be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc

General

Target

be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.exe
Size

2.1MB
MD5

7c57ab0927b377a76101a24fbe641463
SHA1

9d5ec73eaf6829e4cb388c8f95fce691a15217e5
SHA256

be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc
SHA512

a35f3abf0be7c8f61eeb1331254060964fa24cc1ed64b7464336db2a4244be118c0ed2f153248d10676f605369972dbb33afb8823b84798272079ebc19aa4726
SSDEEP

49152:NwXO21l9449QxS0UVzppQBwpo941l0s6Hg48h0wUczM60xG:NwXOE95QK7Q99siHoh0wVA60xG

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3856	be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.scr
2680	tmp2.exe
4180	work.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.exe

Loads dropped DLL 1 IoCs

pid	Process
3396	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\work = "C:\\Users\\Admin\\AppData\\Roaming\\that\\work.exe"	work.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4988	be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3856	be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.scr
3856	be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.scr
3856	be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.scr

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 3856	4988	be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.exe	82
PID 4988 wrote to memory of 3856	4988	be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.exe	82
PID 4988 wrote to memory of 3856	4988	be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.exe	82
PID 4988 wrote to memory of 2680	4988	be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.exe	83
PID 4988 wrote to memory of 2680	4988	be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.exe	83
PID 4988 wrote to memory of 2680	4988	be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.exe	83
PID 2680 wrote to memory of 4180	2680	tmp2.exe	84
PID 2680 wrote to memory of 4180	2680	tmp2.exe	84
PID 2680 wrote to memory of 4180	2680	tmp2.exe	84
PID 4180 wrote to memory of 3396	4180	work.exe	85
PID 4180 wrote to memory of 3396	4180	work.exe	85
PID 4180 wrote to memory of 3396	4180	work.exe	85

C:\Users\Admin\AppData\Local\Temp\be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.exe
"C:\Users\Admin\AppData\Local\Temp\be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Local\Temp\be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.scr
  "C:\Users\Admin\AppData\Local\Temp\be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.scr" /S
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3856
- C:\Users\Admin\AppData\Local\Temp\tmp2.exe
  C:\Users\Admin\AppData\Local\Temp\tmp2.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Roaming\that\work.exe
    C:\Users\Admin\AppData\Roaming\that\work.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s /u "C:\Users\Admin\AppData\Roaming\that\work.dll"
      4⤵
      Loads dropped DLL
      PID:3396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.scr

Filesize
1.8MB

MD5
6301838e01b48f61e1b916f1aae4249e

SHA1
0938bb732be18b8bf8d7f1ee48a6d39df656602b

SHA256
e18e0700caf89da7f365bbe05ce3e1755ffc5f9f4f21220e99e31ea34c7f79b0

SHA512
2b0154473d4576524dee6578a8f4a33c1f523ec04d48ed4693274e69b762fb97d3987e68f4841803ddbed10a3ceb1b9711749d32063261f7a04f2145d8f655c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\be93b42d5c55312e326f8619129906093b52309dccdde0f5b7a9f63b967429cc.scr

Filesize
1.8MB

MD5
6301838e01b48f61e1b916f1aae4249e

SHA1
0938bb732be18b8bf8d7f1ee48a6d39df656602b

SHA256
e18e0700caf89da7f365bbe05ce3e1755ffc5f9f4f21220e99e31ea34c7f79b0

SHA512
2b0154473d4576524dee6578a8f4a33c1f523ec04d48ed4693274e69b762fb97d3987e68f4841803ddbed10a3ceb1b9711749d32063261f7a04f2145d8f655c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
142KB

MD5
192f6b4b76bcbdc34812ecff90134db8

SHA1
eff7cab404b82066fc8557b0e76d53099c596f67

SHA256
44815a7c1c20ebf79725c6dc65d128766a7616713c4238135a6bd7a37ffdc30a

SHA512
108cade941431b55a8a46eccb56f5d99575aabab6617148d92cc423376d30547ed18cb1239b03fc59052ab6beeb5635f9dfd945c75d8d2c1c1f034ed148153bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
142KB

MD5
192f6b4b76bcbdc34812ecff90134db8

SHA1
eff7cab404b82066fc8557b0e76d53099c596f67

SHA256
44815a7c1c20ebf79725c6dc65d128766a7616713c4238135a6bd7a37ffdc30a

SHA512
108cade941431b55a8a46eccb56f5d99575aabab6617148d92cc423376d30547ed18cb1239b03fc59052ab6beeb5635f9dfd945c75d8d2c1c1f034ed148153bb

Download Submit
C:\Users\Admin\AppData\Roaming\that\work.dll

Filesize
92KB

MD5
21ce498bf248997701926e225f246263

SHA1
4ad95e47387b15be63e68f606f19cff75afd42c8

SHA256
122959ed0ecc5a183f8d6c92a49e78cf7a6cb436991bf0355e3f0124cd493a17

SHA512
d6f370d4e388d0c287dda3e42e71e4fd54bb8cb703b05ecb7a2255fea9cfe8ac66ece5bae65a7c299457709ec4ff47d358e12a3f512299e8717a46a010d254c7

Download Submit
C:\Users\Admin\AppData\Roaming\that\work.dll

Filesize
92KB

MD5
21ce498bf248997701926e225f246263

SHA1
4ad95e47387b15be63e68f606f19cff75afd42c8

SHA256
122959ed0ecc5a183f8d6c92a49e78cf7a6cb436991bf0355e3f0124cd493a17

SHA512
d6f370d4e388d0c287dda3e42e71e4fd54bb8cb703b05ecb7a2255fea9cfe8ac66ece5bae65a7c299457709ec4ff47d358e12a3f512299e8717a46a010d254c7

Download Submit
C:\Users\Admin\AppData\Roaming\that\work.exe

Filesize
66KB

MD5
eba27f66a602ae213bd5730e0c90e7b2

SHA1
e972c74297b8cf0dac80d2aec49f9547dcc935fa

SHA256
8c6197c29cadf31511b532d7a8425a95b4121374f36e08d3b3a469cd1f383b56

SHA512
e605c6afa91520a167ef70e3f27c1d1b3e435c7858657a7cb910293b8872d618a6fbdabe4cc2b3ff9d5078c8458ec032f5eb3d8bb0b537da652be416497a37eb

Download Submit
C:\Users\Admin\AppData\Roaming\that\work.exe

Filesize
66KB

MD5
eba27f66a602ae213bd5730e0c90e7b2

SHA1
e972c74297b8cf0dac80d2aec49f9547dcc935fa

SHA256
8c6197c29cadf31511b532d7a8425a95b4121374f36e08d3b3a469cd1f383b56

SHA512
e605c6afa91520a167ef70e3f27c1d1b3e435c7858657a7cb910293b8872d618a6fbdabe4cc2b3ff9d5078c8458ec032f5eb3d8bb0b537da652be416497a37eb

Download Submit

Analysis

Sharing