67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4

General

Target

67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4.exe
Size

363KB
MD5

801acd1c8e0280b31e28c726f6b427a4
SHA1

d83262e6081da951918dfa5121814bb82e95a269
SHA256

67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4
SHA512

39aad4426232681419d5d15ce061767fff5b2d3b25076ebe07a2cb0c6593b75dfb44d91e2ecc40dfde7ef1b8e9b643c25c22feaa89807ca9cd476f1a76782dae
SSDEEP

3072:vWlhCuAo4LsUokIau9UUsnz+NSMfD9H5+EKj:ulhCuF4LTu9xsniNS4Dr8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2200	conhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3400 set thread context of 3444	3400	67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4.exe	90
PID 3444 set thread context of 2200	3444	AppLaunch.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2540	powershell.exe
2540	powershell.exe
3400	67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4.exe
3400	67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3400	67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeLockMemoryPrivilege	2200	conhost.exe
Token: SeLockMemoryPrivilege	2200	conhost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 2540	3400	67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4.exe	81
PID 3400 wrote to memory of 2540	3400	67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4.exe	81
PID 3400 wrote to memory of 3444	3400	67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4.exe	90
PID 3400 wrote to memory of 3444	3400	67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4.exe	90
PID 3400 wrote to memory of 3444	3400	67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4.exe	90
PID 3400 wrote to memory of 3444	3400	67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4.exe	90
PID 3400 wrote to memory of 3444	3400	67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4.exe	90
PID 3400 wrote to memory of 3444	3400	67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4.exe	90
PID 3444 wrote to memory of 2200	3444	AppLaunch.exe	91
PID 3444 wrote to memory of 2200	3444	AppLaunch.exe	91
PID 3444 wrote to memory of 2200	3444	AppLaunch.exe	91

C:\Users\Admin\AppData\Local\Temp\67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4.exe
"C:\Users\Admin\AppData\Local\Temp\67d15967c6afc53889aa22cad18fd6afccff7a4e513e218478f882fb01824dd4.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\System32\conhost.exe
    C:\Windows\System32\conhost.exe qeqkbjctbfy0 6E3sjfZq2rJQaxvLPmXgsLqz8lpJ63UklPJg9pmcWSo8Jq3kZKSmvY4+NRTnUpEE3r7+XdtDimsNE7e/g+L2X9H56A5oEjJPagfD7QnT15zaBaj0uazjcA0XmidLhgHPgbFsB3e7l3mh+HQxK0IgPyO5BCIyV/0dj7UBA5qbtnhvEysue9hfOHc3u05LtSAbyLevTJdM29MLupiky3fBB4f7gpKX6SCprT+ftxtOrV1jVTSOVeWYw0PtiKcCojqtEffJsh4ZUZhRRWjAF9vtd6YAerLXuvJWihYiYwUI6cKGgNXX6Rp/oTqNMRDOeX5AHhUEpGHVpRjSu8gA7guRnSgqQBDeAJf0DVOipCGNM4wBWTFxmErarlh1DfOgRL8t
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2200-154-0x0000025048230000-0x0000025048250000-memory.dmp

Filesize
128KB

Download
memory/2200-153-0x0000025048000000-0x0000025048020000-memory.dmp

Filesize
128KB

Download
memory/2200-151-0x0000025048000000-0x0000025048020000-memory.dmp

Filesize
128KB

Download
memory/2200-152-0x0000025048230000-0x0000025048250000-memory.dmp

Filesize
128KB

Download
memory/2200-150-0x0000025047B70000-0x0000025047BB0000-memory.dmp

Filesize
256KB

Download
memory/2200-148-0x0000024FB3E10000-0x0000024FB3E30000-memory.dmp

Filesize
128KB

Download
memory/2540-136-0x00007FFE98780000-0x00007FFE99241000-memory.dmp

Filesize
10.8MB

Download
memory/2540-138-0x00007FFE98780000-0x00007FFE99241000-memory.dmp

Filesize
10.8MB

Download
memory/2540-139-0x00007FFE98780000-0x00007FFE99241000-memory.dmp

Filesize
10.8MB

Download
memory/3400-137-0x00007FFE98780000-0x00007FFE99241000-memory.dmp

Filesize
10.8MB

Download
memory/3400-142-0x00007FFE98780000-0x00007FFE99241000-memory.dmp

Filesize
10.8MB

Download
memory/3400-132-0x000002253B5B0000-0x000002253B60E000-memory.dmp

Filesize
376KB

Download
memory/3400-134-0x00000225564E0000-0x0000022556502000-memory.dmp

Filesize
136KB

Download
memory/3400-133-0x00007FFE98780000-0x00007FFE99241000-memory.dmp

Filesize
10.8MB

Download
memory/3444-145-0x0000015B20070000-0x0000015B20082000-memory.dmp

Filesize
72KB

Download
memory/3444-144-0x00007FFE98780000-0x00007FFE99241000-memory.dmp

Filesize
10.8MB

Download
memory/3444-143-0x00007FFE98780000-0x00007FFE99241000-memory.dmp

Filesize
10.8MB

Download
memory/3444-149-0x00007FFE98780000-0x00007FFE99241000-memory.dmp

Filesize
10.8MB

Download
memory/3444-140-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing