619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee

General

Target

619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee.exe
Size

73KB
MD5

a1128e72309588f155d420a3b8a30796
SHA1

44a6e1b1fc91ebb36bcc5701d66d65e7c1683bf3
SHA256

619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee
SHA512

8faed513187615bf4c7090fc03c7329ddbf583cd0d595c7be03dfbbe6e10aa721159819f5f66bc5d376bfa16317ed81a72d4217c896330277ffd3fa09f06d1b2
SSDEEP

1536:GKTzixtMhFNG3S2zqv7z+kE+r9Lt/Ayvyqag1XxeDRQyrwHc/v6CdzH:nTxTNG3EukE+r/Lv3Rtxe88/vlb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2300	msizap.exe
3748	msizap.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Automatic Updates = "\"C:\\windows\\msizap.exe\""	msizap.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 644 set thread context of 4568	644	619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee.exe	85
PID 2300 set thread context of 3748	2300	msizap.exe	87

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\msizap.exe	619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee.exe
File opened for modification	\??\c:\windows\msizap.exe	619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 4568	644	619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee.exe	85
PID 644 wrote to memory of 4568	644	619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee.exe	85
PID 644 wrote to memory of 4568	644	619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee.exe	85
PID 644 wrote to memory of 4568	644	619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee.exe	85
PID 644 wrote to memory of 4568	644	619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee.exe	85
PID 4568 wrote to memory of 2300	4568	619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee.exe	86
PID 4568 wrote to memory of 2300	4568	619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee.exe	86
PID 4568 wrote to memory of 2300	4568	619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee.exe	86
PID 2300 wrote to memory of 3748	2300	msizap.exe	87
PID 2300 wrote to memory of 3748	2300	msizap.exe	87
PID 2300 wrote to memory of 3748	2300	msizap.exe	87
PID 2300 wrote to memory of 3748	2300	msizap.exe	87
PID 2300 wrote to memory of 3748	2300	msizap.exe	87

C:\Users\Admin\AppData\Local\Temp\619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee.exe
"C:\Users\Admin\AppData\Local\Temp\619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Local\Temp\619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee.exe
  C:\Users\Admin\AppData\Local\Temp\619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee.exe
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\windows\msizap.exe
    "C:\windows\msizap.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\windows\msizap.exe
      C:\windows\msizap.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:3748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\msizap.exe

Filesize
73KB

MD5
a1128e72309588f155d420a3b8a30796

SHA1
44a6e1b1fc91ebb36bcc5701d66d65e7c1683bf3

SHA256
619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee

SHA512
8faed513187615bf4c7090fc03c7329ddbf583cd0d595c7be03dfbbe6e10aa721159819f5f66bc5d376bfa16317ed81a72d4217c896330277ffd3fa09f06d1b2

Download Submit
C:\Windows\msizap.exe

Filesize
73KB

MD5
a1128e72309588f155d420a3b8a30796

SHA1
44a6e1b1fc91ebb36bcc5701d66d65e7c1683bf3

SHA256
619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee

SHA512
8faed513187615bf4c7090fc03c7329ddbf583cd0d595c7be03dfbbe6e10aa721159819f5f66bc5d376bfa16317ed81a72d4217c896330277ffd3fa09f06d1b2

Download Submit
C:\windows\msizap.exe

Filesize
73KB

MD5
a1128e72309588f155d420a3b8a30796

SHA1
44a6e1b1fc91ebb36bcc5701d66d65e7c1683bf3

SHA256
619f7cd04b82d573ad09512587f28d81a1b50afa53290c01a2bc06dc6b786eee

SHA512
8faed513187615bf4c7090fc03c7329ddbf583cd0d595c7be03dfbbe6e10aa721159819f5f66bc5d376bfa16317ed81a72d4217c896330277ffd3fa09f06d1b2

Download Submit
memory/644-136-0x0000000010000000-0x0000000010018200-memory.dmp

Filesize
96KB

Download
memory/644-132-0x0000000010000000-0x0000000010018200-memory.dmp

Filesize
96KB

Download
memory/2300-148-0x0000000010000000-0x0000000010018200-memory.dmp

Filesize
96KB

Download
memory/3748-150-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3748-151-0x0000000002590000-0x00000000025A6000-memory.dmp

Filesize
88KB

Download
memory/3748-152-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4568-139-0x0000000002590000-0x00000000025A6000-memory.dmp

Filesize
88KB

Download
memory/4568-138-0x0000000010000000-0x0000000010018200-memory.dmp

Filesize
96KB

Download
memory/4568-143-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4568-144-0x0000000002590000-0x00000000025A6000-memory.dmp

Filesize
88KB

Download
memory/4568-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4568-134-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing