8a3e6626bdb8b608fd3ab327f399a50c724a07eded0d8b99a72c3dfe90ace58f

General

Target

8a3e6626bdb8b608fd3ab327f399a50c724a07eded0d8b99a72c3dfe90ace58f.exe
Size

57KB
MD5

05235f9361740c5959703b042beb75c6
SHA1

b835673593a1b277a8bf2e6f7f15462b7a69982b
SHA256

8a3e6626bdb8b608fd3ab327f399a50c724a07eded0d8b99a72c3dfe90ace58f
SHA512

7c181d7bd2d4d88eb919ae61c4348791f4d78621df54775b100dff8ed1cac368a1073633d2ac112432e7a5e31ceb2eb8242fa73eb4742f222d82784ad956ae1a
SSDEEP

768:3noLSdKfBF3gUvcvzCGG/iLHmbo1LIfVzabgEYdLOA3q6T4+I3ASz5Wxb+hSXZjc:3oLvTP/QHmiLJhyZ3D4+IQSzohfBO

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1564	Obbtos.exe
2000	Heexzqu.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4072-132-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4072-133-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x0008000000023131-135.dat	upx
behavioral2/files/0x0008000000023131-136.dat	upx
behavioral2/memory/1564-138-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4072-139-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1564-141-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x0004000000022654-142.dat	upx
behavioral2/files/0x0004000000022654-143.dat	upx
behavioral2/memory/2000-144-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1564-146-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2000-148-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	8a3e6626bdb8b608fd3ab327f399a50c724a07eded0d8b99a72c3dfe90ace58f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Obbtos.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Kgoaco\Heexzqu.exe	Obbtos.exe
File opened for modification	C:\Program Files (x86)\Windows Kgoaco\Heexzqu.exe	Obbtos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	8a3e6626bdb8b608fd3ab327f399a50c724a07eded0d8b99a72c3dfe90ace58f.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	Obbtos.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4072	8a3e6626bdb8b608fd3ab327f399a50c724a07eded0d8b99a72c3dfe90ace58f.exe
4072	8a3e6626bdb8b608fd3ab327f399a50c724a07eded0d8b99a72c3dfe90ace58f.exe
1564	Obbtos.exe
1564	Obbtos.exe
2000	Heexzqu.exe
2000	Heexzqu.exe
1564	Obbtos.exe
1564	Obbtos.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	Heexzqu.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 1564	4072	8a3e6626bdb8b608fd3ab327f399a50c724a07eded0d8b99a72c3dfe90ace58f.exe	86
PID 4072 wrote to memory of 1564	4072	8a3e6626bdb8b608fd3ab327f399a50c724a07eded0d8b99a72c3dfe90ace58f.exe	86
PID 4072 wrote to memory of 1564	4072	8a3e6626bdb8b608fd3ab327f399a50c724a07eded0d8b99a72c3dfe90ace58f.exe	86
PID 4072 wrote to memory of 4632	4072	8a3e6626bdb8b608fd3ab327f399a50c724a07eded0d8b99a72c3dfe90ace58f.exe	87
PID 4072 wrote to memory of 4632	4072	8a3e6626bdb8b608fd3ab327f399a50c724a07eded0d8b99a72c3dfe90ace58f.exe	87
PID 4072 wrote to memory of 4632	4072	8a3e6626bdb8b608fd3ab327f399a50c724a07eded0d8b99a72c3dfe90ace58f.exe	87
PID 1564 wrote to memory of 4624	1564	Obbtos.exe	89
PID 1564 wrote to memory of 4624	1564	Obbtos.exe	89
PID 1564 wrote to memory of 4624	1564	Obbtos.exe	89

C:\Users\Admin\AppData\Local\Temp\8a3e6626bdb8b608fd3ab327f399a50c724a07eded0d8b99a72c3dfe90ace58f.exe
"C:\Users\Admin\AppData\Local\Temp\8a3e6626bdb8b608fd3ab327f399a50c724a07eded0d8b99a72c3dfe90ace58f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Obbtos.exe
  "C:\Obbtos.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\7892.vbs"
    3⤵
    PID:4624
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\8471.vbs"
  2⤵
  PID:4632

C:\Program Files (x86)\Windows Kgoaco\Heexzqu.exe
"C:\Program Files (x86)\Windows Kgoaco\Heexzqu.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7892.vbs

Filesize
500B

MD5
370fb54517cfab1f4c7b9360a8caa01c

SHA1
0af21ded7ef9fd8474b8a503e18875d65de40ab1

SHA256
5be50e7dbea1d23a3cdec418fe5b5a8c246701a24e740ac5177185b1c4c3e7b3

SHA512
30a8bd319019e8477336ddfd2fd5ca847145df1dbbf7a2d1adc931b26dc241b7591756a2298b9f8dc572044583e19dfc541c6facd475763960efca756b644842

Download Submit
C:\8471.vbs

Filesize
500B

MD5
f431ab2c14779f2c006be95645fc3ede

SHA1
669e2e10aa769c008e81ffb3c4487fe995e848aa

SHA256
d9e61410f77021b4c7b71b5ef1400e5d03fb0ec2d709321a9263e688d58ea6dc

SHA512
2fab3e89df106a9c9c8f3e75be9745aef5a5253e918ff120b703067731333a8f24827fdb0a144d2884e2d0246bbf55488154253bfa0c89bc2d5fe3702a98353e

Download Submit
C:\Obbtos.exe

Filesize
50.1MB

MD5
5fa17ddec040a6cada1121d67ad262b8

SHA1
5e2c81a94ab0d9c270b08bf7e3be4d9f7569930a

SHA256
40c3e40a169cc181c9c9b0f8cce5586f71364511e0babcd9b16b45303c78f1f4

SHA512
261628bfb4aa158ae2ac2cd5b2c4882c413dce378d662878434ef27722e4d71bfecaba00083e47008fc876db1264a2798543617c32a8541f104e4d4f8ec72f7b

Download Submit
C:\Obbtos.exe

Filesize
50.1MB

MD5
5fa17ddec040a6cada1121d67ad262b8

SHA1
5e2c81a94ab0d9c270b08bf7e3be4d9f7569930a

SHA256
40c3e40a169cc181c9c9b0f8cce5586f71364511e0babcd9b16b45303c78f1f4

SHA512
261628bfb4aa158ae2ac2cd5b2c4882c413dce378d662878434ef27722e4d71bfecaba00083e47008fc876db1264a2798543617c32a8541f104e4d4f8ec72f7b

Download Submit
C:\Program Files (x86)\Windows Kgoaco\Heexzqu.exe

Filesize
50.1MB

MD5
5fa17ddec040a6cada1121d67ad262b8

SHA1
5e2c81a94ab0d9c270b08bf7e3be4d9f7569930a

SHA256
40c3e40a169cc181c9c9b0f8cce5586f71364511e0babcd9b16b45303c78f1f4

SHA512
261628bfb4aa158ae2ac2cd5b2c4882c413dce378d662878434ef27722e4d71bfecaba00083e47008fc876db1264a2798543617c32a8541f104e4d4f8ec72f7b

Download Submit
C:\Program Files (x86)\Windows Kgoaco\Heexzqu.exe

Filesize
50.1MB

MD5
5fa17ddec040a6cada1121d67ad262b8

SHA1
5e2c81a94ab0d9c270b08bf7e3be4d9f7569930a

SHA256
40c3e40a169cc181c9c9b0f8cce5586f71364511e0babcd9b16b45303c78f1f4

SHA512
261628bfb4aa158ae2ac2cd5b2c4882c413dce378d662878434ef27722e4d71bfecaba00083e47008fc876db1264a2798543617c32a8541f104e4d4f8ec72f7b

Download Submit
memory/1564-138-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1564-146-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1564-141-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2000-144-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2000-148-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4072-139-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4072-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4072-133-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing