075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b

General

Target

075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe
Size

234KB
MD5

9ee6d29b1b568feaa87123ed03f36db3
SHA1

678fc28a78ca1727dbb5974efd4c784ae1c3c6ab
SHA256

075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b
SHA512

2cb6a4963692946323bdfe6ba67852f444d3fdf27a98e7ddb2d642c3749acef8ae26bc77f2e6591f381e651ada9f3b27a06eee498507ad84bb9fa594a68fdeb5
SSDEEP

6144:VnBThdqtE1FE8ndWLQGnxrn1FwIClJkgFc32v:nbDNQZJcTbk/S

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

retydtfdt26.exe26.exe

pid process

2240 retydtfdt26.exe
3064 26.exe

pid	process
2240	retydtfdt26.exe
3064	26.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4176-132-0x0000000000400000-0x0000000000426000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe	upx
behavioral2/memory/2240-139-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2240-141-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4176-143-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exeretydtfdt26.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	retydtfdt26.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3660 3064 WerFault.exe 26.exe

pid	pid_target	process	target process
3660	3064	WerFault.exe	26.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exeretydtfdt26.exe

description	pid	process	target process
PID 4176 wrote to memory of 2240	4176	075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe	retydtfdt26.exe
PID 4176 wrote to memory of 2240	4176	075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe	retydtfdt26.exe
PID 4176 wrote to memory of 2240	4176	075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe	retydtfdt26.exe
PID 2240 wrote to memory of 3064	2240	retydtfdt26.exe	26.exe
PID 2240 wrote to memory of 3064	2240	retydtfdt26.exe	26.exe
PID 2240 wrote to memory of 3064	2240	retydtfdt26.exe	26.exe

C:\Users\Admin\AppData\Local\Temp\075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe
"C:\Users\Admin\AppData\Local\Temp\075eb2293e555722f119bc94d6a8883674a48150ee9df9c10ed863882c77544b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4176

C:\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\RarSFX0\26.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\26.exe"
3⤵
- Executes dropped EXE
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 224
4⤵
- Program crash
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3064 -ip 3064
1⤵
PID:3652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\26.exe

Filesize
115KB

MD5
2867fa0ccf392cf85ace1b318090f743

SHA1
98254a515c1e942eb3c7099d8a68c9bcf2eb8ab8

SHA256
dfd6952ea037c6f994f4615468bb06b06628b533b4b22ee80d11b9929372d4b8

SHA512
eb646809163994f52ab42ace1e9dd1fd1eb41ea5fad4ec8fe3f96b26836a9eab94f7331317f5e70995e9436433dd68726cab22f1865b91177628003f0b1072c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\26.exe

Filesize
115KB

MD5
2867fa0ccf392cf85ace1b318090f743

SHA1
98254a515c1e942eb3c7099d8a68c9bcf2eb8ab8

SHA256
dfd6952ea037c6f994f4615468bb06b06628b533b4b22ee80d11b9929372d4b8

SHA512
eb646809163994f52ab42ace1e9dd1fd1eb41ea5fad4ec8fe3f96b26836a9eab94f7331317f5e70995e9436433dd68726cab22f1865b91177628003f0b1072c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe

Filesize
71KB

MD5
86abf19f9f136c4f80c6b76b45eb2d8c

SHA1
ff8562326e4240a0c5e87c6f5759bb45134c0b2c

SHA256
0b5e2a2354e60cea8f47029faf5b32fd171efe102fbf9d82bedff6427b39c55a

SHA512
e913f031af3d51777169cd26c3d6403a2c6957f12b44a16accf653f0f2d2fe3eb0b629816bc22c3a27b33f7ab9cd7eda3dddf13d39a96b8dfbf911f71e85ae91

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.exe

Filesize
71KB

MD5
86abf19f9f136c4f80c6b76b45eb2d8c

SHA1
ff8562326e4240a0c5e87c6f5759bb45134c0b2c

SHA256
0b5e2a2354e60cea8f47029faf5b32fd171efe102fbf9d82bedff6427b39c55a

SHA512
e913f031af3d51777169cd26c3d6403a2c6957f12b44a16accf653f0f2d2fe3eb0b629816bc22c3a27b33f7ab9cd7eda3dddf13d39a96b8dfbf911f71e85ae91

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\retydtfdt26.jpg

Filesize
17KB

MD5
90523847abf53a0c973c0e6c6978c260

SHA1
ac57fdfb5e03316a59dcc453736441b2b98fbd92

SHA256
83f65e76f4e9725f1c074187ae30b17aaefe31d0d5c24f56fe09057dc3ccbdec

SHA512
7f7b9eace21ad241e1213f61a2f8964fc60fc0e5244a3a492f005d8b4fa007a02e1d88bb5a723860c36b21428aa8b6dd9158d07b7456752e96c2445ca0fdb920

Download Submit
memory/2240-133-0x0000000000000000-mapping.dmp

Download
memory/2240-139-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2240-141-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3064-137-0x0000000000000000-mapping.dmp

Download
memory/3064-140-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4176-132-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4176-143-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads