnnsNVg`Wz\\v{WQaCHdBq^eGOYVHcTNKa{mHGAscg]F}mtt"	111.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1296	111.exe
Token: SeIncBasePriorityPrivilege	1296	111.exe
Token: 33	1296	111.exe
Token: SeIncBasePriorityPrivilege	1296	111.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1012	NetPachisi.exe
1296	111.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 1748	2868	aba96ef4c1eff287485d1267211fdcccbd345cd221b8df9b02a5a31212873c84.exe	83
PID 2868 wrote to memory of 1748	2868	aba96ef4c1eff287485d1267211fdcccbd345cd221b8df9b02a5a31212873c84.exe	83
PID 2868 wrote to memory of 1748	2868	aba96ef4c1eff287485d1267211fdcccbd345cd221b8df9b02a5a31212873c84.exe	83
PID 2868 wrote to memory of 1012	2868	aba96ef4c1eff287485d1267211fdcccbd345cd221b8df9b02a5a31212873c84.exe	84
PID 2868 wrote to memory of 1012	2868	aba96ef4c1eff287485d1267211fdcccbd345cd221b8df9b02a5a31212873c84.exe	84
PID 2868 wrote to memory of 1012	2868	aba96ef4c1eff287485d1267211fdcccbd345cd221b8df9b02a5a31212873c84.exe	84
PID 1748 wrote to memory of 1296	1748	111.exe	85
PID 1748 wrote to memory of 1296	1748	111.exe	85
PID 1748 wrote to memory of 1296	1748	111.exe	85
PID 1748 wrote to memory of 1296	1748	111.exe	85
PID 1748 wrote to memory of 1296	1748	111.exe	85
PID 1748 wrote to memory of 1296	1748	111.exe	85
PID 1748 wrote to memory of 1296	1748	111.exe	85
PID 1748 wrote to memory of 1296	1748	111.exe	85

C:\Users\Admin\AppData\Local\Temp\aba96ef4c1eff287485d1267211fdcccbd345cd221b8df9b02a5a31212873c84.exe
"C:\Users\Admin\AppData\Local\Temp\aba96ef4c1eff287485d1267211fdcccbd345cd221b8df9b02a5a31212873c84.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\111.exe
  "C:\Users\Admin\AppData\Local\Temp\111.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\111.exe
    "C:\Users\Admin\AppData\Local\Temp\111.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 900
      4⤵
      Program crash
      PID:4572
- C:\Users\Admin\AppData\Local\Temp\NetPachisi.exe
  "C:\Users\Admin\AppData\Local\Temp\NetPachisi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1296 -ip 1296
1⤵
PID:2364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\111.exe

Filesize
1.2MB

MD5
793868e7f3fd47ecb67638e2d764f600

SHA1
01489ffb5977c0b547f9020468b921828c7a1e1e

SHA256
315ac8e4b38bebb20f89d3cfbe52449f23653d5c0dffcd1fc76ad973c6724089

SHA512
33721d9c56d7f0f37fc1d443474c59921d5c50813e9b3341d6ecd3140b2d1f8a74db54a280aed475fbd8b27cb45f6de0301fbd9fcb7d9a5618fcf299951c0a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\111.exe

Filesize
1.2MB

MD5
793868e7f3fd47ecb67638e2d764f600

SHA1
01489ffb5977c0b547f9020468b921828c7a1e1e

SHA256
315ac8e4b38bebb20f89d3cfbe52449f23653d5c0dffcd1fc76ad973c6724089

SHA512
33721d9c56d7f0f37fc1d443474c59921d5c50813e9b3341d6ecd3140b2d1f8a74db54a280aed475fbd8b27cb45f6de0301fbd9fcb7d9a5618fcf299951c0a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\111.exe

Filesize
1.2MB

MD5
793868e7f3fd47ecb67638e2d764f600

SHA1
01489ffb5977c0b547f9020468b921828c7a1e1e

SHA256
315ac8e4b38bebb20f89d3cfbe52449f23653d5c0dffcd1fc76ad973c6724089

SHA512
33721d9c56d7f0f37fc1d443474c59921d5c50813e9b3341d6ecd3140b2d1f8a74db54a280aed475fbd8b27cb45f6de0301fbd9fcb7d9a5618fcf299951c0a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\NetPachisi.exe

Filesize
952KB

MD5
9f82f07d412d2749b03c5ce5c4bc5308

SHA1
8be350216219b1648d4c9ba2a19512e788a2383f

SHA256
c15d64ecb52fb9abcbef7a1870ab2d4dbbc3b01bfa2f54d5c141b7c6c7ca1937

SHA512
28c5411ea018cdfc911cd5c33a0552e5a5530d8bd51e1360eba2d7cf5e4d249e668ccf4012f6469e57c07ea445257cc595db1c1eda803b2cc5a6b4aa65d78285

Download Submit
C:\Users\Admin\AppData\Local\Temp\NetPachisi.exe

Filesize
952KB

MD5
9f82f07d412d2749b03c5ce5c4bc5308

SHA1
8be350216219b1648d4c9ba2a19512e788a2383f

SHA256
c15d64ecb52fb9abcbef7a1870ab2d4dbbc3b01bfa2f54d5c141b7c6c7ca1937

SHA512
28c5411ea018cdfc911cd5c33a0552e5a5530d8bd51e1360eba2d7cf5e4d249e668ccf4012f6469e57c07ea445257cc595db1c1eda803b2cc5a6b4aa65d78285

Download Submit
memory/1012-136-0x0000000000000000-mapping.dmp

Download
memory/1296-150-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1296-156-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1296-160-0x000000000040B000-0x000000000040C000-memory.dmp

Filesize
4KB

Download
memory/1296-145-0x00000000005C0000-0x0000000000609000-memory.dmp

Filesize
292KB

Download
memory/1296-158-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/1296-151-0x00000000005C1000-0x00000000005F0000-memory.dmp

Filesize
188KB

Download
memory/1296-152-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1296-153-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/1296-154-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1296-155-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1296-142-0x0000000000000000-mapping.dmp

Download
memory/1748-132-0x0000000000000000-mapping.dmp

Download
memory/1748-135-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1748-161-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads