30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196

General

Target

30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe
Size

204KB
MD5

60bf6f5f7e1542009dffd320ed2b7cf0
SHA1

79fdac8318775d7e8f1a9ce6bcb965be02c26225
SHA256

30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196
SHA512

51360f800a35760150989c9926cdaf2987b27a445a8a2480959346d10b407cb132b3b7914349f26971f6bcd754e27332ca4fd8228520dabbcdc3297d75cdbe47
SSDEEP

3072:K1n4/bpHIUS9HF2D3NS3h3CWmHx4c1EYFGJhFFN5SdlEZ2445jCg:/bpHrSFULQ3h3AavN5Me2d5f

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2204	sqlserver.exe
4752	30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe
3320	dumpkernel.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.bat	sqlserver.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kernelfaultEx = "C:\\Windows\\SysWOW64\\dumpkernel.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\windows\currentVersion\run	reg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dumpkernel.exe	30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sqlserver.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	sqlserver.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 2204	1424	30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe	81
PID 1424 wrote to memory of 2204	1424	30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe	81
PID 1424 wrote to memory of 2204	1424	30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe	81
PID 1424 wrote to memory of 2240	1424	30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe	82
PID 1424 wrote to memory of 2240	1424	30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe	82
PID 1424 wrote to memory of 2240	1424	30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe	82
PID 1424 wrote to memory of 4536	1424	30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe	83
PID 1424 wrote to memory of 4536	1424	30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe	83
PID 1424 wrote to memory of 4536	1424	30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe	83
PID 4536 wrote to memory of 4752	4536	cmd.exe	86
PID 4536 wrote to memory of 4752	4536	cmd.exe	86
PID 4536 wrote to memory of 4752	4536	cmd.exe	86
PID 4536 wrote to memory of 3320	4536	cmd.exe	87
PID 4536 wrote to memory of 3320	4536	cmd.exe	87
PID 4536 wrote to memory of 3320	4536	cmd.exe	87
PID 3320 wrote to memory of 1604	3320	dumpkernel.exe	88
PID 3320 wrote to memory of 1604	3320	dumpkernel.exe	88
PID 3320 wrote to memory of 1604	3320	dumpkernel.exe	88
PID 1604 wrote to memory of 1432	1604	cmd.exe	90
PID 1604 wrote to memory of 1432	1604	cmd.exe	90
PID 1604 wrote to memory of 1432	1604	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe
"C:\Users\Admin\AppData\Local\Temp\30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\temp\sqlserver.exe
  "C:\Windows\temp\sqlserver.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Checks processor information in registry
  PID:2204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\temp\tttdelzzz.bat" "
  2⤵
  PID:2240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\temp\tttbrozzz.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Users\Admin\AppData\Local\Temp\30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe
    "C:\Users\Admin\AppData\Local\Temp\30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe"
    3⤵
    - Executes dropped EXE
    PID:4752
- - C:\Windows\SysWOW64\dumpkernel.exe
    "C:\Windows\system32\dumpkernel.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Microsoft\windows\currentVersion\run /v kernelfaultEx /t REG_SZ /d "C:\Windows\SysWOW64\dumpkernel.exe" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\windows\currentVersion\run /v kernelfaultEx /t REG_SZ /d "C:\Windows\SysWOW64\dumpkernel.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:1432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\30942dab9c02e22e17ae8200866511ae64347c188ee25716f218c0ee1849c196.exe

Filesize
110KB

MD5
1b2569a6e9779e283fb93d43d6d341f6

SHA1
6e5e0e377a5493e6cde7c5717b1d61086fc12a8d

SHA256
df9d66dfbba7676a944c1f4bb71c273268dcc480ed51e2a362ad916d690fc499

SHA512
8661c71338da0197dff123972501623b2159c514ab56db9b3940e0c3f63cbe2ca22c8a6d57bec5536c470285b66c9407be33e0c3e7ec884d0f4797a09b47621a

Download Submit
C:\Windows\SysWOW64\dumpkernel.exe

Filesize
45KB

MD5
620e8fa4a42e2dc3e4294115e56ba62c

SHA1
f2df7f6ae69b480c5aa3372c362bbf5ae80cc4f8

SHA256
bbab9383065b21a75aa291f395ae8a3f59cc013e4a865e43be792d7b5b9fc1c3

SHA512
4f926e087e6dac7e830d4b65b1a6eae9504a7c758321c202d8001af5632d33c7661fd6dd3c75288f5cd400d16e23536d9a43f9fe4a4acd25360799b502f5be38

Download Submit
C:\Windows\SysWOW64\dumpkernel.exe

Filesize
45KB

MD5
620e8fa4a42e2dc3e4294115e56ba62c

SHA1
f2df7f6ae69b480c5aa3372c362bbf5ae80cc4f8

SHA256
bbab9383065b21a75aa291f395ae8a3f59cc013e4a865e43be792d7b5b9fc1c3

SHA512
4f926e087e6dac7e830d4b65b1a6eae9504a7c758321c202d8001af5632d33c7661fd6dd3c75288f5cd400d16e23536d9a43f9fe4a4acd25360799b502f5be38

Download Submit
C:\Windows\Temp\sqlserver.exe

Filesize
15KB

MD5
c83a01f25ea0e1c9200c5893aa2d2199

SHA1
d0c53a1aaf2be6aec7b0f73e767b62fffb010f08

SHA256
23fea8b183632f91e5a4d1d6a43283846c734eee820eb2084ad428b7cbe92d53

SHA512
3961ce6f4e8871a5032fc5616e057e15892d846270d572f156aebd5557b72cf5dd0139e87306073243b366851e6db09b83f41294a8230836597c2c840e2704d7

Download Submit
C:\Windows\temp\Server32History.dat

Filesize
110KB

MD5
1b2569a6e9779e283fb93d43d6d341f6

SHA1
6e5e0e377a5493e6cde7c5717b1d61086fc12a8d

SHA256
df9d66dfbba7676a944c1f4bb71c273268dcc480ed51e2a362ad916d690fc499

SHA512
8661c71338da0197dff123972501623b2159c514ab56db9b3940e0c3f63cbe2ca22c8a6d57bec5536c470285b66c9407be33e0c3e7ec884d0f4797a09b47621a

Download Submit
C:\Windows\temp\sqlserver.exe

Filesize
15KB

MD5
c83a01f25ea0e1c9200c5893aa2d2199

SHA1
d0c53a1aaf2be6aec7b0f73e767b62fffb010f08

SHA256
23fea8b183632f91e5a4d1d6a43283846c734eee820eb2084ad428b7cbe92d53

SHA512
3961ce6f4e8871a5032fc5616e057e15892d846270d572f156aebd5557b72cf5dd0139e87306073243b366851e6db09b83f41294a8230836597c2c840e2704d7

Download Submit
C:\Windows\temp\tttbrozzz.bat

Filesize
603B

MD5
65b7699ae1e496b3783802e1dec1e3fe

SHA1
dbec8a07d33d87095f21f8ce6cb53387cd243eef

SHA256
6ffe6aee98af4b69ce5d81bbc27d34639c198c47d7fb1cad464f0638c65076c7

SHA512
9a56fcedaca0c6f43e85ec998743124e4a7b1776e493f93aaa97e0b9fe9461bd0eab424263138e5ddbdfe0f73e4cf8e69a909d9ce29e73c95635a77a6f5c3ca3

Download Submit
C:\Windows\temp\tttdelzzz.bat

Filesize
327B

MD5
f9b67f231a2dbfd83801a199ddceb26a

SHA1
d9c34d600472f837eb1a48fbab0b8f2ea928497c

SHA256
32c6f60c6735b3607fb88643560adc98769545fa339c1a231b80c2345606c392

SHA512
e0bc704a407c7e92719136fb171e8e6a9fefa70d97bec73d557d45e29b0523e714ef8dcfcc2b0c673c69ddbaf4e689c8049da099582497bcb641d4d5f0defeca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads