fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2

General

Target

fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2.exe
Size

518KB
MD5

59a1209fd5104cdf65e1b754cb37b6fe
SHA1

479d9d79431b30eaf21fb94bb17cad8b29bf2b25
SHA256

fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2
SHA512

31c6753527543ddd35001ab0df7bbe7d8fec858d3344040023479b939654c175947e81c2ad753a1ddc1af1a21cb0c87b316ce268f26933b07c24e0c7aa399c15
SSDEEP

12288:BIFs0zHpoflirqzRI6APGeCC58ZzRX/PEeVrpw8ggffFNY:Ss2oUoIFPGs58ZWeZpJrffU

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2444	server.exe
5104	server.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4964-132-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4964-137-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/4964-151-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 2444	4964	fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2.exe	82
PID 4964 wrote to memory of 2444	4964	fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2.exe	82
PID 4964 wrote to memory of 2444	4964	fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2.exe	82
PID 2444 wrote to memory of 5104	2444	server.exe	83
PID 2444 wrote to memory of 5104	2444	server.exe	83
PID 2444 wrote to memory of 5104	2444	server.exe	83

C:\Users\Admin\AppData\Local\Temp\fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2.exe
"C:\Users\Admin\AppData\Local\Temp\fe911f2c398654fee81bb607a11376e6149e12984969a6a4c388a0022ab5e0a2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4964
- C:\server.exe
  "C:\server.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    3⤵
    - Executes dropped EXE
    PID:5104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
213KB

MD5
74d99ee65f4b76339e026911590fa1fb

SHA1
8a824b87d7a980b7a632fcbaeb7fcdf41b09e4d9

SHA256
08522880b7c4c69674ad3242f042b941759a7e0c085b4720b29f183cc3bfda16

SHA512
07a85686505bc35a251f4adf02023f1e0765a8f464e2d5287e70449381f17fa3b9249c446ab4959fa200fbace9578e1442ec8d984e1862623afb6ecf50e4b2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
213KB

MD5
74d99ee65f4b76339e026911590fa1fb

SHA1
8a824b87d7a980b7a632fcbaeb7fcdf41b09e4d9

SHA256
08522880b7c4c69674ad3242f042b941759a7e0c085b4720b29f183cc3bfda16

SHA512
07a85686505bc35a251f4adf02023f1e0765a8f464e2d5287e70449381f17fa3b9249c446ab4959fa200fbace9578e1442ec8d984e1862623afb6ecf50e4b2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe-up.txt

Filesize
5KB

MD5
c548f9962a465f9fd61150557bf00422

SHA1
2506087c02eb73f4660f7995ac4f5a63c2da4e7d

SHA256
1e996b9e2a779885a3dd61bbe3b32125bbc35e4030eba542834c2cd2b15640c2

SHA512
6a52cd210e84c1bfd1ecb13a7cbb9188e8005f2aa057b065223543e91630adbef4e0957218e945ea497c81c149fd925acf577f9d25f5247e909f61efb3dd4889

Download Submit
C:\server.exe

Filesize
364KB

MD5
b723a6e300a5f0f86d488aeaab4b81e0

SHA1
8fccdaf0e16ce1baebf2466dd169463cd488070d

SHA256
0b21af1244263139d20f32796f0f3c41a97bea06afa906e2086732ef0a513c85

SHA512
3e2e6f504195cb5ae837e50433d1c8742d06206ac52febb105fc5fa4b04d7735efecae0da0ea259dea308adbaaaa3b66fc394a93ad3c323879a5d737329e43ad

Download Submit
C:\server.exe

Filesize
364KB

MD5
b723a6e300a5f0f86d488aeaab4b81e0

SHA1
8fccdaf0e16ce1baebf2466dd169463cd488070d

SHA256
0b21af1244263139d20f32796f0f3c41a97bea06afa906e2086732ef0a513c85

SHA512
3e2e6f504195cb5ae837e50433d1c8742d06206ac52febb105fc5fa4b04d7735efecae0da0ea259dea308adbaaaa3b66fc394a93ad3c323879a5d737329e43ad

Download Submit
memory/2444-138-0x0000000001000000-0x000000000105B000-memory.dmp

Filesize
364KB

Download
memory/2444-146-0x0000000001000000-0x000000000105B000-memory.dmp

Filesize
364KB

Download
memory/2444-139-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download
memory/2444-140-0x00000000004D0000-0x0000000000509000-memory.dmp

Filesize
228KB

Download
memory/2444-141-0x0000000001000000-0x000000000105B000-memory.dmp

Filesize
364KB

Download
memory/2444-150-0x0000000001000000-0x000000000105B000-memory.dmp

Filesize
364KB

Download
memory/2444-136-0x0000000001000000-0x000000000105B000-memory.dmp

Filesize
364KB

Download
memory/2444-147-0x00000000004D0000-0x0000000000509000-memory.dmp

Filesize
228KB

Download
memory/4964-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4964-132-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4964-151-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5104-145-0x00000000006C0000-0x000000000070C000-memory.dmp

Filesize
304KB

Download
memory/5104-148-0x00000000006C0000-0x000000000070C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing