d0fe35383667ed049142ed6e7be2b3b31a821e14cbf1ad70cfbd9874d59c23d0

General

Target

d0fe35383667ed049142ed6e7be2b3b31a821e14cbf1ad70cfbd9874d59c23d0.exe
Size

1021KB
MD5

95137d52dce532616b93fff2ddd7f5cf
SHA1

10d6a91389011af9f68c7d8c9b966c6414837a51
SHA256

d0fe35383667ed049142ed6e7be2b3b31a821e14cbf1ad70cfbd9874d59c23d0
SHA512

e9315a839209877ed52e6af31f7d2acfb1fdf8c80536948eb573b7403efcb97b498e10e840851b78ad5dc461c0fae46817d19fedb40fb3c8aaaaca2b6089d78e
SSDEEP

24576:GNvBfKBCQNr+9wiBDYt5Py+9Qo68pjkMdtYwHT4ZVGy+Xj+w9zV:GyFJ+yjPy+GApjkMdV1y+j9V

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3176	DiskMark64.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5028-135-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/5028-145-0x0000000000400000-0x000000000042C000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	d0fe35383667ed049142ed6e7be2b3b31a821e14cbf1ad70cfbd9874d59c23d0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3176	DiskMark64.exe
3176	DiskMark64.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 3176	5028	d0fe35383667ed049142ed6e7be2b3b31a821e14cbf1ad70cfbd9874d59c23d0.exe	82
PID 5028 wrote to memory of 3176	5028	d0fe35383667ed049142ed6e7be2b3b31a821e14cbf1ad70cfbd9874d59c23d0.exe	82

C:\Users\Admin\AppData\Local\Temp\d0fe35383667ed049142ed6e7be2b3b31a821e14cbf1ad70cfbd9874d59c23d0.exe
"C:\Users\Admin\AppData\Local\Temp\d0fe35383667ed049142ed6e7be2b3b31a821e14cbf1ad70cfbd9874d59c23d0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskMark\DiskMark64.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskMark\DiskMark64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskMark\CdmResource\language\SimplifiedChinese.lang

Filesize
3KB

MD5
91db3161fbebf862b666a3b798d75271

SHA1
0cc6f54f2f13f1610161195085a5d942d26fe7e1

SHA256
08516b66deab61823875dfed9e0dfe8aaebda8817b8180e238800596834a578d

SHA512
a16e683fcbcea997f6ba4b2a1c708dfccfa0f29491197d906004b5aeee160c66ba1b9abdd16f1298044f06a64e9aa93691076fd5af7b87227a32eb73981a314c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskMark\CdmResource\themes\Default\Background-300.png

Filesize
317B

MD5
f561a163c8b8611aace3e34724a3fa5e

SHA1
0dbc7c62eb9d49124bb88c3f5c5a7c7b29ad5c13

SHA256
66ca57706e6dc57bc89f82ffe8f675f6be003cce667bdb0dc6cfe34a49dbc120

SHA512
07e61f68f424ba2ec033270a1ed0c03bbb34ddce3f84425ed656495f58c054212970524e5e2d501e7050979d24ca3f006580786e280e08cf8ff949b1df287bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskMark\CdmResource\themes\Default\Button-100.png

Filesize
924B

MD5
e15adc0b6c9bf043f57058b4bc7b5c98

SHA1
898a29e420d551c32a961cffe5f88a0425c77a76

SHA256
239ee37f77f47bd4ad659d80102f09c2dfbd40c1e21349459d71eeb17041fe70

SHA512
3e1be498e0c495287437ca7c2f731b65229e1c70257be73e7ecb8dbda08d30fff6ec7fe059add1561253a9cefa6453c3ebfb74cad12d62fa4a310e7af93d186c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskMark\CdmResource\themes\Default\Comment-100.png

Filesize
149B

MD5
c1ff4f93267af709e77c9e432be70e0a

SHA1
96fc9911f484a23ad8119db6e0f188a240ccf823

SHA256
942efd0840ef57940a750f6ca8793e121b3d7391b6f73a1501ceb188df1eef20

SHA512
03f71fbb22767613fd156507b488b3d05f0b05e436bc114204fb1787e3168dbeaaee33dc61b98289d74890e669067ec8b1862118dd03800fc771057e4c33035e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskMark\CdmResource\themes\Default\Meter-100.png

Filesize
477B

MD5
7656da04023e33102a7e48eb18360c8b

SHA1
fb821bfed795517776f8b3f06ddf278489242866

SHA256
30ff8e598220b3906154cbb9fdc29b2314d8b32eb64479ca6922015fd0b4cdb3

SHA512
00752d37d3421642080dd3bea18c5b950c93b47f33cf5a5f79cc4fe58ee0a4670847c26f3bb6ebee659b3089c32650765c16dc68429b06237d7832ecde014aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskMark\CdmResource\themes\Default\theme.ini

Filesize
336B

MD5
735d49812e72631aa5c3ee78d186797e

SHA1
cca700d5146519be67e92d0615d07a9d95e4a3c2

SHA256
ae7383c83859c6df229a3d0d726648014f0e964994588fc80e1223dada6fc373

SHA512
bbffd4400f253dfb02dcf365a108415a52230e5a3f3c1b591ac47a5d5359f33b6d5d11678ffe7cbd4f418ce9da907cdd4f58df32615fcab559588d5d467f74f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskMark\DiskMark64.exe

Filesize
855KB

MD5
6b94198aaae330ff92777ab587ca99cf

SHA1
de6df27b52298034c5dc90f2213eecbb99aa2636

SHA256
9aa2bfaf6877bec9cef7d30f211594e8e56d4920b171f99631d368dbf25bc06e

SHA512
f0527785891748177f0ecc9f18b28111879809a735e6fb5695f7254cbdd29d7072a9f2944c2e05be79f9d7a23e12144482e5b7683b747cfbfa260866c1ffbe98

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskMark\DiskMark64.ini

Filesize
142B

MD5
8cdd7960b0f71b08673c2d7dab519262

SHA1
7947c3343954547a6333b560b4b331891756362f

SHA256
6d72504e57ed3a19165bb521afa930192dd27a4fb34140787880b04abe74223b

SHA512
0b17b42f99c15b871539bf19b5e677c54816d5be32db12f695f83608f397155d3ed5f86f4e0197a17edb318cc210ecaf3fd16fd6c2da67164f657d91c6ca8151

Download Submit
memory/5028-135-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5028-145-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing