2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c

General

Target

2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe
Size

847KB
MD5

85ddd555295bd869fe9c4ee07ca81c44
SHA1

5a358ba5d3e9f780972f3d67886882cb944492b5
SHA256

2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c
SHA512

19549d00437fb42333dd09f1cfa503ee5ab2999f89d1336d7b17303873593ccaf73998eaf0f441c02164f3cf7c60ee727250a8a06ae9eaf9e8f2e968647679bc
SSDEEP

24576:lX48QE+U2JGAUPZjHQKpQyVhqsMA0oPxD:lXz+rGAwDQqpAc0yxD

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

free_update1905.exesvchost.exe

pid process

744 free_update1905.exe
2288 svchost.exe

pid	process
744	free_update1905.exe
2288	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe

Drops startup file 1 IoCs

Processes:

2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\íàïîìèíàíèå.txt	2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

free_update1905.exesvchost.exe

pid process

744 free_update1905.exe
2288 svchost.exe

pid	process
744	free_update1905.exe
2288	svchost.exe

Drops file in Program Files directory 4 IoCs

Processes:

2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exeEXCEL.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\WinRaR.inc\Àðõèâå WinRaR\svchost.exe	2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe
File opened for modification	C:\Program Files (x86)\WinRaR.inc\Àðõèâå WinRaR\STATS.xls	2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe
File opened for modification	C:\Program Files (x86)\WinRaR.inc\Àðõèâå WinRaR\STATS.xls	EXCEL.EXE
File opened for modification	C:\Program Files (x86)\WinRaR.inc\Àðõèâå WinRaR\free_update1905.exe	2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2036 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

svchost.exefree_update1905.exe

pid process

2288 svchost.exe
2288 svchost.exe
744 free_update1905.exe
744 free_update1905.exe

pid	process
2288	svchost.exe
2288	svchost.exe
744	free_update1905.exe
744	free_update1905.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2036	EXCEL.EXE
2036	EXCEL.EXE
2036	EXCEL.EXE
2036	EXCEL.EXE
2036	EXCEL.EXE
2036	EXCEL.EXE
2036	EXCEL.EXE
2036	EXCEL.EXE
2036	EXCEL.EXE
2036	EXCEL.EXE
2036	EXCEL.EXE
2036	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe

description	pid	process	target process
PID 3316 wrote to memory of 744	3316	2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe	free_update1905.exe
PID 3316 wrote to memory of 744	3316	2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe	free_update1905.exe
PID 3316 wrote to memory of 744	3316	2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe	free_update1905.exe
PID 3316 wrote to memory of 2288	3316	2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe	svchost.exe
PID 3316 wrote to memory of 2288	3316	2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe	svchost.exe
PID 3316 wrote to memory of 2288	3316	2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe	svchost.exe
PID 3316 wrote to memory of 2036	3316	2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe	EXCEL.EXE
PID 3316 wrote to memory of 2036	3316	2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe	EXCEL.EXE
PID 3316 wrote to memory of 2036	3316	2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe
"C:\Users\Admin\AppData\Local\Temp\2a448ebda2c2366a8e29854838cfd2315cf4b58d45f23b396a7b884f1b07b13c.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3316

C:\Program Files (x86)\WinRaR.inc\Àðõèâå WinRaR\free_update1905.exe
"C:\Program Files (x86)\WinRaR.inc\Àðõèâå WinRaR\free_update1905.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:744

C:\Program Files (x86)\WinRaR.inc\Àðõèâå WinRaR\svchost.exe
"C:\Program Files (x86)\WinRaR.inc\Àðõèâå WinRaR\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2288

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Program Files (x86)\WinRaR.inc\Àðõèâå WinRaR\STATS.xls"
2⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinRaR.inc\Àðõèâå WinRaR\STATS.xls

Filesize
21KB

MD5
32c492aa3f4a4c3b57918455758bd88c

SHA1
8f2814531b1ae2ea908a45097ad19f845e69fba9

SHA256
af81104c4ddf128e4ddc4d47f1f5c8ee8c4919b047bd3a633e3dcf8b50c8b8e5

SHA512
e120ef2f2f9d2662e28ff8c67f3922a8391fcdf8d0932c3d9ee6ad74bb8b35b8a648ea2e5d81e34e4f5cdd75c78085f6edb09e25e557b4aaeda4a7d6ac6b9124

Download Submit
C:\Program Files (x86)\WinRaR.inc\Àðõèâå WinRaR\free_update1905.exe

Filesize
231KB

MD5
60722dcf5e9d82dd40003b733df129c2

SHA1
626e87d002de7dca5bb5723a5734e47b3a04648b

SHA256
7351c2dc2aabc46700faeacd40cdf68f94a75903301d6210d7bc3326173319fe

SHA512
d277e840d6cb5af8d818ea739b3e3a1e87ba22969a23c831152d17862a943ea056ac442aff93b772aeab9c9460be2bcbda28ffe8cdf081f037ef7470b1db813f

Download Submit
C:\Program Files (x86)\WinRaR.inc\Àðõèâå WinRaR\free_update1905.exe

Filesize
231KB

MD5
60722dcf5e9d82dd40003b733df129c2

SHA1
626e87d002de7dca5bb5723a5734e47b3a04648b

SHA256
7351c2dc2aabc46700faeacd40cdf68f94a75903301d6210d7bc3326173319fe

SHA512
d277e840d6cb5af8d818ea739b3e3a1e87ba22969a23c831152d17862a943ea056ac442aff93b772aeab9c9460be2bcbda28ffe8cdf081f037ef7470b1db813f

Download Submit
C:\Program Files (x86)\WinRaR.inc\Àðõèâå WinRaR\svchost.exe

Filesize
430KB

MD5
d0bafd78468ceef802dcbde8d93491f9

SHA1
052a0c8068bcbc91058cf5b05be5ee4b82d07419

SHA256
7e0a3e72aee4240cedaf09dbc7c1c9805cfbb41bb2fd0fb3997cae97b32f28c3

SHA512
03133a07198875e7d28fc3a7b6e809a1506b09c6859923305b9a4aead1fc72ef3913532dd5d26adbdfab0769d29524e105002255e76c6bf1c083493e90af6f47

Download Submit
C:\Program Files (x86)\WinRaR.inc\Àðõèâå WinRaR\svchost.exe

Filesize
430KB

MD5
d0bafd78468ceef802dcbde8d93491f9

SHA1
052a0c8068bcbc91058cf5b05be5ee4b82d07419

SHA256
7e0a3e72aee4240cedaf09dbc7c1c9805cfbb41bb2fd0fb3997cae97b32f28c3

SHA512
03133a07198875e7d28fc3a7b6e809a1506b09c6859923305b9a4aead1fc72ef3913532dd5d26adbdfab0769d29524e105002255e76c6bf1c083493e90af6f47

Download Submit
memory/744-138-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/744-132-0x0000000000000000-mapping.dmp

Download
memory/744-139-0x00000000029E0000-0x0000000002A22000-memory.dmp

Filesize
264KB

Download
memory/744-158-0x00000000029E0000-0x0000000002A22000-memory.dmp

Filesize
264KB

Download
memory/744-157-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/744-155-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/744-151-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/744-150-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2036-148-0x00007FF85FF60000-0x00007FF85FF70000-memory.dmp

Filesize
64KB

Download
memory/2036-156-0x00007FF85FF60000-0x00007FF85FF70000-memory.dmp

Filesize
64KB

Download
memory/2036-147-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/2036-144-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/2036-145-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/2036-166-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/2036-143-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/2036-165-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/2036-164-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/2036-163-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/2036-140-0x0000000000000000-mapping.dmp

Download
memory/2036-146-0x00007FF862050000-0x00007FF862060000-memory.dmp

Filesize
64KB

Download
memory/2288-141-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2288-142-0x0000000002450000-0x0000000002492000-memory.dmp

Filesize
264KB

Download
memory/2288-159-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2288-160-0x0000000002450000-0x0000000002492000-memory.dmp

Filesize
264KB

Download
memory/2288-135-0x0000000000000000-mapping.dmp

Download
memory/2288-154-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2288-153-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2288-152-0x0000000003BE0000-0x0000000003BE3000-memory.dmp

Filesize
12KB

Download
memory/2288-149-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads