0a9f6aba444c077d48a4eb4f676bf54c5dc6e6e6dbc7fa6b27849864c34a4e75

General

Target

0a9f6aba444c077d48a4eb4f676bf54c5dc6e6e6dbc7fa6b27849864c34a4e75.exe
Size

207KB
MD5

6e035006bac47ffc3bf96d01bfabc790
SHA1

657428260e0bbe9776337f2f838d722289e11777
SHA256

0a9f6aba444c077d48a4eb4f676bf54c5dc6e6e6dbc7fa6b27849864c34a4e75
SHA512

44a889ad027ef4b050eaa3a9af16c544484733065ec88f1534c065aa1b07c379369b1f9ebfa3b867ced34d4b6e131e02d48f8fc164761430e7aca66dc67191ae
SSDEEP

6144:lsaocyLCIAjl1p0L8csW+uY8zg8AXHLi7m4E7W:ltoblAB1eLKW+nwYu70W

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3324	installer.exe
456	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	installer.exe

Loads dropped DLL 1 IoCs

pid	Process
5008	0a9f6aba444c077d48a4eb4f676bf54c5dc6e6e6dbc7fa6b27849864c34a4e75.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	installer.exe
File created	C:\Windows\assembly\Desktop.ini	installer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	installer.exe
File created	C:\Windows\assembly\Desktop.ini	installer.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	456	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
456	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe
456	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 3324	5008	0a9f6aba444c077d48a4eb4f676bf54c5dc6e6e6dbc7fa6b27849864c34a4e75.exe	81
PID 5008 wrote to memory of 3324	5008	0a9f6aba444c077d48a4eb4f676bf54c5dc6e6e6dbc7fa6b27849864c34a4e75.exe	81
PID 3324 wrote to memory of 456	3324	installer.exe	83
PID 3324 wrote to memory of 456	3324	installer.exe	83
PID 3324 wrote to memory of 456	3324	installer.exe	83

C:\Users\Admin\AppData\Local\Temp\0a9f6aba444c077d48a4eb4f676bf54c5dc6e6e6dbc7fa6b27849864c34a4e75.exe
"C:\Users\Admin\AppData\Local\Temp\0a9f6aba444c077d48a4eb4f676bf54c5dc6e6e6dbc7fa6b27849864c34a4e75.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\AppData\Local\Temp\nsqBD8A.tmp\installer.exe
  C:\Users\Admin\AppData\Local\Temp\nsqBD8A.tmp\installer.exe 4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f /e6463374 /dT131762341S /t
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\nsqBD8A.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe
    "C:\Users\Admin\AppData\Local\Temp\nsqBD8A.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe" /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f /e6463374 /dT131762341S /t
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsqBD8A.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Filesize
243KB

MD5
678d9bcf0b164946ecc4a7d422b93019

SHA1
ea0dc87b3434456f22cca5b6aa76678243ceff04

SHA256
f477294269369396f69f8f00db98661d2e1129c9b91d802af2509283a69ca062

SHA512
4fc2c36823e32af34366d217a1ccde551d79ee7a8b4ff633eb3c6b88936bcce9c5d4426f35798744184339e5c4c0709aad16a4226b60da7cf61a2d7b73f72deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqBD8A.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Filesize
243KB

MD5
678d9bcf0b164946ecc4a7d422b93019

SHA1
ea0dc87b3434456f22cca5b6aa76678243ceff04

SHA256
f477294269369396f69f8f00db98661d2e1129c9b91d802af2509283a69ca062

SHA512
4fc2c36823e32af34366d217a1ccde551d79ee7a8b4ff633eb3c6b88936bcce9c5d4426f35798744184339e5c4c0709aad16a4226b60da7cf61a2d7b73f72deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqBD8A.tmp\installer.exe

Filesize
174KB

MD5
9f338169d5cb0adf87025314e78be9ad

SHA1
1d4a15849706dfa24ed641bd46f95ef9f0a86751

SHA256
56cc8358d9947423db5f7c141091c3f3d42c3e78de1a39d6d559e85fae9066ff

SHA512
ece37478bd7f000aa3dbd60a22a7bca849cf7792e429d05e40766a9a4aff35979af8324348a9aba7d6c019f008b6c3d67c27a8dfcc8381c32a5d933dc556485f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqBD8A.tmp\installer.exe

Filesize
174KB

MD5
9f338169d5cb0adf87025314e78be9ad

SHA1
1d4a15849706dfa24ed641bd46f95ef9f0a86751

SHA256
56cc8358d9947423db5f7c141091c3f3d42c3e78de1a39d6d559e85fae9066ff

SHA512
ece37478bd7f000aa3dbd60a22a7bca849cf7792e429d05e40766a9a4aff35979af8324348a9aba7d6c019f008b6c3d67c27a8dfcc8381c32a5d933dc556485f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqBD8A.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/456-140-0x0000000073DA0000-0x0000000074351000-memory.dmp

Filesize
5.7MB

Download
memory/456-141-0x0000000073DA0000-0x0000000074351000-memory.dmp

Filesize
5.7MB

Download
memory/3324-136-0x00007FFF37FA0000-0x00007FFF389D6000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing