26d8b87662a550b768641080e8250b5db8cb2838c07e8515ad08d784fb962bbb

General

Target

Install[1432].exe
Size

2.9MB
MD5

efd2ec4b3881fb8c53fc555078071092
SHA1

60c74af1505aa163849521bd28bb64de0cb68cc7
SHA256

26d8b87662a550b768641080e8250b5db8cb2838c07e8515ad08d784fb962bbb
SHA512

18491c0b84307fe6ebeb520ce5595d8b58f573b00da4c82f3fe0aeeeb0ec5fbf51bd7b0b642beed6db71e1ad8bf7cd2e6a8deb91cacafeeca61297a5d1f495dc
SSDEEP

49152:MN8Uh3gzfFzGMttpsYb28mBRz1TirCc6Ao1gAyFhhUDSuXi320vNmvYU8o:M6Uh3gzoMttpsYxmBRz1Taa7ydUU20vg

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3964	LWE.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Install[1432].exe

Loads dropped DLL 2 IoCs

pid	Process
3964	LWE.exe
3964	LWE.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	LWE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LWE Start = "C:\\Windows\\MGQRJU\\LWE.exe"	LWE.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
3964	LWE.exe
3964	LWE.exe
3964	LWE.exe
3964	LWE.exe
3964	LWE.exe
3964	LWE.exe
3964	LWE.exe
3964	LWE.exe
3964	LWE.exe
3964	LWE.exe
3964	LWE.exe
3964	LWE.exe
3964	LWE.exe
3964	LWE.exe
3964	LWE.exe
3964	LWE.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\MGQRJU\LWE.exe	Install[1432].exe
File created	C:\Windows\MGQRJU\LWE.00	Install[1432].exe
File created	C:\Windows\MGQRJU\LWE.01	Install[1432].exe
File created	C:\Windows\MGQRJU\LWE.02	Install[1432].exe
File opened for modification	C:\Windows\MGQRJU\	LWE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3964	LWE.exe
3964	LWE.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3964	LWE.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3964	LWE.exe
3964	LWE.exe
3964	LWE.exe
3964	LWE.exe
3964	LWE.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 3964	1544	Install[1432].exe	75
PID 1544 wrote to memory of 3964	1544	Install[1432].exe	75
PID 1544 wrote to memory of 3964	1544	Install[1432].exe	75

C:\Users\Admin\AppData\Local\Temp\Install[1432].exe
"C:\Users\Admin\AppData\Local\Temp\Install[1432].exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\MGQRJU\LWE.exe
  "C:\Windows\MGQRJU\LWE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MGQRJU\LWE.00

Filesize
1KB

MD5
d21616e9408ddcf44c03ba9e806c6a29

SHA1
6ad5e80d88fac7993c5115d430c8bdf6e61f7e11

SHA256
cd7ed3794650ab4e599d614eb8608cde8802213472d464ebdfb60f29b5d24788

SHA512
149704e346f697b0b7023fdccd6c077f192f6dbca8c918f2bc8c2bf481eb063706a6d57f642dbbabc352d93135ec3624c861bd444241f5645d129f7bcb2a0b1e

Download Submit
C:\Windows\MGQRJU\LWE.01

Filesize
79KB

MD5
2d3d2d84ad552e325b9fc05088717816

SHA1
77dc93e499e89fc37c53d7d3a3004e7b7bd16567

SHA256
e638b13e4020b3679e9fa140867c8709481da2fe355577c09be548a59b936358

SHA512
4e63941c1e7474e55fecd2901c30916bbb95531996bf912b883ff72f70d9c34bc6abb58fba3166997b2156db73874d4280f873f4f2e54273af43a3ba1dfd3f79

Download Submit
C:\Windows\MGQRJU\LWE.01

Filesize
79KB

MD5
2d3d2d84ad552e325b9fc05088717816

SHA1
77dc93e499e89fc37c53d7d3a3004e7b7bd16567

SHA256
e638b13e4020b3679e9fa140867c8709481da2fe355577c09be548a59b936358

SHA512
4e63941c1e7474e55fecd2901c30916bbb95531996bf912b883ff72f70d9c34bc6abb58fba3166997b2156db73874d4280f873f4f2e54273af43a3ba1dfd3f79

Download Submit
C:\Windows\MGQRJU\LWE.01

Filesize
79KB

MD5
2d3d2d84ad552e325b9fc05088717816

SHA1
77dc93e499e89fc37c53d7d3a3004e7b7bd16567

SHA256
e638b13e4020b3679e9fa140867c8709481da2fe355577c09be548a59b936358

SHA512
4e63941c1e7474e55fecd2901c30916bbb95531996bf912b883ff72f70d9c34bc6abb58fba3166997b2156db73874d4280f873f4f2e54273af43a3ba1dfd3f79

Download Submit
C:\Windows\MGQRJU\LWE.exe

Filesize
2.5MB

MD5
9434103fbb76b606043e6466a28980ce

SHA1
fc9937bc4eda1d33804d58b93987b9cd14ea3800

SHA256
3880a825985f17ddcc481e54c864413e971cc3349081d1b20064fed33056a22b

SHA512
be6f6e1209eecc7aec7387819a4b5701e5cc60a9dda2c1c869e9f48217b4717c6ce772b3809b493c590b663d204a0d89f4b512c44ccbe93e2f90c226b6091ffc

Download Submit
C:\Windows\MGQRJU\LWE.exe

Filesize
2.5MB

MD5
9434103fbb76b606043e6466a28980ce

SHA1
fc9937bc4eda1d33804d58b93987b9cd14ea3800

SHA256
3880a825985f17ddcc481e54c864413e971cc3349081d1b20064fed33056a22b

SHA512
be6f6e1209eecc7aec7387819a4b5701e5cc60a9dda2c1c869e9f48217b4717c6ce772b3809b493c590b663d204a0d89f4b512c44ccbe93e2f90c226b6091ffc

Download Submit
memory/1544-137-0x0000000000150000-0x0000000000446000-memory.dmp

Filesize
3.0MB

Download
memory/1544-132-0x0000000000150000-0x0000000000446000-memory.dmp

Filesize
3.0MB

Download
memory/3964-145-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/3964-143-0x0000000004B71000-0x0000000004B80000-memory.dmp

Filesize
60KB

Download
memory/3964-136-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/3964-144-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/3964-142-0x0000000004B70000-0x0000000004B89000-memory.dmp

Filesize
100KB

Download
memory/3964-146-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/3964-147-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/3964-148-0x0000000004B70000-0x0000000004B89000-memory.dmp

Filesize
100KB

Download
memory/3964-149-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/3964-150-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/3964-151-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download

Analysis

Sharing