b7fc68653c4d32be7f3180abb0cffdfcb61c796adaa18ac4d58062bae83aaefa

General

Target

b.exe
Size

1.9MB
MD5

f6ed15763205da5fc35bc6af8ad1f000
SHA1

e95b9750d5323fe4b0a3949945590ebb0de149bf
SHA256

b7fc68653c4d32be7f3180abb0cffdfcb61c796adaa18ac4d58062bae83aaefa
SHA512

ca6d9f3f0956bf03b917d9c45c881a4672e6553eb5dd7de22ddb4a61fd9d5b7bab04cd5efa9693561e3c327bb31045f475fd78bb6af08ed8cbf620260a720b25
SSDEEP

24576:z7FUDowAyrTVE3U5FmdpDAI4oafbLHGE5x7awFhJdNo69lOy7KTijlN:zBuZrEUwD+oafv55DdN7POGjr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2528	b.tmp
4892	b.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b.tmp

Loads dropped DLL 2 IoCs

pid	Process
2528	b.tmp
4892	b.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	217.160.70.42

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4892 set thread context of 1488	4892	b.tmp	86

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PC_installer\unins000.dat	b.tmp
File created	C:\Program Files (x86)\PC_installer\is-12R3C.tmp	b.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1772	1488	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1488	explorer.exe
1488	explorer.exe
4892	b.tmp
4892	b.tmp
4892	b.tmp
4892	b.tmp
4892	b.tmp
4892	b.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4892	b.tmp

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2528	2856	b.exe	83
PID 2856 wrote to memory of 2528	2856	b.exe	83
PID 2856 wrote to memory of 2528	2856	b.exe	83
PID 2528 wrote to memory of 4988	2528	b.tmp	84
PID 2528 wrote to memory of 4988	2528	b.tmp	84
PID 2528 wrote to memory of 4988	2528	b.tmp	84
PID 4988 wrote to memory of 4892	4988	b.exe	85
PID 4988 wrote to memory of 4892	4988	b.exe	85
PID 4988 wrote to memory of 4892	4988	b.exe	85
PID 4892 wrote to memory of 1488	4892	b.tmp	86
PID 4892 wrote to memory of 1488	4892	b.tmp	86
PID 4892 wrote to memory of 1488	4892	b.tmp	86
PID 4892 wrote to memory of 1488	4892	b.tmp	86

C:\Users\Admin\AppData\Local\Temp\b.exe
"C:\Users\Admin\AppData\Local\Temp\b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\is-NRDUE.tmp\b.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NRDUE.tmp\b.tmp" /SL5="$B006A,1135239,832512,C:\Users\Admin\AppData\Local\Temp\b.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\b.exe
    "C:\Users\Admin\AppData\Local\Temp\b.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Users\Admin\AppData\Local\Temp\is-OCT25.tmp\b.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-OCT25.tmp\b.tmp" /SL5="$C006A,1135239,832512,C:\Users\Admin\AppData\Local\Temp\b.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1488
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 748
        6⤵
        Program crash
        
        PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1488 -ip 1488
1⤵
PID:4816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-6D8SE.tmp\tava.dll

Filesize
339KB

MD5
8f1ff631e1c3918ba0d731673994d5cb

SHA1
93b9337010e346afc546f3fd733a52aa38dba77f

SHA256
fe81ed8671a5384d55299eef4ad679f6f5a080ad69cb072865327fe93ed85cbd

SHA512
4f68d6aac354640d3cb578b64f5f3d141ce143dbec47ea92fd841c061ba3b7a92c91c386df428fde86eba625c404a0e3145d4585a6cc6dcc322bf48e62e004bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NRDUE.tmp\b.tmp

Filesize
3.0MB

MD5
77d406991227cc35026e45fe0411b3b5

SHA1
3d1a314aa86c24e84e97782c7c093a4d7f972f4d

SHA256
0f4f707356ffab07e4764773c06573f2dbf253309e136f220cef0419c6c644e3

SHA512
f61e3a9d8c573c444519300e3f3a6d12d48ea1c43cbde7835d0fe871e997d2f75589b4c8e9896903d062e68b1313cb141e41269281a7b78f8ea86c3c510a4501

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OCT25.tmp\b.tmp

Filesize
3.0MB

MD5
77d406991227cc35026e45fe0411b3b5

SHA1
3d1a314aa86c24e84e97782c7c093a4d7f972f4d

SHA256
0f4f707356ffab07e4764773c06573f2dbf253309e136f220cef0419c6c644e3

SHA512
f61e3a9d8c573c444519300e3f3a6d12d48ea1c43cbde7835d0fe871e997d2f75589b4c8e9896903d062e68b1313cb141e41269281a7b78f8ea86c3c510a4501

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OCT25.tmp\b.tmp

Filesize
3.0MB

MD5
77d406991227cc35026e45fe0411b3b5

SHA1
3d1a314aa86c24e84e97782c7c093a4d7f972f4d

SHA256
0f4f707356ffab07e4764773c06573f2dbf253309e136f220cef0419c6c644e3

SHA512
f61e3a9d8c573c444519300e3f3a6d12d48ea1c43cbde7835d0fe871e997d2f75589b4c8e9896903d062e68b1313cb141e41269281a7b78f8ea86c3c510a4501

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QR6LQ.tmp\tava.dll

Filesize
339KB

MD5
8f1ff631e1c3918ba0d731673994d5cb

SHA1
93b9337010e346afc546f3fd733a52aa38dba77f

SHA256
fe81ed8671a5384d55299eef4ad679f6f5a080ad69cb072865327fe93ed85cbd

SHA512
4f68d6aac354640d3cb578b64f5f3d141ce143dbec47ea92fd841c061ba3b7a92c91c386df428fde86eba625c404a0e3145d4585a6cc6dcc322bf48e62e004bd

Download Submit
memory/1488-153-0x00000000009D0000-0x00000000009FF000-memory.dmp

Filesize
188KB

Download
memory/1488-151-0x00000000009D0000-0x00000000009FF000-memory.dmp

Filesize
188KB

Download
memory/1488-147-0x00000000009D0000-0x00000000009FF000-memory.dmp

Filesize
188KB

Download
memory/1488-146-0x00000000009D0000-0x00000000009FF000-memory.dmp

Filesize
188KB

Download
memory/1488-148-0x00000000009D0000-0x00000000009FF000-memory.dmp

Filesize
188KB

Download
memory/2856-141-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2856-132-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2856-134-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4892-149-0x0000000000A19000-0x0000000000A43000-memory.dmp

Filesize
168KB

Download
memory/4892-154-0x0000000000A19000-0x0000000000A43000-memory.dmp

Filesize
168KB

Download
memory/4988-150-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4988-139-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing