25693e23db1aeb584b8b63b8c4aaf6f32e6da57e3931589ef48b4d3ef62e1ec0

General

Target

25693e23db1aeb584b8b63b8c4aaf6f32e6da57e3931589ef48b4d3ef62e1ec0.exe
Size

236KB
MD5

841159138121f9b5abcc76c21cbc30f0
SHA1

773311f6b6f3d6ddb93d03361ac663c7a6070c9f
SHA256

25693e23db1aeb584b8b63b8c4aaf6f32e6da57e3931589ef48b4d3ef62e1ec0
SHA512

41ea1542770c36acfe4461422a252fa00d705a0ed83541c6b6936f27aff7e490969b07bb8a2812a606fd25aafa1410777cd0448587e4ed3dd39bc6118181018b
SSDEEP

6144:fsaocyLCz5xfD9Aoum15iUef2uL3oKtklw3xQrRh86:ftobE5xfDSoftbuL3oSkl2An

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
996	install.exe
3300	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	install.exe

Loads dropped DLL 1 IoCs

pid	Process
1984	25693e23db1aeb584b8b63b8c4aaf6f32e6da57e3931589ef48b4d3ef62e1ec0.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	install.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	install.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	install.exe
File created	C:\Windows\assembly\Desktop.ini	install.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b817e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	install.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3300	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3300	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe
3300	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 996	1984	25693e23db1aeb584b8b63b8c4aaf6f32e6da57e3931589ef48b4d3ef62e1ec0.exe	82
PID 1984 wrote to memory of 996	1984	25693e23db1aeb584b8b63b8c4aaf6f32e6da57e3931589ef48b4d3ef62e1ec0.exe	82
PID 996 wrote to memory of 3300	996	install.exe	84
PID 996 wrote to memory of 3300	996	install.exe	84
PID 996 wrote to memory of 3300	996	install.exe	84

C:\Users\Admin\AppData\Local\Temp\25693e23db1aeb584b8b63b8c4aaf6f32e6da57e3931589ef48b4d3ef62e1ec0.exe
"C:\Users\Admin\AppData\Local\Temp\25693e23db1aeb584b8b63b8c4aaf6f32e6da57e3931589ef48b4d3ef62e1ec0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\install.exe
  C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\install.exe 4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f /e5830377 /dT131812223S /t
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe
    "C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe" /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f /e5830377 /dT131812223S /t
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F39B5CFACECFDE48DB25BCA2231FAC6_F0E2901B5CB9DFCB03318B8D06C40A30

Filesize
1KB

MD5
50c32d85c6d0268bb980e8b4c9a3476a

SHA1
6299d65714a69fa3382fd66181c85646106c7cb8

SHA256
12c180b5928a568d3ea0c13e093a5b4669d97fe241e950db6f77a66ee80edbd5

SHA512
a2efcaafc9ba4894c67ff1c02af77b64b7048158cd042cd2af205ceebb99fb19b645f610307382fd37d9782a6963b9f1f712aa41e2838ba8a8b71dcdbc931cba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F39B5CFACECFDE48DB25BCA2231FAC6_F0E2901B5CB9DFCB03318B8D06C40A30

Filesize
412B

MD5
c662aec6ab29c3f0fcfebb0cf23f569d

SHA1
72760292aa48436aebc8b5bf39eec6910139520c

SHA256
d2d58d4877b1915855a60172a51086c76c98828669396d1de19ac7c2a2f5a3e2

SHA512
0a2d804a10479cbd7a58824d0f8dc6c45282fe0f895b95780c2c27fbf7c68a2b5bc5ba8959b06ae1cae433d3d79116feb34ac2a683a962ae572ba072a1cdfea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Filesize
248KB

MD5
7764bda340016cc3e52b3536240e7bf6

SHA1
c8dde3edd067632ba3a5810c6bd668463a274187

SHA256
7775233004993c2a122cc7adae844ceda1bc56c969867f8bcab1ae3fe2d61103

SHA512
6040b6873f204a19a766d5c150a0dec21d49010fa9975c8148a52ceae7c74eabdb9f6da3e9c633dbd1c1c6b064485dd18f34a6d94402fa6454505eb05cb1fb17

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Filesize
248KB

MD5
7764bda340016cc3e52b3536240e7bf6

SHA1
c8dde3edd067632ba3a5810c6bd668463a274187

SHA256
7775233004993c2a122cc7adae844ceda1bc56c969867f8bcab1ae3fe2d61103

SHA512
6040b6873f204a19a766d5c150a0dec21d49010fa9975c8148a52ceae7c74eabdb9f6da3e9c633dbd1c1c6b064485dd18f34a6d94402fa6454505eb05cb1fb17

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\install.exe

Filesize
181KB

MD5
184a43e8f2ea6b1b919fb3348a2bc281

SHA1
abac787a699e965a866c596360a3cea6be7f65fc

SHA256
fd14aeaab64d9c57dfe9b6ab03bb25f0b02f8a70848d55e2b80f16eb5845f393

SHA512
b2abf436f21b3257edccced97badd4d0af383be7644568e6629f21fdd41703335ca7bcf2d99ef844db16bbe9aa5d0bfe7e5933d9302ca033ac7c08e4958235b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\install.exe

Filesize
181KB

MD5
184a43e8f2ea6b1b919fb3348a2bc281

SHA1
abac787a699e965a866c596360a3cea6be7f65fc

SHA256
fd14aeaab64d9c57dfe9b6ab03bb25f0b02f8a70848d55e2b80f16eb5845f393

SHA512
b2abf436f21b3257edccced97badd4d0af383be7644568e6629f21fdd41703335ca7bcf2d99ef844db16bbe9aa5d0bfe7e5933d9302ca033ac7c08e4958235b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp745.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/3300-140-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/3300-143-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing