7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215

General

Target

7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe
Size

180KB
MD5

a019e421bb952a5124a7df2f7e444974
SHA1

7ec3bd0d9232c21ae01c953832b84fcf5a11e73e
SHA256

7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215
SHA512

1124dc9f9f69b7d44c8e9c2f773f379e2847bfd9effbe5ec5367bfd041eedd666c381da60fd2e923d3f332eb5db339c89593f7a003bb593978bb4bb2721bdc98
SSDEEP

3072:UxiYwPo9MtNetCAZIZiwGnLXndHVc+8dstVwurByIaCfbiPofX7nLGYZ9ksO4SE/:Uxipg94NGsZCe+8dstVwudyIaM+PSXf5

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe\""	7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe

Disables Task Manager via registry modification
evasion

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3256-133-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/3256-134-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/3256-137-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/3256-136-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/3256-138-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/3256-139-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/3256-141-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3892 set thread context of 3256	3892	7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4752	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4752	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 3256	3892	7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe	82
PID 3892 wrote to memory of 3256	3892	7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe	82
PID 3892 wrote to memory of 3256	3892	7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe	82
PID 3892 wrote to memory of 3256	3892	7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe	82
PID 3892 wrote to memory of 3256	3892	7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe	82
PID 3892 wrote to memory of 3256	3892	7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe	82
PID 3892 wrote to memory of 3256	3892	7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe	82
PID 3892 wrote to memory of 3256	3892	7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe	82
PID 3256 wrote to memory of 4752	3256	7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe	83
PID 3256 wrote to memory of 4752	3256	7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe	83
PID 3256 wrote to memory of 4752	3256	7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe	83

C:\Users\Admin\AppData\Local\Temp\7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe
"C:\Users\Admin\AppData\Local\Temp\7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Users\Admin\AppData\Local\Temp\7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe
  7a7fafaddf2a068b147074194854e0f4964a0ca0385612929c6b0f27d1f77215.exe
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3256-133-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3256-134-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3256-137-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3256-136-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3256-138-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3256-139-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3256-141-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing