201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6

General

Target

201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
Size

206KB
MD5

397274aa8167c58ef72f28bc03351a43
SHA1

bea78819e92c222e5a7e92d36d40176714d46d06
SHA256

201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6
SHA512

203f549f1f617be8261ae8d4189bba3fef359b3e2e1f00a28bf61b33a1d2ccd6c5931e58167956212d6169b4156b2a9f6493cbfa653f7170fff86316d2e60221
SSDEEP

3072:5wxVMhOC/dTDbq91+mno3t4QZQ3raVsNT+s+YNRXA5ZqpyTfbP:5TfFDbRnOTraya5YNRwCyLbP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2944	jpeg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TimeServer = "C:\\Program Files (x86)\\TimeServer\\jpeg.exe"	reg.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\TimeServer\jpeg.jpeg	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
File created	C:\Program Files (x86)\TimeServer\jpeg.exe	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
File opened for modification	C:\Program Files (x86)\TimeServer\jpeg.exe	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
File opened for modification	C:\Program Files (x86)\TimeServer	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
File created	C:\Program Files (x86)\TimeServer\__tmp_rar_sfx_access_check_240554046	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
File created	C:\Program Files (x86)\TimeServer\start.bat	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
File opened for modification	C:\Program Files (x86)\TimeServer\start.bat	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
File created	C:\Program Files (x86)\TimeServer\jpeg.jpeg	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4124	tasklist.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1700	reg.exe
1668	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4124	tasklist.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 3044	380	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe	84
PID 380 wrote to memory of 3044	380	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe	84
PID 380 wrote to memory of 3044	380	201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe	84
PID 3044 wrote to memory of 1700	3044	cmd.exe	86
PID 3044 wrote to memory of 1700	3044	cmd.exe	86
PID 3044 wrote to memory of 1700	3044	cmd.exe	86
PID 3044 wrote to memory of 1668	3044	cmd.exe	87
PID 3044 wrote to memory of 1668	3044	cmd.exe	87
PID 3044 wrote to memory of 1668	3044	cmd.exe	87
PID 3044 wrote to memory of 4124	3044	cmd.exe	88
PID 3044 wrote to memory of 4124	3044	cmd.exe	88
PID 3044 wrote to memory of 4124	3044	cmd.exe	88
PID 3044 wrote to memory of 4848	3044	cmd.exe	89
PID 3044 wrote to memory of 4848	3044	cmd.exe	89
PID 3044 wrote to memory of 4848	3044	cmd.exe	89
PID 3044 wrote to memory of 2944	3044	cmd.exe	90
PID 3044 wrote to memory of 2944	3044	cmd.exe	90
PID 3044 wrote to memory of 2944	3044	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe
"C:\Users\Admin\AppData\Local\Temp\201eda697f3c0a2bc732ee572240db5ee00e659f32ceab34d70f5adb56c37be6.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\TimeServer\start.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer /v TimeServer /t REG_DWORD /d 0x313B7CC1 /f
    3⤵
    - Modifies registry key
    PID:1700
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v TimeServer /t REG_SZ /d "C:\Program Files (x86)\TimeServer\jpeg.exe" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1668
- - C:\Windows\SysWOW64\tasklist.exe
    TaskList /FI "ImageName EQ jpeg.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4124
- - C:\Windows\SysWOW64\find.exe
    Find /I "jpeg.exe"
    3⤵
    PID:4848
- - C:\Program Files (x86)\TimeServer\jpeg.exe
    jpeg.exe
    3⤵
    - Executes dropped EXE
    PID:2944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TimeServer\jpeg.exe

Filesize
97KB

MD5
5501dd2471a3a7e37dd8d8eb5fdaea9f

SHA1
26a4029b5b0b476f8b4f9067aadbc4b129025046

SHA256
61acbfb8f49261df48726799a989b71a15674cca69e8c05c04112811d4da3ad7

SHA512
33ae6764c906935c29f7b25431d3dc58b191b7f33bee8aaf127be1f28159dc89148c3ff2ca7ba712ccfe80aca0cb498035ddc66981cf5fd894e87e6717dcc33c

Download Submit
C:\Program Files (x86)\TimeServer\jpeg.exe

Filesize
97KB

MD5
5501dd2471a3a7e37dd8d8eb5fdaea9f

SHA1
26a4029b5b0b476f8b4f9067aadbc4b129025046

SHA256
61acbfb8f49261df48726799a989b71a15674cca69e8c05c04112811d4da3ad7

SHA512
33ae6764c906935c29f7b25431d3dc58b191b7f33bee8aaf127be1f28159dc89148c3ff2ca7ba712ccfe80aca0cb498035ddc66981cf5fd894e87e6717dcc33c

Download Submit
C:\Program Files (x86)\TimeServer\start.bat

Filesize
650B

MD5
6271e788faeabe8a54abc798b4d4c19c

SHA1
4950fc7d5baac79ddebb1bbaf41225cd292f6fe9

SHA256
cf59a44c219a1c167ab50295d557fcef65e797686b7538e110b4e919e13487c3

SHA512
dec3b6270e5e2a8b640ef24aa2d503e30ce7db656f0b860f901d92450b200f51166081644fc509fe4fd839d416398b3e4abb75706bc9d7fa0a42a1656e59322b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads