a20d62110e3e9d2659ee55299033ff3542bdce0b669f299dad18dddce4ddc1af

General

Target

f9482bb02601f897d980e64e4b54fe3c.exe
Size

10KB
MD5

f9482bb02601f897d980e64e4b54fe3c
SHA1

bbaf763d8b26f468f6d4fb5cb631e3fedb3c965b
SHA256

a20d62110e3e9d2659ee55299033ff3542bdce0b669f299dad18dddce4ddc1af
SHA512

f0b2dcb4403d6b709a327fdf3533ff80272ccf4618e094fa7727564d0f47cf83cff2568615c331062c4b21fa21755b62c88acea466ac96627aeba120244a9d6d
SSDEEP

192:ZBlbXZH5KcyeRrUt0cgh8/2PnH/7AvBp:ZBkurM05S/2vHzM

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2656	rC2dAw.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f9482bb02601f897d980e64e4b54fe3c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	rC2dAw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4676 set thread context of 3656	4676	f9482bb02601f897d980e64e4b54fe3c.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3052	powershell.exe
3052	powershell.exe
4676	f9482bb02601f897d980e64e4b54fe3c.exe
4676	f9482bb02601f897d980e64e4b54fe3c.exe
3656	AppLaunch.exe
3656	AppLaunch.exe
4464	powershell.exe
4464	powershell.exe
536	powershell.exe
536	powershell.exe
3656	AppLaunch.exe
3656	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	f9482bb02601f897d980e64e4b54fe3c.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	3656	AppLaunch.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	2656	rC2dAw.exe
Token: SeDebugPrivilege	536	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 3052	4676	f9482bb02601f897d980e64e4b54fe3c.exe	80
PID 4676 wrote to memory of 3052	4676	f9482bb02601f897d980e64e4b54fe3c.exe	80
PID 4676 wrote to memory of 3656	4676	f9482bb02601f897d980e64e4b54fe3c.exe	89
PID 4676 wrote to memory of 3656	4676	f9482bb02601f897d980e64e4b54fe3c.exe	89
PID 4676 wrote to memory of 3656	4676	f9482bb02601f897d980e64e4b54fe3c.exe	89
PID 4676 wrote to memory of 3656	4676	f9482bb02601f897d980e64e4b54fe3c.exe	89
PID 4676 wrote to memory of 3656	4676	f9482bb02601f897d980e64e4b54fe3c.exe	89
PID 4676 wrote to memory of 3656	4676	f9482bb02601f897d980e64e4b54fe3c.exe	89
PID 3656 wrote to memory of 4464	3656	AppLaunch.exe	90
PID 3656 wrote to memory of 4464	3656	AppLaunch.exe	90
PID 4464 wrote to memory of 2656	4464	powershell.exe	92
PID 4464 wrote to memory of 2656	4464	powershell.exe	92
PID 2656 wrote to memory of 536	2656	rC2dAw.exe	93
PID 2656 wrote to memory of 536	2656	rC2dAw.exe	93

C:\Users\Admin\AppData\Local\Temp\f9482bb02601f897d980e64e4b54fe3c.exe
"C:\Users\Admin\AppData\Local\Temp\f9482bb02601f897d980e64e4b54fe3c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAIgBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAHIAQwAyAGQAQQB3AC4AZQB4AGUAIgA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\rC2dAw.exe
      "C:\Users\Admin\AppData\Local\Temp\rC2dAw.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3af0fe7f6bead950f076de281a5a1d2

SHA1
e55d189a5525b7871835548e5f777de0ff42e755

SHA256
ce484ca22f8966e31b9b5aafef1a970d37525122fb7c9d39976e743264f77890

SHA512
9818ad2387ceba8fe3afbe60070354c39eb13783653e8e28c84bd7e61678627942a6df06778d4e4b72d525c843d74bd97e4edc93af960e45500912e41c2c5693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rC2dAw.exe

Filesize
363KB

MD5
fe03db74e84b28ad6be2df6a9108bc20

SHA1
2c214fe1ccbb48140a25aa68175391b60ab1edc0

SHA256
0b456a75e8bcc866efa283b8f55c826130e5326ad4ab12aeb4a436bb1cc5f4c8

SHA512
7d018e0fed1a3aab6771dd4cb5c5394d9dc351a1b0f28dc78fca5d40e9ddf7ca0b558d358d0ab59f02fc7d2bb016185489a402ebd698e3b1023b1ba94dbbcced

Download Submit
C:\Users\Admin\AppData\Local\Temp\rC2dAw.exe

Filesize
363KB

MD5
fe03db74e84b28ad6be2df6a9108bc20

SHA1
2c214fe1ccbb48140a25aa68175391b60ab1edc0

SHA256
0b456a75e8bcc866efa283b8f55c826130e5326ad4ab12aeb4a436bb1cc5f4c8

SHA512
7d018e0fed1a3aab6771dd4cb5c5394d9dc351a1b0f28dc78fca5d40e9ddf7ca0b558d358d0ab59f02fc7d2bb016185489a402ebd698e3b1023b1ba94dbbcced

Download Submit
memory/536-159-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/536-157-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/2656-152-0x000001C3B4620000-0x000001C3B467E000-memory.dmp

Filesize
376KB

Download
memory/2656-154-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/2656-158-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3052-139-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3052-138-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3052-137-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-143-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-144-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-140-0x0000000140000000-0x000000014007A000-memory.dmp

Filesize
488KB

Download
memory/4464-153-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4464-147-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4676-132-0x000001EF75570000-0x000001EF75576000-memory.dmp

Filesize
24KB

Download
memory/4676-135-0x000001EF770F0000-0x000001EF77112000-memory.dmp

Filesize
136KB

Download
memory/4676-134-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4676-142-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/4676-133-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing