98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79

General

Target

98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe
Size

20KB
MD5

29bdeda415f10921646464768c72c009
SHA1

47a15db8eba3f8dec439f8ec430e869ca4731e04
SHA256

98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79
SHA512

418d666dc5f4dd571d713c5494f627620ad1e4ada20b68915872d3e3a5cfbba7e5fbfc74976151c4334c4d27208a9a51440aaf16f635471d3df70cf3c4b8ea6b
SSDEEP

384:DBNHCOqmHMyD6XTHfz0lv30PNApPAyuOgsnR+HLE4GebEmimTHDun:DDiOqZy2XT/QJ0PNer4GegmDfun

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4444	BAA.exe
4856	BBB.exe
1268	AAA.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	BAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	BBB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	BAA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	BBB.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5104	98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe
4444	BAA.exe
4856	BBB.exe
1268	AAA.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 4444	5104	98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe	79
PID 5104 wrote to memory of 4444	5104	98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe	79
PID 5104 wrote to memory of 4444	5104	98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe	79
PID 4444 wrote to memory of 4856	4444	BAA.exe	80
PID 4444 wrote to memory of 4856	4444	BAA.exe	80
PID 4444 wrote to memory of 4856	4444	BAA.exe	80
PID 4856 wrote to memory of 1268	4856	BBB.exe	81
PID 4856 wrote to memory of 1268	4856	BBB.exe	81
PID 4856 wrote to memory of 1268	4856	BBB.exe	81

C:\Users\Admin\AppData\Local\Temp\98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe
"C:\Users\Admin\AppData\Local\Temp\98cfcd33db1fd838f6dbaa818a3a8a5825a2ad0bf9d7783a7a2d86e54cb5ec79.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\BAA.exe
  "C:\Users\Admin\AppData\Local\Temp\BAA.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\BBB.exe
    "C:\Users\Admin\AppData\Local\Temp\BBB.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Users\Admin\AppData\Local\Temp\AAA.exe
      "C:\Users\Admin\AppData\Local\Temp\AAA.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AAA.exe

Filesize
20KB

MD5
ca4c9143e1fbfcba0319f2a95d8def71

SHA1
4ee82aff1cc19d7db08b26c611392998b4fe7c8d

SHA256
efacd53902bf48368b2a29b2b9c2a1bfb815fd7fe2a188fc27f2b6083fc71ae8

SHA512
c84d707f56ed2f34fd82245dc8353d1ade324ec28f36ec32deb31043fffca183ead56d57f140b2eb4b56a283fd7920ca4243f6cb5283f30278e5fccc63962183

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAA.exe

Filesize
20KB

MD5
ca4c9143e1fbfcba0319f2a95d8def71

SHA1
4ee82aff1cc19d7db08b26c611392998b4fe7c8d

SHA256
efacd53902bf48368b2a29b2b9c2a1bfb815fd7fe2a188fc27f2b6083fc71ae8

SHA512
c84d707f56ed2f34fd82245dc8353d1ade324ec28f36ec32deb31043fffca183ead56d57f140b2eb4b56a283fd7920ca4243f6cb5283f30278e5fccc63962183

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAA.exe

Filesize
20KB

MD5
1147ba533cb38e7b9a0b0117df1926d7

SHA1
aeb5957af81452b0f10eb679c8f3f06ecb297ac9

SHA256
87435b93e8ae8b4713a3596027797e6ab7bc7541be7ab38c0639ef6a5ab22a8f

SHA512
f2f555cb809b12dc9a195356228bbe2a2a306d1f8bc82e6c68e051f1588be15e2826e23c4b07da2730e27c38cd2c5d23ab4f1807a0ba020486557aaa1e19ba1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAA.exe

Filesize
20KB

MD5
1147ba533cb38e7b9a0b0117df1926d7

SHA1
aeb5957af81452b0f10eb679c8f3f06ecb297ac9

SHA256
87435b93e8ae8b4713a3596027797e6ab7bc7541be7ab38c0639ef6a5ab22a8f

SHA512
f2f555cb809b12dc9a195356228bbe2a2a306d1f8bc82e6c68e051f1588be15e2826e23c4b07da2730e27c38cd2c5d23ab4f1807a0ba020486557aaa1e19ba1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBB.exe

Filesize
20KB

MD5
9dcb9a446b89714157b7a4c0555aef71

SHA1
093b1a4c8b1bcca1c3bacf697fd1a699fecc6fe9

SHA256
3f2775dcc24a85a8b1d1450b1f2d62976a250b8a921e84b6fc2a1722df5d13e6

SHA512
5522f69464ec0ff8e0f5a1fc6ae3c97ec5ce6aa2b96157c9f3d39b776538a2acec61873b23caf3429f56f11dd92bfe03893d2cd869c4ec358ea21b522c13e29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBB.exe

Filesize
20KB

MD5
9dcb9a446b89714157b7a4c0555aef71

SHA1
093b1a4c8b1bcca1c3bacf697fd1a699fecc6fe9

SHA256
3f2775dcc24a85a8b1d1450b1f2d62976a250b8a921e84b6fc2a1722df5d13e6

SHA512
5522f69464ec0ff8e0f5a1fc6ae3c97ec5ce6aa2b96157c9f3d39b776538a2acec61873b23caf3429f56f11dd92bfe03893d2cd869c4ec358ea21b522c13e29c

Download Submit

Analysis

Sharing