3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1

General

Target

3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1.exe
Size

9.7MB
MD5

370face2217f895e49ddb4e35e8e3e82
SHA1

6b832f9e68bba84793999fe046ef78dca0b2b368
SHA256

3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1
SHA512

d578118640d5f994c9ab9062b80e97c933c677c6005ee8ce4aab251d7e974f6949ae1c6cff7569d6473f62e62108845205bb401783b2c094e14a69f5e59b185d
SSDEEP

196608:Dr4xPwOOnujoYRP1y9WbrdHO6b0NnpM9dO7Grk6sKA763IT:ePLOujobirkVnMdUh6dA7a4

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\system32\drivers\etc\hоsts	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
5112	lykelkyhxntxufha.exe
4808	msoffice_2013_activation.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	lykelkyhxntxufha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2648	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4808	msoffice_2013_activation.exe
4808	msoffice_2013_activation.exe
4808	msoffice_2013_activation.exe
4808	msoffice_2013_activation.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5112	lykelkyhxntxufha.exe
4808	msoffice_2013_activation.exe
1972	cmd.exe
4808	msoffice_2013_activation.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 5112	4560	3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1.exe	80
PID 4560 wrote to memory of 5112	4560	3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1.exe	80
PID 4560 wrote to memory of 5112	4560	3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1.exe	80
PID 5112 wrote to memory of 1972	5112	lykelkyhxntxufha.exe	82
PID 5112 wrote to memory of 1972	5112	lykelkyhxntxufha.exe	82
PID 5112 wrote to memory of 1972	5112	lykelkyhxntxufha.exe	82
PID 5112 wrote to memory of 4808	5112	lykelkyhxntxufha.exe	84
PID 5112 wrote to memory of 4808	5112	lykelkyhxntxufha.exe	84
PID 5112 wrote to memory of 4808	5112	lykelkyhxntxufha.exe	84
PID 1972 wrote to memory of 4800	1972	cmd.exe	85
PID 1972 wrote to memory of 4800	1972	cmd.exe	85
PID 1972 wrote to memory of 4800	1972	cmd.exe	85
PID 1972 wrote to memory of 2648	1972	cmd.exe	87
PID 1972 wrote to memory of 2648	1972	cmd.exe	87
PID 1972 wrote to memory of 2648	1972	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1.exe
"C:\Users\Admin\AppData\Local\Temp\3e3e3f5c37238aacc44dedc36bc8b021240fe7e29efb4c6dae69bcf9599847b1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Local\Temp\lykelkyhxntxufha.exe
  "C:\Users\Admin\AppData\Local\Temp\lykelkyhxntxufha.exe" pjindv.bat++msoffice_2013_activation.exe++++++++++++
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pjindv.bat" "
    3⤵
    - Drops file in Drivers directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\SysWOW64\chcp.com
      chcp 866
      4⤵
      PID:4800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "praetorian.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2648
- - C:\Users\Admin\AppData\Local\Temp\msoffice_2013_activation.exe
    "C:\Users\Admin\AppData\Local\Temp\msoffice_2013_activation.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lykelkyhxntxufha.exe

Filesize
128KB

MD5
ddb7111169df883196164ff9a54ba67d

SHA1
ba918e63fd8e0a2b05965ec2057d92935124d7af

SHA256
ead12b5339f6850e6d95381c243bf04c1bdea3138531996d634bff88af15cb06

SHA512
2ede94ba107b8430ee376fbf12e98c1cb80b0c25686dd09760bd268d71bb33ce41ffb7bde7a8d6820d52a2c6b4668c1a687bf1679a2bd046fe16d67ccf126b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lykelkyhxntxufha.exe

Filesize
128KB

MD5
ddb7111169df883196164ff9a54ba67d

SHA1
ba918e63fd8e0a2b05965ec2057d92935124d7af

SHA256
ead12b5339f6850e6d95381c243bf04c1bdea3138531996d634bff88af15cb06

SHA512
2ede94ba107b8430ee376fbf12e98c1cb80b0c25686dd09760bd268d71bb33ce41ffb7bde7a8d6820d52a2c6b4668c1a687bf1679a2bd046fe16d67ccf126b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\msoffice_2013_activation.exe

Filesize
9.8MB

MD5
7545fe9c09892fb95924e18665514dd3

SHA1
a3d8c56c16a3f1ef1b8e38d0fd99e567e152cbf0

SHA256
ac95e33296dc6e76692285f768a82e802c6f5f53a02330a759166ee0df7b6506

SHA512
acc168da266314f45e6e03d54793884cd84010b3fb8d1d71d29d63c54367ccc4b85672272613c5b59755ca76fd77a2e2449a627bae836fc5d7bf4478ad6e8b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\msoffice_2013_activation.exe

Filesize
9.8MB

MD5
7545fe9c09892fb95924e18665514dd3

SHA1
a3d8c56c16a3f1ef1b8e38d0fd99e567e152cbf0

SHA256
ac95e33296dc6e76692285f768a82e802c6f5f53a02330a759166ee0df7b6506

SHA512
acc168da266314f45e6e03d54793884cd84010b3fb8d1d71d29d63c54367ccc4b85672272613c5b59755ca76fd77a2e2449a627bae836fc5d7bf4478ad6e8b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\pjindv.bat

Filesize
6KB

MD5
810a5002284d818215391ca22db9768e

SHA1
fb1957d41c845fa888be71aefe143ffdd15c68e9

SHA256
691322279fd6be9c1d19dd21de6766791b0d3f50e7cfdf51df048347f1e661d1

SHA512
c69aaad0b7858ca5572e64a0271e7b8600352f969d36f7510cfb1ed7777957ec211b20197c074853003e9a1c3aa23779c91418a1ee09dc8518fa16770fcd788e

Download Submit
memory/4808-143-0x0000000000400000-0x000000000087E000-memory.dmp

Filesize
4.5MB

Download
memory/4808-144-0x0000000000400000-0x000000000087E000-memory.dmp

Filesize
4.5MB

Download
memory/4808-145-0x0000000000400000-0x000000000087E000-memory.dmp

Filesize
4.5MB

Download
memory/4808-146-0x0000000000400000-0x000000000087E000-memory.dmp

Filesize
4.5MB

Download

Analysis

Sharing