87fdf41f3af47dc20348fe21148546a943111c455ffb9a8cd73b1beb77513ce4

General

Target

e-Belge1.exe
Size

1.1MB
MD5

93806db4549578ef1cb21b7f688798b2
SHA1

12e313f0998ab9010ca7e23f85da6f98f8b02030
SHA256

87fdf41f3af47dc20348fe21148546a943111c455ffb9a8cd73b1beb77513ce4
SHA512

443c96b19426abde09f5f7006c77cc3ac5660200d0480eca898e724e27d2d03771774eab318f294295165bbb4d72cd43a5fc748af0f92371e865f5108f48d8da
SSDEEP

24576:UAOcZXcxP6+jn2sKlQT/zeRoCR3lBR4YaGAuvZG31RMaas/xqY:CHUez8bkQA3XM9c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tjlxrq.pif

pid process

2040 tjlxrq.pif
Loads dropped DLL 4 IoCs

Processes:

e-Belge1.exe

pid process

1740 e-Belge1.exe
1740 e-Belge1.exe
1740 e-Belge1.exe
1740 e-Belge1.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

tjlxrq.pif

description pid process target process

PID 2040 set thread context of 584 2040 tjlxrq.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2040	tjlxrq.pif

pid	process
1740	e-Belge1.exe
1740	e-Belge1.exe
1740	e-Belge1.exe
1740	e-Belge1.exe

description	pid	process	target process
PID 2040 set thread context of 584	2040	tjlxrq.pif	RegSvcs.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

e-Belge1.exetjlxrq.pif

description	pid	process	target process
PID 1740 wrote to memory of 2040	1740	e-Belge1.exe	tjlxrq.pif
PID 1740 wrote to memory of 2040	1740	e-Belge1.exe	tjlxrq.pif
PID 1740 wrote to memory of 2040	1740	e-Belge1.exe	tjlxrq.pif
PID 1740 wrote to memory of 2040	1740	e-Belge1.exe	tjlxrq.pif
PID 1740 wrote to memory of 2040	1740	e-Belge1.exe	tjlxrq.pif
PID 1740 wrote to memory of 2040	1740	e-Belge1.exe	tjlxrq.pif
PID 1740 wrote to memory of 2040	1740	e-Belge1.exe	tjlxrq.pif
PID 2040 wrote to memory of 856	2040	tjlxrq.pif	RegSvcs.exe
PID 2040 wrote to memory of 856	2040	tjlxrq.pif	RegSvcs.exe
PID 2040 wrote to memory of 856	2040	tjlxrq.pif	RegSvcs.exe
PID 2040 wrote to memory of 856	2040	tjlxrq.pif	RegSvcs.exe
PID 2040 wrote to memory of 856	2040	tjlxrq.pif	RegSvcs.exe
PID 2040 wrote to memory of 856	2040	tjlxrq.pif	RegSvcs.exe
PID 2040 wrote to memory of 856	2040	tjlxrq.pif	RegSvcs.exe
PID 2040 wrote to memory of 584	2040	tjlxrq.pif	RegSvcs.exe
PID 2040 wrote to memory of 584	2040	tjlxrq.pif	RegSvcs.exe
PID 2040 wrote to memory of 584	2040	tjlxrq.pif	RegSvcs.exe
PID 2040 wrote to memory of 584	2040	tjlxrq.pif	RegSvcs.exe
PID 2040 wrote to memory of 584	2040	tjlxrq.pif	RegSvcs.exe
PID 2040 wrote to memory of 584	2040	tjlxrq.pif	RegSvcs.exe
PID 2040 wrote to memory of 584	2040	tjlxrq.pif	RegSvcs.exe
PID 2040 wrote to memory of 584	2040	tjlxrq.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\e-Belge1.exe
"C:\Users\Admin\AppData\Local\Temp\e-Belge1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Roaming\5_17\tjlxrq.pif
"C:\Users\Admin\AppData\Roaming\5_17\tjlxrq.pif" xeaawehrpe.sbo
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:584

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5_17\ibkondar.cpl
Filesize
38KB

MD5
1c18f14fdd445534f700057f9f26882c

SHA1
d9d3d3ea982acaa128cf964378dfac65f09a09b0

SHA256
11a9097e0c6e23299763487ff98036f0a6a9ec706344ce22962ab7f350141165

SHA512
54db999e73eb51ce2bd2cebbfed22fcc8b88c42ddf15f5569737e7706896cdedfee4996c5d30921a424b59873b42b461dd740d8667d848b63e00e6bf899f2184

Download Submit
C:\Users\Admin\AppData\Roaming\5_17\tjlxrq.pif
Filesize
794KB

MD5
18e404787e9c044105f5c4bec4600bd8

SHA1
9f1015bd7f33a6f3c1cc12c0971f51b1adee1939

SHA256
e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12

SHA512
c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f

Download Submit
C:\Users\Admin\AppData\Roaming\5_17\vjrwlpjd.asm
Filesize
371KB

MD5
7def8b74316279546efc1e1937d2aef7

SHA1
5a85b867dcbeedb83cfec2848d2b4fda149a2fca

SHA256
69060028cbe4111dd9abf7b51390a3edd0669fcd5e804be0917ea95aedae5250

SHA512
a7129ee457e223ba3c93f6ce873906ea81cb23aab26e4dbd816daa2163e30487eaf8bf7040ff1a489c111c99632b2d22dff4f30871b9f010baa19e18e566e356

Download Submit
C:\Users\Admin\AppData\Roaming\5_17\xeaawehrpe.sbo
Filesize
177.8MB

MD5
119095e96ce0d1f51c35dd67ec2b5706

SHA1
7088de971881b64ac1cfcfefbda425213fa4bbbc

SHA256
cd8ada65644a210621c39aa5e4097e829e405575c743a799ffab10ff6f2dceca

SHA512
d99457332d8afbc12b2a1e640bf436701c721e3947db2cc77e4c4bd7f8872ec52617f6fa04ce20f8599bc181f5d424f501fb0d5c14c90543d3687c5c2c55c621

Download Submit
\Users\Admin\AppData\Roaming\5_17\tjlxrq.pif
Filesize
794KB

MD5
18e404787e9c044105f5c4bec4600bd8

SHA1
9f1015bd7f33a6f3c1cc12c0971f51b1adee1939

SHA256
e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12

SHA512
c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f

Download Submit
\Users\Admin\AppData\Roaming\5_17\tjlxrq.pif
Filesize
794KB

MD5
18e404787e9c044105f5c4bec4600bd8

SHA1
9f1015bd7f33a6f3c1cc12c0971f51b1adee1939

SHA256
e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12

SHA512
c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f

Download Submit
\Users\Admin\AppData\Roaming\5_17\tjlxrq.pif
Filesize
794KB

MD5
18e404787e9c044105f5c4bec4600bd8

SHA1
9f1015bd7f33a6f3c1cc12c0971f51b1adee1939

SHA256
e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12

SHA512
c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f

Download Submit
\Users\Admin\AppData\Roaming\5_17\tjlxrq.pif
Filesize
794KB

MD5
18e404787e9c044105f5c4bec4600bd8

SHA1
9f1015bd7f33a6f3c1cc12c0971f51b1adee1939

SHA256
e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12

SHA512
c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f

Download Submit
memory/584-66-0x000000000041F1A0-mapping.dmp

Download
memory/1740-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/2040-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing