4e2d15b97cde8f1d4a479e4baa8d6cf0101be41761be5eb9aa493235cf21f471

General

Target

4e2d15b97cde8f1d4a479e4baa8d6cf0101be41761be5eb9aa493235cf21f471.exe
Size

1.6MB
MD5

8c9ee3bfbe51d974f7803fa5befb8ee9
SHA1

8102be0780e16aa9ccc6a219c94b7fe2f1b60aac
SHA256

4e2d15b97cde8f1d4a479e4baa8d6cf0101be41761be5eb9aa493235cf21f471
SHA512

a552ea7f72223163c0ea338a1d4d69e961d4a68204cea0b89e580d2d155627b2f9a566ce0c65c0c6641b42253b225f9a24ac005f29671b8e7c39cf9dfe00201f
SSDEEP

24576:GD3aW204oHwEbVO8GI9nx8ZTDHrN/Sg6N5UYoIcvCNmplQYSm326:GDuCdhO8hnxqTDHR/h6V/tETQem6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Tmp2808277a.exeTmp2808277a.tmp

pid process

100 Tmp2808277a.exe
1540 Tmp2808277a.tmp

pid	process
100	Tmp2808277a.exe
1540	Tmp2808277a.tmp

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4e2d15b97cde8f1d4a479e4baa8d6cf0101be41761be5eb9aa493235cf21f471.exeTmp2808277a.tmpcmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	4e2d15b97cde8f1d4a479e4baa8d6cf0101be41761be5eb9aa493235cf21f471.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Tmp2808277a.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings cmd.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Tmp2808277a.tmp

pid process

1540 Tmp2808277a.tmp
1540 Tmp2808277a.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Tmp2808277a.tmp

pid process

1540 Tmp2808277a.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe

pid	process
1540	Tmp2808277a.tmp
1540	Tmp2808277a.tmp

pid	process
1540	Tmp2808277a.tmp

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

4e2d15b97cde8f1d4a479e4baa8d6cf0101be41761be5eb9aa493235cf21f471.execmd.exeTmp2808277a.exeTmp2808277a.tmpcmd.exe

description	pid	process	target process
PID 2124 wrote to memory of 2292	2124	4e2d15b97cde8f1d4a479e4baa8d6cf0101be41761be5eb9aa493235cf21f471.exe	cmd.exe
PID 2124 wrote to memory of 2292	2124	4e2d15b97cde8f1d4a479e4baa8d6cf0101be41761be5eb9aa493235cf21f471.exe	cmd.exe
PID 2124 wrote to memory of 2292	2124	4e2d15b97cde8f1d4a479e4baa8d6cf0101be41761be5eb9aa493235cf21f471.exe	cmd.exe
PID 2292 wrote to memory of 100	2292	cmd.exe	Tmp2808277a.exe
PID 2292 wrote to memory of 100	2292	cmd.exe	Tmp2808277a.exe
PID 2292 wrote to memory of 100	2292	cmd.exe	Tmp2808277a.exe
PID 100 wrote to memory of 1540	100	Tmp2808277a.exe	Tmp2808277a.tmp
PID 100 wrote to memory of 1540	100	Tmp2808277a.exe	Tmp2808277a.tmp
PID 100 wrote to memory of 1540	100	Tmp2808277a.exe	Tmp2808277a.tmp
PID 1540 wrote to memory of 3480	1540	Tmp2808277a.tmp	cmd.exe
PID 1540 wrote to memory of 3480	1540	Tmp2808277a.tmp	cmd.exe
PID 1540 wrote to memory of 3480	1540	Tmp2808277a.tmp	cmd.exe
PID 3480 wrote to memory of 4996	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 4996	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 4996	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 4184	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 4184	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 4184	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 3844	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 3844	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 3844	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 1784	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 1784	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 1784	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 2680	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 2680	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 2680	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 1124	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 1124	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 1124	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 1388	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 1388	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 1388	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 3048	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 3048	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 3048	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 3164	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 3164	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 3164	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 1392	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 1392	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 1392	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 2944	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 2944	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 2944	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 2868	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 2868	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 2868	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 3136	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 3136	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 3136	3480	cmd.exe	cmd.exe
PID 3480 wrote to memory of 2188	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 2188	3480	cmd.exe	findstr.exe
PID 3480 wrote to memory of 2188	3480	cmd.exe	findstr.exe
PID 2292 wrote to memory of 5076	2292	cmd.exe	WScript.exe
PID 2292 wrote to memory of 5076	2292	cmd.exe	WScript.exe
PID 2292 wrote to memory of 5076	2292	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\4e2d15b97cde8f1d4a479e4baa8d6cf0101be41761be5eb9aa493235cf21f471.exe
"C:\Users\Admin\AppData\Local\Temp\4e2d15b97cde8f1d4a479e4baa8d6cf0101be41761be5eb9aa493235cf21f471.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Install.cmd" "
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\Tmp2808277a.exe
"Tmp2808277a.exe" /VERYSILENT /SP- /PASSWORD=rkxssufmqa /NOICONS
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100

C:\Users\Admin\AppData\Local\Temp\is-1N818.tmp\Tmp2808277a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1N818.tmp\Tmp2808277a.tmp" /SL5="$C004E,557516,158720,C:\Users\Admin\AppData\Local\Temp\Tmp2808277a.exe" /VERYSILENT /SP- /PASSWORD=rkxssufmqa /NOICONS
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\Update\Install.cmd" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" VER "
6⤵
PID:4996

C:\Windows\SysWOW64\findstr.exe
FINDSTR /IL "5.0"
6⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" VER "
6⤵
PID:3844

C:\Windows\SysWOW64\findstr.exe
FINDSTR /IL "5.1."
6⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" VER "
6⤵
PID:2680

C:\Windows\SysWOW64\findstr.exe
FINDSTR /IL "5.2."
6⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" VER "
6⤵
PID:1388

C:\Windows\SysWOW64\findstr.exe
FINDSTR /IL "6.0."
6⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" VER "
6⤵
PID:3164

C:\Windows\SysWOW64\findstr.exe
FINDSTR /IL "6.1."
6⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" VER "
6⤵
PID:2944

C:\Windows\SysWOW64\findstr.exe
FINDSTR /IL "6.2."
6⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" VER "
6⤵
PID:3136

C:\Windows\SysWOW64\findstr.exe
FINDSTR /IL "6.3."
6⤵
PID:2188

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1.vbs"
3⤵
PID:5076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.vbs
Filesize
295B

MD5
def16d2c14676a317b479f4c11ec5e8f

SHA1
82b0cc60b1f220fc11b33ded6625285ccb4cce3e

SHA256
06b46a348e15d42e03e412d2904be61c5c05f59c4e8b61c82f764ec004bddad5

SHA512
bd645f7ac153582f767b0e1c4efcc4a2870bb282a39c9dd5a4362143fb855a0fc4becbf3892e5f636dd56b3970cfeccc040ebe8c11da81002a6cea85a384fde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.cmd
Filesize
910B

MD5
3a5f329869cfcfc7cb5307a99f37dfe5

SHA1
d6218478ba50e6519a5d0173ec8c6aeb65fcc73b

SHA256
67078ccdfa9015ccd3886fbc8a7e83359e98032dbd6b0cb544389fca8ec9e235

SHA512
9043c5cd8e256e1c356fb3e3b3f542f536e9ab149f3ed0680f5fe8ba0ae3a86c81176e26aacfe864310dd265265bad2b029d6cf54065e442d7cfb3ca85109d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp2808277a.exe
Filesize
1011KB

MD5
e2615d11f3b2495d6ed7a8a1868bf6d1

SHA1
da70022b4380e7377468192416b20ed781426d30

SHA256
ad55fadb5b697777fcc5096b2c49a688edb0d714b4bed57bc45e0267667d6812

SHA512
bab1cf1e6794545a783388cf489bad3db1862b45197488d68b76dcfa4597ad1a3879a4ae4ec7c0c68d53921552f80c19624d7f98e25ee644dc8ef9287cc591be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp2808277a.exe
Filesize
1011KB

MD5
e2615d11f3b2495d6ed7a8a1868bf6d1

SHA1
da70022b4380e7377468192416b20ed781426d30

SHA256
ad55fadb5b697777fcc5096b2c49a688edb0d714b4bed57bc45e0267667d6812

SHA512
bab1cf1e6794545a783388cf489bad3db1862b45197488d68b76dcfa4597ad1a3879a4ae4ec7c0c68d53921552f80c19624d7f98e25ee644dc8ef9287cc591be

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1N818.tmp\Tmp2808277a.tmp
Filesize
1.4MB

MD5
f67cd91eeb61d724d8679faf29016bbf

SHA1
766144299f2a4d2a913969ba4c8f2d95d598ce1a

SHA256
6ab77596f4cbcad65191ce592ff53d281cc89cb9906ce3abe99c1bad623bb7bf

SHA512
eb51c8d66d585d653b16b6c903a222b0b4b933ecd0d79e438fa294d29ac8b1c559e3b8ffaf61f045ccf5967799c8e6a797cd8d8cb5bbe3475673d994f6bfb979

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1N818.tmp\Tmp2808277a.tmp
Filesize
1.4MB

MD5
f67cd91eeb61d724d8679faf29016bbf

SHA1
766144299f2a4d2a913969ba4c8f2d95d598ce1a

SHA256
6ab77596f4cbcad65191ce592ff53d281cc89cb9906ce3abe99c1bad623bb7bf

SHA512
eb51c8d66d585d653b16b6c903a222b0b4b933ecd0d79e438fa294d29ac8b1c559e3b8ffaf61f045ccf5967799c8e6a797cd8d8cb5bbe3475673d994f6bfb979

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\Update\Install.cmd
Filesize
1KB

MD5
4f577343d9fd430bcf92bec4d585cf2f

SHA1
5a8af590699ed805c05676c9162149647db6bd71

SHA256
521df39b52b3ecc9d0a0700608dd976a15712e08d495b9849b52e4fc2ff299f6

SHA512
fc090f58d7f8b7c65f981ed5e1c797189c1334db00718fb5137ee03b9f92c4b03e88ba18ea4be48575d3a0e1b15055c3cb95eef66b190d2982cf6c3d167bac61

Download Submit
memory/100-137-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/100-134-0x0000000000000000-mapping.dmp

Download
memory/100-141-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/100-159-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1124-150-0x0000000000000000-mapping.dmp

Download
memory/1388-151-0x0000000000000000-mapping.dmp

Download
memory/1392-154-0x0000000000000000-mapping.dmp

Download
memory/1540-139-0x0000000000000000-mapping.dmp

Download
memory/1784-148-0x0000000000000000-mapping.dmp

Download
memory/2188-158-0x0000000000000000-mapping.dmp

Download
memory/2292-132-0x0000000000000000-mapping.dmp

Download
memory/2680-149-0x0000000000000000-mapping.dmp

Download
memory/2868-156-0x0000000000000000-mapping.dmp

Download
memory/2944-155-0x0000000000000000-mapping.dmp

Download
memory/3048-152-0x0000000000000000-mapping.dmp

Download
memory/3136-157-0x0000000000000000-mapping.dmp

Download
memory/3164-153-0x0000000000000000-mapping.dmp

Download
memory/3480-143-0x0000000000000000-mapping.dmp

Download
memory/3844-147-0x0000000000000000-mapping.dmp

Download
memory/4184-146-0x0000000000000000-mapping.dmp

Download
memory/4996-145-0x0000000000000000-mapping.dmp

Download
memory/5076-160-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing