37903e1d9f8876ee33f42eb2d4d507cc35a37fb4de5408d95be31f3b5a319aec

General

Target

37903e1d9f8876ee33f42eb2d4d507cc35a37fb4de5408d95be31f3b5a319aec.exe
Size

740KB
MD5

67ef6a3258121c5c085080180698a2e0
SHA1

9ed5f1c51d5609b1b1402a41f2121676af9e5103
SHA256

37903e1d9f8876ee33f42eb2d4d507cc35a37fb4de5408d95be31f3b5a319aec
SHA512

b66b367b6c12f195c6b32f665b5bb25d9af9ed96224444236031b5fd9d0306294415dab3f3a489cc63dc0bf5191862485e359f453ff804138b6eb9215e61f803
SSDEEP

12288:+w80KZh/N1tcD1/OVQNvRtYuupRA9gN5UQXGcuWEw/+PxBTApHqxhyjY1NEAIvO+:+w80Kx1SR/Jb8T+QqWGcNXqxdApHYysU

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5060	servers.exe
5012	niubo_setup_1581.exe
4620	irsetup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e07-138.dat	upx
behavioral2/files/0x0006000000022e07-139.dat	upx
behavioral2/memory/4620-140-0x0000000000400000-0x0000000000527000-memory.dmp	upx
behavioral2/memory/4620-141-0x0000000000400000-0x0000000000527000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	37903e1d9f8876ee33f42eb2d4d507cc35a37fb4de5408d95be31f3b5a319aec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4620	irsetup.exe
4620	irsetup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 5060	2012	37903e1d9f8876ee33f42eb2d4d507cc35a37fb4de5408d95be31f3b5a319aec.exe	82
PID 2012 wrote to memory of 5060	2012	37903e1d9f8876ee33f42eb2d4d507cc35a37fb4de5408d95be31f3b5a319aec.exe	82
PID 2012 wrote to memory of 5060	2012	37903e1d9f8876ee33f42eb2d4d507cc35a37fb4de5408d95be31f3b5a319aec.exe	82
PID 2012 wrote to memory of 5012	2012	37903e1d9f8876ee33f42eb2d4d507cc35a37fb4de5408d95be31f3b5a319aec.exe	83
PID 2012 wrote to memory of 5012	2012	37903e1d9f8876ee33f42eb2d4d507cc35a37fb4de5408d95be31f3b5a319aec.exe	83
PID 2012 wrote to memory of 5012	2012	37903e1d9f8876ee33f42eb2d4d507cc35a37fb4de5408d95be31f3b5a319aec.exe	83
PID 5012 wrote to memory of 4620	5012	niubo_setup_1581.exe	84
PID 5012 wrote to memory of 4620	5012	niubo_setup_1581.exe	84
PID 5012 wrote to memory of 4620	5012	niubo_setup_1581.exe	84

C:\Users\Admin\AppData\Local\Temp\37903e1d9f8876ee33f42eb2d4d507cc35a37fb4de5408d95be31f3b5a319aec.exe
"C:\Users\Admin\AppData\Local\Temp\37903e1d9f8876ee33f42eb2d4d507cc35a37fb4de5408d95be31f3b5a319aec.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\servers.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\servers.exe"
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\niubo_setup_1581.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\niubo_setup_1581.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe
    __IRAOFF:500236 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\RarSFX0\niubo_setup_1581.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\niubo_setup_1581.exe

Filesize
644KB

MD5
b77cc3a61118ce5909a97fe98496dd9c

SHA1
72e7902317d13f5c9df4966e350b432459075f7f

SHA256
eda21d56f93441d8ee26dee6aab9d174ae8e01e8a0b5b0516f0cc11bc39881cc

SHA512
fd7296b77c9bbbaecf635a89b1dd1f74e1b7caaf3b1b7c2d1ba53e47814edb4381403b26c8bfb292f3f1dd2f5a0c81242282c6e275bfb34ac8eb4b829f8641bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\niubo_setup_1581.exe

Filesize
644KB

MD5
b77cc3a61118ce5909a97fe98496dd9c

SHA1
72e7902317d13f5c9df4966e350b432459075f7f

SHA256
eda21d56f93441d8ee26dee6aab9d174ae8e01e8a0b5b0516f0cc11bc39881cc

SHA512
fd7296b77c9bbbaecf635a89b1dd1f74e1b7caaf3b1b7c2d1ba53e47814edb4381403b26c8bfb292f3f1dd2f5a0c81242282c6e275bfb34ac8eb4b829f8641bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\servers.exe

Filesize
59KB

MD5
c0929836a21a2816ce47232f2816041b

SHA1
1a16faf63d2c08bbb019e8fb1524b8027b802b58

SHA256
e5817e9b0c41053150e2b98aa8cca4420545563604ddb82d4dfe56e5e2710307

SHA512
b5cc450f1c4add00557eb3c2bdc42e82ba15a05e98954103490c5ad32b274d729a04112354e2bb6eee2ec03070761285d1a3c0684ebfb01e04539270dd560fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf7_temp_0\irsetup.exe

Filesize
440KB

MD5
75ca7ff96bf5a316c3af2de6a412bd54

SHA1
0a093950790ff0dddff6f5f29c6b02c10997e0c5

SHA256
d95b5bf9ca97c1900de5357743282bab655d61d616606485088e1708559b7cf1

SHA512
b8da86f2f1e908955254e5168d0447f479cec7815a8b081a7b38eb87187cb2eb992109c67e006361b96bc1529ee8abc9dc477d78e9ca565e43f5415b492771d4

Download Submit
memory/4620-140-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/4620-141-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing