93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e

General

Target

93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e.exe
Size

207KB
MD5

9399e7b6aaff16cb3991886f22b9ab00
SHA1

6182712304dd5de97c7a5c58fbcc4c50b377a92b
SHA256

93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e
SHA512

ee6f72309b0c7bf4cec908c9d0c2dd2d740b33e54a8820335b7f2ec6beb0c6007f32c882a8679ef0f93333f665913cfbaee0acb5c1e33c5acf129350c161011b
SSDEEP

3072:NX7DItrfaocyTgfsqQOlJlCCsqY9P1Aq7cngeFJEjOt9FhQ/Fi48AkybWAekvwc+:NsaocyLCZs13Xcnge863opWo5j3SFBb7

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
392	installer.exe
1416	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	installer.exe

Loads dropped DLL 1 IoCs

pid	Process
5024	93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	installer.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	installer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	installer.exe
File created	C:\Windows\assembly\Desktop.ini	installer.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1416	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe
1416	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 392	5024	93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e.exe	83
PID 5024 wrote to memory of 392	5024	93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e.exe	83
PID 392 wrote to memory of 1416	392	installer.exe	85
PID 392 wrote to memory of 1416	392	installer.exe	85
PID 392 wrote to memory of 1416	392	installer.exe	85

C:\Users\Admin\AppData\Local\Temp\93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e.exe
"C:\Users\Admin\AppData\Local\Temp\93ca3f63d340e0bbe1b1efc8fe60f7464639cb0d0fb8ed83fcf426318197379e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\Temp\nsfADDB.tmp\installer.exe
  C:\Users\Admin\AppData\Local\Temp\nsfADDB.tmp\installer.exe 4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f /e5830644 /dT131762338S /t
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\nsfADDB.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe
    "C:\Users\Admin\AppData\Local\Temp\nsfADDB.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe" /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f /e5830644 /dT131762338S /t
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsfADDB.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Filesize
243KB

MD5
678d9bcf0b164946ecc4a7d422b93019

SHA1
ea0dc87b3434456f22cca5b6aa76678243ceff04

SHA256
f477294269369396f69f8f00db98661d2e1129c9b91d802af2509283a69ca062

SHA512
4fc2c36823e32af34366d217a1ccde551d79ee7a8b4ff633eb3c6b88936bcce9c5d4426f35798744184339e5c4c0709aad16a4226b60da7cf61a2d7b73f72deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfADDB.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Filesize
243KB

MD5
678d9bcf0b164946ecc4a7d422b93019

SHA1
ea0dc87b3434456f22cca5b6aa76678243ceff04

SHA256
f477294269369396f69f8f00db98661d2e1129c9b91d802af2509283a69ca062

SHA512
4fc2c36823e32af34366d217a1ccde551d79ee7a8b4ff633eb3c6b88936bcce9c5d4426f35798744184339e5c4c0709aad16a4226b60da7cf61a2d7b73f72deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfADDB.tmp\installer.exe

Filesize
174KB

MD5
9f338169d5cb0adf87025314e78be9ad

SHA1
1d4a15849706dfa24ed641bd46f95ef9f0a86751

SHA256
56cc8358d9947423db5f7c141091c3f3d42c3e78de1a39d6d559e85fae9066ff

SHA512
ece37478bd7f000aa3dbd60a22a7bca849cf7792e429d05e40766a9a4aff35979af8324348a9aba7d6c019f008b6c3d67c27a8dfcc8381c32a5d933dc556485f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfADDB.tmp\installer.exe

Filesize
174KB

MD5
9f338169d5cb0adf87025314e78be9ad

SHA1
1d4a15849706dfa24ed641bd46f95ef9f0a86751

SHA256
56cc8358d9947423db5f7c141091c3f3d42c3e78de1a39d6d559e85fae9066ff

SHA512
ece37478bd7f000aa3dbd60a22a7bca849cf7792e429d05e40766a9a4aff35979af8324348a9aba7d6c019f008b6c3d67c27a8dfcc8381c32a5d933dc556485f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfADDB.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/392-139-0x00007FFCECD20000-0x00007FFCED756000-memory.dmp

Filesize
10.2MB

Download
memory/1416-143-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1416-144-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing