5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a

General

Target

5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a.exe
Size

92KB
MD5

93d63b733d33f4c64488d5854f962c00
SHA1

63d86ec9a0773d108efc1b12b3446cd8d312bb55
SHA256

5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a
SHA512

3d93846b88ceb0618e7d4193aa0b99a876169db05cbf75e5bf991a957c808ce58180c219815b9908ac53d25a82e58231abf0252b15b95c06cb7b8d511c6340b2
SSDEEP

1536:nj2AwKrSEqxQxK+oyEIXQ7+JLIzbPhwxw8lepaptXN883IPpLh29JbbEokDU:j2AwNc0AXQ7+crmVokpNSxTABt

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2612	eidolon.exe
2088	5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a.exe
216	USBServers32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\windows\currentVersion\run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\USBServers32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\USBServers32.exe"	reg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell32.dll	eidolon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 2612	4824	5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a.exe	83
PID 4824 wrote to memory of 2612	4824	5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a.exe	83
PID 4824 wrote to memory of 2612	4824	5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a.exe	83
PID 4824 wrote to memory of 3096	4824	5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a.exe	84
PID 4824 wrote to memory of 3096	4824	5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a.exe	84
PID 4824 wrote to memory of 3096	4824	5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a.exe	84
PID 4824 wrote to memory of 3828	4824	5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a.exe	86
PID 4824 wrote to memory of 3828	4824	5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a.exe	86
PID 4824 wrote to memory of 3828	4824	5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a.exe	86
PID 3828 wrote to memory of 2088	3828	cmd.exe	88
PID 3828 wrote to memory of 2088	3828	cmd.exe	88
PID 3828 wrote to memory of 2088	3828	cmd.exe	88
PID 3828 wrote to memory of 216	3828	cmd.exe	89
PID 3828 wrote to memory of 216	3828	cmd.exe	89
PID 3828 wrote to memory of 216	3828	cmd.exe	89
PID 216 wrote to memory of 796	216	USBServers32.exe	90
PID 216 wrote to memory of 796	216	USBServers32.exe	90
PID 216 wrote to memory of 796	216	USBServers32.exe	90
PID 796 wrote to memory of 3460	796	cmd.exe	92
PID 796 wrote to memory of 3460	796	cmd.exe	92
PID 796 wrote to memory of 3460	796	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a.exe
"C:\Users\Admin\AppData\Local\Temp\5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\eidolon.exe
  "C:\Users\Admin\AppData\Local\Temp\eidolon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\temp\tttdelzzz.bat" "
  2⤵
  PID:3096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\temp\tttbrozzz.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Users\Admin\AppData\Local\Temp\5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a.exe
    "C:\Users\Admin\AppData\Local\Temp\5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a.exe"
    3⤵
    - Executes dropped EXE
    PID:2088
- - C:\Users\Admin\AppData\Local\Temp\USBServers32.exe
    "C:\Users\Admin\AppData\Local\Temp\USBServers32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\windows\currentVersion\run /v USBServers32 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\USBServers32.exe" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:796
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\windows\currentVersion\run /v USBServers32 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\USBServers32.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:3460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5d70fa916dddc12d1966529883ab08b59efb239a03a82ef30b8ba4bd97a3f39a.exe

Filesize
37KB

MD5
fd9aa418a3248e939b2e3c045d606e92

SHA1
fcdbbb36b74f19406278db05919e64d449adbb41

SHA256
899f0f597f01d496a4bdfb8e0185a0a3ba68967d98079589e80de192fc035703

SHA512
977f22cfb94a0e3aede44a17134298dab2d4ca5f74e62e0b0d62a869e4173d82fe67d669968c3e353fef2e15082f8e1705d05664a56784695fefa565e2c262fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBServers32.exe

Filesize
54KB

MD5
6428b1de8971e837926de5b464725f64

SHA1
19d7ce6fff617b790f9de7bf99406e61061f0594

SHA256
8f53ab3cd172f685568e0cbb51eb7dfd2389a5fe6aaf47d0aa7d823253e673ee

SHA512
7938b01ce48bcdd3276c83f82fc71407d101f2e884b3f271a17fcf4c60af642faf57047edab97906351217f79847107757283af3fbfc3059cf4eb8e8d778d026

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBServers32.exe

Filesize
54KB

MD5
6428b1de8971e837926de5b464725f64

SHA1
19d7ce6fff617b790f9de7bf99406e61061f0594

SHA256
8f53ab3cd172f685568e0cbb51eb7dfd2389a5fe6aaf47d0aa7d823253e673ee

SHA512
7938b01ce48bcdd3276c83f82fc71407d101f2e884b3f271a17fcf4c60af642faf57047edab97906351217f79847107757283af3fbfc3059cf4eb8e8d778d026

Download Submit
C:\Users\Admin\AppData\Local\Temp\eidolon.exe

Filesize
24KB

MD5
f3858fb30c8ddb74a11e85381009c438

SHA1
ab388dbb45109acd543d28030daf065e50e20a1b

SHA256
a1bf9bc23f97fee5a83ddcb3ba4d8fbbcc70fb2d871b325261be0ded72196fe9

SHA512
6aeb783c6ed7108480f956fd5b54a39a26d6257dc1c472d4d16700eb76be4276690596702fbc9a078662627673965584accf90449cd08dec461806ae3d57c0d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eidolon.exe

Filesize
24KB

MD5
f3858fb30c8ddb74a11e85381009c438

SHA1
ab388dbb45109acd543d28030daf065e50e20a1b

SHA256
a1bf9bc23f97fee5a83ddcb3ba4d8fbbcc70fb2d871b325261be0ded72196fe9

SHA512
6aeb783c6ed7108480f956fd5b54a39a26d6257dc1c472d4d16700eb76be4276690596702fbc9a078662627673965584accf90449cd08dec461806ae3d57c0d1

Download Submit
C:\Windows\temp\Server32History.dat

Filesize
37KB

MD5
fd9aa418a3248e939b2e3c045d606e92

SHA1
fcdbbb36b74f19406278db05919e64d449adbb41

SHA256
899f0f597f01d496a4bdfb8e0185a0a3ba68967d98079589e80de192fc035703

SHA512
977f22cfb94a0e3aede44a17134298dab2d4ca5f74e62e0b0d62a869e4173d82fe67d669968c3e353fef2e15082f8e1705d05664a56784695fefa565e2c262fa

Download Submit
C:\Windows\temp\tttbrozzz.bat

Filesize
619B

MD5
11c954df2747603320031048077a43c9

SHA1
a3ba7949ffc100f0a131dbaa57641902291f28b7

SHA256
7fad654a85cd8b48cf5ce4338857c9dcda8998f6e796bd0cf4dc90173995cc5d

SHA512
d75d6a02843d1129ded907cc0f52203183c536daffc31dccf56b76df8053aba8b9dd04a8571631b1c8006fca414057833095247d4656cf1e68cd59374e4045b6

Download Submit
C:\Windows\temp\tttdelzzz.bat

Filesize
327B

MD5
d7ae40d256a0f06d26c9ff7d59b5f469

SHA1
1a36f1c0ed778f30eaf8bce42503dca035652b4e

SHA256
214f2b425582c51ae12d7d77f2a885ccd670412aaa5d31ebdcc3c3acc27f5177

SHA512
34f819d6ba271de830ed711c376953f7d2d537e3f3cfe1739cbb54aef47b5603e2b0053ee21c2b9a334b88df64683a517d655eaec8bc91777dac4b0c86f2d5cb

Download Submit

Analysis

Sharing