b9814a1412b8e75a3ad2cc20ceb8fb29481083abdc68eed89cc0f16c16d30edb

General

Target

malware100.exe
Size

310KB
MD5

2413479832b9b9321256acf0fce95d57
SHA1

461e4d216541030229f5dfa682abd484b99a1c6c
SHA256

b9814a1412b8e75a3ad2cc20ceb8fb29481083abdc68eed89cc0f16c16d30edb
SHA512

5ad47558a002536295cb910109c12171312db0f9e24cb17ac9aab7a3c0715ae3ae095f9c4a77a66a5dc2e16ce4479a4f21174b0001608422cdaa22506922f91c
SSDEEP

6144:8cqoSgQc51P9A50S+F6uDbF9ayNfwNlPoaJUGUgNMEM9Ms5lfp4a:8FoS+1HS+F6ULP6SaJBDNMEeMxa

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	malware100.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XeonRegStart = "C:\\Xeon.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4496	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
3012	ipconfig.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2908	taskkill.exe
1612	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	5016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5016	AUDIODG.EXE
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 608 wrote to memory of 3308	608	malware100.exe	78
PID 608 wrote to memory of 3308	608	malware100.exe	78
PID 3308 wrote to memory of 4324	3308	cmd.exe	82
PID 3308 wrote to memory of 4324	3308	cmd.exe	82
PID 3308 wrote to memory of 2980	3308	cmd.exe	84
PID 3308 wrote to memory of 2980	3308	cmd.exe	84
PID 2980 wrote to memory of 4632	2980	net.exe	85
PID 2980 wrote to memory of 4632	2980	net.exe	85
PID 3308 wrote to memory of 3012	3308	cmd.exe	86
PID 3308 wrote to memory of 3012	3308	cmd.exe	86
PID 3308 wrote to memory of 4312	3308	cmd.exe	87
PID 3308 wrote to memory of 4312	3308	cmd.exe	87
PID 3308 wrote to memory of 2124	3308	cmd.exe	88
PID 3308 wrote to memory of 2124	3308	cmd.exe	88
PID 3308 wrote to memory of 4496	3308	cmd.exe	89
PID 3308 wrote to memory of 4496	3308	cmd.exe	89
PID 3308 wrote to memory of 2908	3308	cmd.exe	92
PID 3308 wrote to memory of 2908	3308	cmd.exe	92
PID 3308 wrote to memory of 1612	3308	cmd.exe	93
PID 3308 wrote to memory of 1612	3308	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\malware100.exe
"C:\Users\Admin\AppData\Local\Temp\malware100.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:608
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\70EA.tmp\70EB.bat C:\Users\Admin\AppData\Local\Temp\malware100.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "XeonRegStart" /t REG_SZ /d "C:\Xeon.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4324
- - C:\Windows\system32\net.exe
    net user Admin 9LP64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin 9LP64
      4⤵
      PID:4632
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:3012
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Info.vbs"
    3⤵
    PID:4312
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Message.vbs"
    3⤵
    PID:2124
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:4496
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM csrss.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM svchost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1612

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x4e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Info.vbs

Filesize
96B

MD5
3f0a3021c9183570a7a2350fbe8a50ca

SHA1
85da405fbcba7ebd2151c894aee13412fa90de41

SHA256
f5f4bd6043ce4ef52e59dc3d78eb3c25d26ba8b65fbbd4bcb2a06626013eb2d0

SHA512
d2848b9ec901ec61d89721db5534b976bebc8188971b49f5f81b09d626ea42d843bfbdafe1dc212b537d7ab6ca15211c0b5d4ea24a61b62a55af44070d36cd96

Download Submit
C:\Message.vbs

Filesize
47B

MD5
0f2ce130f4100f889ff2cbbb737fec89

SHA1
3b155f267564fc199d1d05d05fa3aa7995e4f74f

SHA256
e17579150850cbd086110308e873fe2320a67f8100a96175865af0eaeadbc986

SHA512
913ad1f676fe64bc17b362c2672ab8f2ec9e2e06e4db514c7301bed642f455b4d6919c4cbcbb80ab484fac2fe716f6a6d10caa7c54b1ac5709afe02bd7ca7351

Download Submit
C:\Users\Admin\AppData\Local\Temp\70EA.tmp\70EB.bat

Filesize
1KB

MD5
34ca341944b9467a396bbb8b8cfa2447

SHA1
bcf8439873eb5c1939e69ad9552373b55f6e6af4

SHA256
d695618bc6795f1802bc0fff25a171beb96ea348c7dde9394c67fb88b2b29b02

SHA512
503f4b0f8a2b66e0a50b588d290ab79fafe9c86e5bee2b9b58ddb98ed6424ccc364d3527cc494bb5621a1bb02b62fb63557b9dca95035e0c495d41c2bd25ae44

Download Submit
memory/608-136-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/608-132-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/608-133-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1612-147-0x0000000000000000-mapping.dmp

Download
memory/2124-142-0x0000000000000000-mapping.dmp

Download
memory/2908-146-0x0000000000000000-mapping.dmp

Download
memory/2980-138-0x0000000000000000-mapping.dmp

Download
memory/3012-140-0x0000000000000000-mapping.dmp

Download
memory/3308-134-0x0000000000000000-mapping.dmp

Download
memory/4312-141-0x0000000000000000-mapping.dmp

Download
memory/4324-137-0x0000000000000000-mapping.dmp

Download
memory/4496-145-0x0000000000000000-mapping.dmp

Download
memory/4632-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads