28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9

General

Target

28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe
Size

464KB
MD5

1e114977ed8b4d54c0d98c4c9393df23
SHA1

ab86b9f2b64f6c6993b69f1c9bf7278eced61e70
SHA256

28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9
SHA512

b8d36f288f49ec4ed7defdad9ad6b02867470029595e720d4b5ffff3a8985a9e89c6e9722a6db7a7dad46a134a53c0457224bf9c288f8ce7bb655c9c2d21fe55
SSDEEP

6144:gsbaKMUtcUeGBa7J0Cn+RzI3fiUkCSPpARl/KtIfEuX7K0kzmOCe4FFBN9EP:gyaKVOUzBY0Cn91SPkoIMSKk1e45+

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Lettera.exe

pid process

2272 Lettera.exe

pid	process
2272	Lettera.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Lettera.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Lettera.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemEngine = "C:\\Caches\\MShelp.exe"	Lettera.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Lettera.exe

pid process

2272 Lettera.exe
2272 Lettera.exe

pid	process
2272	Lettera.exe
2272	Lettera.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe

description	pid	process	target process
PID 2080 wrote to memory of 2272	2080	28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe	Lettera.exe
PID 2080 wrote to memory of 2272	2080	28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe	Lettera.exe
PID 2080 wrote to memory of 2272	2080	28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe	Lettera.exe
PID 2080 wrote to memory of 2304	2080	28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe	notepad.exe
PID 2080 wrote to memory of 2304	2080	28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe	notepad.exe
PID 2080 wrote to memory of 2304	2080	28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe
"C:\Users\Admin\AppData\Local\Temp\28aa09d572469232184004dea8ea6402528ef85dbbf9b64ab9a77064d116f0e9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lettera.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lettera.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2272

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" lettera.txt
2⤵
PID:2304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lettera.exe
Filesize
20KB

MD5
93ac5955ad3c8f4d244764d130c2ece9

SHA1
de6d3ba861829684039facb6aa311ceb0e24cf67

SHA256
1d0e1272856103a19b5bd45f288e25cf5a3767d998956fba683ab4ffcea88284

SHA512
725997e5085a1f28ea468754d61ebbd109636c772e035d56757377ef5ec2577fbbe7e6da9561ff6a4be8cfc5391bf1b3da7eba9159dc228bfb4d190c0f7577f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lettera.exe
Filesize
20KB

MD5
93ac5955ad3c8f4d244764d130c2ece9

SHA1
de6d3ba861829684039facb6aa311ceb0e24cf67

SHA256
1d0e1272856103a19b5bd45f288e25cf5a3767d998956fba683ab4ffcea88284

SHA512
725997e5085a1f28ea468754d61ebbd109636c772e035d56757377ef5ec2577fbbe7e6da9561ff6a4be8cfc5391bf1b3da7eba9159dc228bfb4d190c0f7577f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MShelp.exe
Filesize
44KB

MD5
eaafec0d3050536bb518780471a99c1b

SHA1
51209809e0cba80e254a49c33e97e0163899e460

SHA256
db1a09ea4113e6d6710cf6674c6613b94e4f804dd1ad28f7b0e4fea6a8e84f06

SHA512
4bb04fe0c459f9f899975cec9cb732603d0e0da82cbc65de5a6e040a0644456ec22082a294c8ea37f04e1f4f21cc320116ecd487e24e15c782e82a9e86c8816f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\csrss (64 bit).exe
Filesize
817KB

MD5
7f2588848040af6f4d8c43f6b6fb34c8

SHA1
3ac628d3383a362fe7c6ece81eeae96a9736970e

SHA256
426efa3e5951ef5bbaf8ea397a9754f776bd68201a1cfa18dfa247ae142d9e77

SHA512
e38a219e25d7cbc56ad4b3ebbe6cfc4ef8afcf66deb6394750f3644f7947540d57204e6512a923df2bffe8983107293982c452696fdedf76064b0e067974272c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lettera.txt
Filesize
1KB

MD5
2b10ef1679073e8f9c9b0fafed742ce8

SHA1
070e76a25e26e8d03e46bb026725e95193df8fa4

SHA256
a53bb2c253b256d8df5b7c29e5f5ff909230d1d6d6f30296d1996ce628949204

SHA512
ffbadd14ad7ac88821a8562aedd1150417e382d71d3b822e72cd2cd916a55badfa526575d598821309bafc814f7c4e9c8861e1adc9e7018603ceda8c887dc8af

Download Submit
memory/2272-132-0x0000000000000000-mapping.dmp

Download
memory/2304-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads