5c43677f344e5f1bfaf29aeba0e69a020eef92b8555d6637f74de0e404a640f2

General

Target

47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe
Size

1.5MB
MD5

26454b46bef46b885e8477922d3d08d4
SHA1

add2c041f12ce35e621dd3e162a61a7196eee48c
SHA256

47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282
SHA512

a9a41ccbc6b98cbfb7a0b6c2843f35fc895e6ec9556848ac4dd93e8e2a40b2079b906c2ee6fa90857cf267215cf2088c8f97828c9b3e40f80e6ad2e57d67da98
SSDEEP

49152:Ag6cnCiIkofSoKkVOUUi12RK27PB6yy0E6MenVeUQu:4VdSF3i12XDB62thUUj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

DllHelper.exe

pid process

3180 DllHelper.exe

pid	process
3180	DllHelper.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4876 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

756 PING.EXE

pid	process
4876	schtasks.exe

pid	process
756	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe

pid	process
868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe
868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe
868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe
868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe
868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe
868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe
868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe
868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe
868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe
868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.execmd.exe

description	pid	process	target process
PID 868 wrote to memory of 4876	868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe	schtasks.exe
PID 868 wrote to memory of 4876	868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe	schtasks.exe
PID 868 wrote to memory of 4876	868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe	schtasks.exe
PID 868 wrote to memory of 3180	868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe	DllHelper.exe
PID 868 wrote to memory of 3180	868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe	DllHelper.exe
PID 868 wrote to memory of 3180	868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe	DllHelper.exe
PID 868 wrote to memory of 4900	868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe	cmd.exe
PID 868 wrote to memory of 4900	868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe	cmd.exe
PID 868 wrote to memory of 4900	868	47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe	cmd.exe
PID 4900 wrote to memory of 4644	4900	cmd.exe	chcp.com
PID 4900 wrote to memory of 4644	4900	cmd.exe	chcp.com
PID 4900 wrote to memory of 4644	4900	cmd.exe	chcp.com
PID 4900 wrote to memory of 756	4900	cmd.exe	PING.EXE
PID 4900 wrote to memory of 756	4900	cmd.exe	PING.EXE
PID 4900 wrote to memory of 756	4900	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe
"C:\Users\Admin\AppData\Local\Temp\47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\AppVerif\DllHelper.exe"
2⤵
- Creates scheduled task(s)
PID:4876

C:\Users\Admin\AppVerif\DllHelper.exe
"C:\Users\Admin\AppVerif\DllHelper.exe"
2⤵
- Executes dropped EXE
PID:3180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\47999d24a62260aceac07d042e065e8000173124ca9b8d13ac2516338b5cd282.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:4644

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppVerif\DllHelper.exe
Filesize
766.7MB

MD5
4dbd3ce00e8dfd4f27d399d06ff3d79c

SHA1
f7bc3ee75cec529338a8d3a2ce7b226fda794315

SHA256
941dcb4b6d28f0c77988056ba1a3bb0a30a7ff1d728afc9ac5699bc50c79a562

SHA512
c40595ac55e322268a444bc4a1dfd0807b46c5c0e18d4f5ffe2afadf099e5d012633705b88435883c80b68cd1e8666f2a38de25fa6f8b13bd1f924d4692cef2d

Download Submit
C:\Users\Admin\AppVerif\DllHelper.exe
Filesize
768.6MB

MD5
cd2b4e7064839b75e1dbffe4d49dccb7

SHA1
d488d8a319c652fe0ea71ea9902d53317cdad8c1

SHA256
c8742d32adda00092b5ee37202df34b27842343ab885d47a6b36bab24607fe77

SHA512
e3f37a91cc319036dcd40ce14115734a6079a4f7b7f14482f0c6d506f1d3d02ef936033094b02fe81462e48097379c1ce635be070feb84d256e681061293e2dc

Download Submit
memory/756-143-0x0000000000000000-mapping.dmp

Download
memory/868-135-0x0000000002C1F000-0x0000000002D89000-memory.dmp

Filesize
1.4MB

Download
memory/868-132-0x00000000024CB000-0x0000000002C01000-memory.dmp

Filesize
7.2MB

Download
memory/868-134-0x0000000002C1F000-0x0000000002D89000-memory.dmp

Filesize
1.4MB

Download
memory/868-141-0x0000000002C1F000-0x0000000002D89000-memory.dmp

Filesize
1.4MB

Download
memory/868-133-0x00000000024CB000-0x0000000002C01000-memory.dmp

Filesize
7.2MB

Download
memory/3180-137-0x0000000000000000-mapping.dmp

Download
memory/3180-144-0x000000000243A000-0x0000000002B70000-memory.dmp

Filesize
7.2MB

Download
memory/3180-145-0x000000000243A000-0x0000000002B70000-memory.dmp

Filesize
7.2MB

Download
memory/4644-142-0x0000000000000000-mapping.dmp

Download
memory/4876-136-0x0000000000000000-mapping.dmp

Download
memory/4900-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads