a7b3852ce66047a12c1d9fbde162623989370d7691b65b1bf707ab6208cafb25

General

Target

a7b3852ce66047a12c1d9fbde162623989370d7691b65b1bf707ab6208cafb25.exe
Size

92KB
MD5

829c571d4e493decde84cae4da3b3d00
SHA1

3d4672501d68ed72493b553820cc64674a9fb398
SHA256

a7b3852ce66047a12c1d9fbde162623989370d7691b65b1bf707ab6208cafb25
SHA512

67dc58bd1740808b4c6b60a55e5088c89b12265602b877e277896b4d019ac381aae29c4a850ccc32d7e62dd1695038478bcd7eb1a11395658419b1a025655cd6
SSDEEP

1536:vztXrx6mqhy3gnjTH9ZYmOEI9TwjXTQbFaxXni51pY:Nx6mqhy3gnjTH9ZYmOx9TwHQbFaxsW

Score

8^/10

persistence upx vmprotect

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2596-132-0x0000000000400000-0x0000000000419000-memory.dmp	upx

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0009000000022e25-137.dat	vmprotect
behavioral2/files/0x0009000000022e25-138.dat	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a7b3852ce66047a12c1d9fbde162623989370d7691b65b1bf707ab6208cafb25.exe

Loads dropped DLL 2 IoCs

pid	Process
1408	rundll32.exe
1408	rundll32.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sfcos.dll	a7b3852ce66047a12c1d9fbde162623989370d7691b65b1bf707ab6208cafb25.exe
File opened for modification	C:\Windows\SysWOW64\sfcos.dll	a7b3852ce66047a12c1d9fbde162623989370d7691b65b1bf707ab6208cafb25.exe
File created	C:\Windows\SysWOW64\systemp	a7b3852ce66047a12c1d9fbde162623989370d7691b65b1bf707ab6208cafb25.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1408	rundll32.exe
1408	rundll32.exe
1408	rundll32.exe
1408	rundll32.exe
1408	rundll32.exe
1408	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2052	2596	a7b3852ce66047a12c1d9fbde162623989370d7691b65b1bf707ab6208cafb25.exe	79
PID 2596 wrote to memory of 2052	2596	a7b3852ce66047a12c1d9fbde162623989370d7691b65b1bf707ab6208cafb25.exe	79
PID 2596 wrote to memory of 2052	2596	a7b3852ce66047a12c1d9fbde162623989370d7691b65b1bf707ab6208cafb25.exe	79
PID 2596 wrote to memory of 5004	2596	a7b3852ce66047a12c1d9fbde162623989370d7691b65b1bf707ab6208cafb25.exe	81
PID 2596 wrote to memory of 5004	2596	a7b3852ce66047a12c1d9fbde162623989370d7691b65b1bf707ab6208cafb25.exe	81
PID 2596 wrote to memory of 5004	2596	a7b3852ce66047a12c1d9fbde162623989370d7691b65b1bf707ab6208cafb25.exe	81
PID 5004 wrote to memory of 1408	5004	cmd.exe	83
PID 5004 wrote to memory of 1408	5004	cmd.exe	83
PID 5004 wrote to memory of 1408	5004	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\a7b3852ce66047a12c1d9fbde162623989370d7691b65b1bf707ab6208cafb25.exe
"C:\Users\Admin\AppData\Local\Temp\a7b3852ce66047a12c1d9fbde162623989370d7691b65b1bf707ab6208cafb25.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\sfc.exe
  "C:\Windows\system32\sfc.exe" /REVERT
  2⤵
  PID:2052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\del.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\system32\s6am.ime,Runed
    3⤵
    - Loads dropped DLL
    - Modifies WinLogon
    - Suspicious behavior: EnumeratesProcesses
    PID:1408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\s6am.ime

Filesize
53KB

MD5
0482db20d77f48d7f60dcfcf8758ca80

SHA1
927b9b8f75018ff7cb2e281c9a3e1bf91c648e98

SHA256
0a44d6917096257bd6aee903acf1283f3436c20c1bbd74fde1adca5de09c5df0

SHA512
5ac094c9e5351fd8658167cd292aed7433b1943b51343b36cac7acb10eac22c650645716f3331d3a8df27d6411fd24911ef61f6c66fff269ce0f3f86a791e6ba

Download Submit
C:\Windows\SysWOW64\s6am.ime

Filesize
53KB

MD5
0482db20d77f48d7f60dcfcf8758ca80

SHA1
927b9b8f75018ff7cb2e281c9a3e1bf91c648e98

SHA256
0a44d6917096257bd6aee903acf1283f3436c20c1bbd74fde1adca5de09c5df0

SHA512
5ac094c9e5351fd8658167cd292aed7433b1943b51343b36cac7acb10eac22c650645716f3331d3a8df27d6411fd24911ef61f6c66fff269ce0f3f86a791e6ba

Download Submit
C:\Windows\SysWOW64\sfcos.dll

Filesize
48KB

MD5
98c499fccb739ab23b75c0d8b98e0481

SHA1
0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

SHA256
d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

SHA512
9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

Download Submit
C:\Windows\SysWOW64\sfcos.dll

Filesize
48KB

MD5
98c499fccb739ab23b75c0d8b98e0481

SHA1
0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

SHA256
d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

SHA512
9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

Download Submit
C:\Windows\SysWOW64\systemp

Filesize
4KB

MD5
c508ac8d5cd9412c5facc89c75f72f84

SHA1
be568e613fcd4382d9e55a7ad52e59c904d28b19

SHA256
9a41324466cad79fa321896b1f7b7e6eee500535d3e30ca8a86e07f8b261e5a9

SHA512
a8422381db900e3a78f751333da637a3ff2c34081672c1fca74da6aadd56fd5d0aa000500ea0d277be36235c8dfbf9fc9d9600394b6ee583e4b36315968ffb83

Download Submit
\??\c:\del.bat

Filesize
195B

MD5
02b0af2f17d4cd91fb690c8d6afe6f91

SHA1
3022451f70fc5a21094fc763bc5092ba2fafe1d7

SHA256
1591a4c6a0e8d9d428822157d73d25cd9ecb92b3d93a3fcf2b434fcfc2378448

SHA512
4762c4e449871e9038ea7e39ab82fceab8b559bd8d14c0c4c5f6567bba6d58196d82efd7fdcff9e2aa0f452ed1859120e3593a21ec8c11771038a57fae452156

Download Submit
memory/2596-132-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing