1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7

General

Target

1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe
Size

841KB
MD5

445ae5da5b5ee37e7b5a636be7b5e150
SHA1

e8ed7e37ddd343e31324070db6d7296daf57d912
SHA256

1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7
SHA512

5292191698bf70d146331679697159f3aed36a53d2de4ea0fdd4c3fa3f0e2f09ed076e69306fe94187268fc492008fb041d9548370c4bd88a27846e9e7ad261d
SSDEEP

12288:lnqXRRt2NZ3YVS6B7sIs6bhlNo9moemYLlI+EzZSaG3AZd8+5a1xDx:lnQt2NZ+SSds6Pq9mmgzEzZ6Kf2Zx

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4224	cleansweep.exe
3196	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cleansweep.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\svchost.exe"	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4312	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe
4312	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe
4312	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cleansweep.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4312	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe
4312	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3196	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4312	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 4224	4312	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe	84
PID 4312 wrote to memory of 4224	4312	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe	84
PID 4312 wrote to memory of 4224	4312	1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe	84
PID 4224 wrote to memory of 3196	4224	cleansweep.exe	85
PID 4224 wrote to memory of 3196	4224	cleansweep.exe	85
PID 4224 wrote to memory of 3196	4224	cleansweep.exe	85

C:\Users\Admin\AppData\Local\Temp\1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe
"C:\Users\Admin\AppData\Local\Temp\1f20e0ff1be14207800d76ffd653c70ac3165c6cdd865c7f44cce549581844f7.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Local\Temp\cleansweep.exe
  "C:\Users\Admin\AppData\Local\Temp\cleansweep.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Users\Admin\AppData\Local\Microsoft\svchost.exe
    "C:\Users\Admin\AppData\Local\Microsoft\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:3196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\svchost.exe

Filesize
128KB

MD5
a9ef67e0bc0290401b554137b83d15d4

SHA1
ed6662d88dc4fcc85ab5bacce1a400766a7267f7

SHA256
63a79a49675c67de6a15ca67872a3c0aeb32751cab42e689606f87498f7e34a1

SHA512
044367e0e297e8c6857daa370ada50e58ef77ac826be2c2c5dc6537a0fce3f4431ca9218664a1ee3b87555856f63c311d0da0a2744698596c4d2c34f6a82d840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svchost.exe

Filesize
128KB

MD5
a9ef67e0bc0290401b554137b83d15d4

SHA1
ed6662d88dc4fcc85ab5bacce1a400766a7267f7

SHA256
63a79a49675c67de6a15ca67872a3c0aeb32751cab42e689606f87498f7e34a1

SHA512
044367e0e297e8c6857daa370ada50e58ef77ac826be2c2c5dc6537a0fce3f4431ca9218664a1ee3b87555856f63c311d0da0a2744698596c4d2c34f6a82d840

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleansweep.exe

Filesize
128KB

MD5
a9ef67e0bc0290401b554137b83d15d4

SHA1
ed6662d88dc4fcc85ab5bacce1a400766a7267f7

SHA256
63a79a49675c67de6a15ca67872a3c0aeb32751cab42e689606f87498f7e34a1

SHA512
044367e0e297e8c6857daa370ada50e58ef77ac826be2c2c5dc6537a0fce3f4431ca9218664a1ee3b87555856f63c311d0da0a2744698596c4d2c34f6a82d840

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleansweep.exe

Filesize
128KB

MD5
a9ef67e0bc0290401b554137b83d15d4

SHA1
ed6662d88dc4fcc85ab5bacce1a400766a7267f7

SHA256
63a79a49675c67de6a15ca67872a3c0aeb32751cab42e689606f87498f7e34a1

SHA512
044367e0e297e8c6857daa370ada50e58ef77ac826be2c2c5dc6537a0fce3f4431ca9218664a1ee3b87555856f63c311d0da0a2744698596c4d2c34f6a82d840

Download Submit
memory/3196-144-0x0000000000000000-mapping.dmp

Download
memory/4224-140-0x0000000000000000-mapping.dmp

Download
memory/4312-135-0x0000000005700000-0x000000000579C000-memory.dmp

Filesize
624KB

Download
memory/4312-139-0x00000000058A0000-0x00000000058F6000-memory.dmp

Filesize
344KB

Download
memory/4312-138-0x0000000003580000-0x000000000358A000-memory.dmp

Filesize
40KB

Download
memory/4312-137-0x00000000057A0000-0x0000000005832000-memory.dmp

Filesize
584KB

Download
memory/4312-136-0x0000000005D50000-0x00000000062F4000-memory.dmp

Filesize
5.6MB

Download
memory/4312-143-0x0000000000D80000-0x00000000011A0000-memory.dmp

Filesize
4.1MB

Download
memory/4312-132-0x0000000000D80000-0x00000000011A0000-memory.dmp

Filesize
4.1MB

Download
memory/4312-134-0x0000000000D80000-0x00000000011A0000-memory.dmp

Filesize
4.1MB

Download
memory/4312-133-0x0000000000D80000-0x00000000011A0000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing