3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f

General

Target

3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe
Size

545KB
MD5

b8db78f37e022651b0dd36077d131028
SHA1

91ba41b7fbf328865e10c9bf23372092ebdb9cd3
SHA256

3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f
SHA512

15bf3ba2e0f61faaabb23083b90b8260ceed1f50b9c1b60c3a9fc8bc1634392c827a777ba2a2ac35c07f8b0d433620681ee3c71123ffcde4536fc2775c02b4fa
SSDEEP

12288:ipU6okHN7TDkgJqL3/7HgGslIm/eUVvGLHa+a00xiXc5XAaJ:oUpkJTlqL3/7AGslI4JGb4YgJ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

39 1776 rundll32.exe
49 1776 rundll32.exe
58 1776 rundll32.exe
60 1776 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

file.exe3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe

pid process

2084 file.exe
3612 3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe

flow	pid	process
39	1776	rundll32.exe
49	1776	rundll32.exe
58	1776	rundll32.exe
60	1776	rundll32.exe

pid	process
2084	file.exe
3612	3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exefile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	file.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1776 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1776	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exefile.execmd.exe

description	pid	process	target process
PID 1408 wrote to memory of 3192	1408	3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe	cmd.exe
PID 1408 wrote to memory of 3192	1408	3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe	cmd.exe
PID 1408 wrote to memory of 3192	1408	3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe	cmd.exe
PID 1408 wrote to memory of 2084	1408	3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe	file.exe
PID 1408 wrote to memory of 2084	1408	3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe	file.exe
PID 1408 wrote to memory of 2084	1408	3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe	file.exe
PID 2084 wrote to memory of 1776	2084	file.exe	rundll32.exe
PID 2084 wrote to memory of 1776	2084	file.exe	rundll32.exe
PID 2084 wrote to memory of 1776	2084	file.exe	rundll32.exe
PID 2084 wrote to memory of 1468	2084	file.exe	cmd.exe
PID 2084 wrote to memory of 1468	2084	file.exe	cmd.exe
PID 2084 wrote to memory of 1468	2084	file.exe	cmd.exe
PID 3192 wrote to memory of 3612	3192	cmd.exe	3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe
PID 3192 wrote to memory of 3612	3192	cmd.exe	3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe
PID 3192 wrote to memory of 3612	3192	cmd.exe	3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe

C:\Users\Admin\AppData\Local\Temp\3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe
"C:\Users\Admin\AppData\Local\Temp\3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_ms0378.bat" "C:\Users\Admin\AppData\Local\Temp\3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\AppData\Local\Temp\3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe
"C:\Users\Admin\AppData\Local\Temp\3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe"
3⤵
- Executes dropped EXE
PID:3612

C:\Users\Admin\AppData\Local\Temp\file.exe
C:\Users\Admin\AppData\Local\Temp\file.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\8E3.dll",ADB_Release
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8E3.bat" "
3⤵
PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3f67e2ca1cffb27cd75e9567907f68d17730eb469c8cdff4473883fa58cded4f.exe

Filesize
267KB

MD5
591f2bbf6431b8f181a1bf7cf8a9a009

SHA1
97ce4a4f32db41d799cb728f48e6b68279810049

SHA256
a1f571076b34c79c908e76652c77e9d2a3a4995357588a9b6bd75b1c35cdd3f5

SHA512
251bfaf8fffca0f1fabde72a18c8decbf0ba1081915011504f4573d7fd73016f4b6fa6feb83b1cc5ce1a07a49e4af08ec1aeaa10ed1b5a8722b550b492ffa8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E3.bat

Filesize
138B

MD5
3931e315289df5c55dec614157de9269

SHA1
f08f5cf30f5bdf3ebaa64248252c811f6bda2f9e

SHA256
80ed1a76550e9b48a90fce6ee9e4a940ce0827277bdfc5a5ceac9dbebfd1634b

SHA512
cdf5b8aabe485dee57a3f862d05bb42f8065cf2ba2e0147a850d211b844192c8d00c7660ab8b93a2d656bbac923831e04fbd52ac2312fe4bb1d14e039520d873

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E3.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E3.dll

Filesize
123KB

MD5
c8eb6040fd02d77660d19057a38ff769

SHA1
b491c14d8cfb48636f6095b7b16555e9a575d57f

SHA256
366affd094cc63e2c19c5d57a6866b487889dab5d1b07c084fff94262d8a390b

SHA512
36d8bc7f18bbb62cfaf012a1e0539301d7eb1104b2f3bd79025f72e2a8f688e8d2b20f229253f8d387e25cb67f60e4306b6dab2b7e054f439c1a750bec896e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Drivers_Setup.exe.org

Filesize
267KB

MD5
591f2bbf6431b8f181a1bf7cf8a9a009

SHA1
97ce4a4f32db41d799cb728f48e6b68279810049

SHA256
a1f571076b34c79c908e76652c77e9d2a3a4995357588a9b6bd75b1c35cdd3f5

SHA512
251bfaf8fffca0f1fabde72a18c8decbf0ba1081915011504f4573d7fd73016f4b6fa6feb83b1cc5ce1a07a49e4af08ec1aeaa10ed1b5a8722b550b492ffa8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ms0378.bat

Filesize
234B

MD5
b90d268e2b23121a5d6e20a852834f50

SHA1
4531066b348a55814eb519719e4d9a78649065ec

SHA256
a38f77a09e58fbc0c771e2f64fe95464ec3446255a20677ef12de09a60556571

SHA512
a87c2c50d201de6027ada0eb5d0b33d5f71781c5a474065d0c7d7af14d65b953acfe583661feec28c803b5a7cd171ac26c90221f8a21fb0defe15b3a5ad0a51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
214KB

MD5
28f96a57fa5ff663926e9bad51a1d0cb

SHA1
a75995f94854dea8799650a2f4a97980b71199d2

SHA256
19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d

SHA512
104a8be2c460f73ac953711f677c8666b5831bebd64ec01b722c14270f4ceaef1f3564b00006f47bb25c42f67137d746b72be57e3d2bcb9bd98908784ef3339b

Download Submit
memory/1468-139-0x0000000000000000-mapping.dmp

Download
memory/1776-137-0x0000000000000000-mapping.dmp

Download
memory/2084-133-0x0000000000000000-mapping.dmp

Download
memory/3192-132-0x0000000000000000-mapping.dmp

Download
memory/3612-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing