a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac

General

Target

a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe
Size

1.3MB
MD5

cb90a2e16248a527f6cc7205ed3624bf
SHA1

9499e4d7c56caf13dc1c659d0d21f74ebca57225
SHA256

a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac
SHA512

afada5ed5f801d350a75fbd5e178ffb805e32b4688107ab04e88c65e84e61fdaae56d60a23e0726afa443fae2efc6f39cd93479788a661a596ce207f14118e2f
SSDEEP

24576:UhQMSJvM7f824i1mRsWLP9wKn9gNg19rjgtB:m/xssWDaIamlgtB

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Roamingflash_player_plugin.exe

pid process

1536 Roamingflash_player_plugin.exe

pid	process
1536	Roamingflash_player_plugin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe

Loads dropped DLL 1 IoCs

Processes:

Roamingflash_player_plugin.exe

pid process

1536 Roamingflash_player_plugin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1536	Roamingflash_player_plugin.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Roamingflash_player_plugin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	Roamingflash_player_plugin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	Roamingflash_player_plugin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe

pid process

4956 a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe

description pid process

Token: SeDebugPrivilege 4956 a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Roamingflash_player_plugin.exe

pid process

1536 Roamingflash_player_plugin.exe
1536 Roamingflash_player_plugin.exe

pid	process
4956	a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe

description	pid	process
Token: SeDebugPrivilege	4956	a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe

pid	process
1536	Roamingflash_player_plugin.exe
1536	Roamingflash_player_plugin.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe

description	pid	process	target process
PID 4956 wrote to memory of 1536	4956	a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe	Roamingflash_player_plugin.exe
PID 4956 wrote to memory of 1536	4956	a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe	Roamingflash_player_plugin.exe
PID 4956 wrote to memory of 1536	4956	a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe	Roamingflash_player_plugin.exe

C:\Users\Admin\AppData\Local\Temp\a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe
"C:\Users\Admin\AppData\Local\Temp\a37b876975b6a67c69cbf73b74bad8f209ce27a446cde8c25dfa6c57bd46f5ac.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956

C:\Users\Admin\AppData\Roamingflash_player_plugin.exe
"C:\Users\Admin\AppData\Roamingflash_player_plugin.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Adobe\downloader.dll
Filesize
737KB

MD5
d2acccef79bf5f16ec0905e1f95d18aa

SHA1
a7f598ac8ebfe0ec50aef2d79ddc8323dd87bfed

SHA256
e684394b4c22b60327ed95a163a7176a7f3bf5fb5ec0ed3d1cb6b83183f3fb7c

SHA512
67f97952cfe040c37fea5a9e49de90c9a0c495eaf120dff0146f94216a61efd19f0f6e15f85244f825d44b1d4b5168d48f23786eeb3fe8535a26835d98804f4f

Download Submit
C:\Users\Admin\AppData\Roamingflash_player_plugin.exe
Filesize
1.0MB

MD5
05bd5ac2baf0abbce24deb916d0fb79c

SHA1
7070263d9c43c80b1b1f997268be72926cc0dc98

SHA256
f9f2e632535b214a0fab376b32cbee1cab6507490c22ba9e12cfa417ed8d72bb

SHA512
68837d7e5ccb97ec412c851660752f2aa45af5e4b0e09adcbea05aa3f95330813575c2e5c1c1b683820967e410725d120939b7498e578362f3c5a722655c5964

Download Submit
C:\Users\Admin\AppData\Roamingflash_player_plugin.exe
Filesize
1.0MB

MD5
05bd5ac2baf0abbce24deb916d0fb79c

SHA1
7070263d9c43c80b1b1f997268be72926cc0dc98

SHA256
f9f2e632535b214a0fab376b32cbee1cab6507490c22ba9e12cfa417ed8d72bb

SHA512
68837d7e5ccb97ec412c851660752f2aa45af5e4b0e09adcbea05aa3f95330813575c2e5c1c1b683820967e410725d120939b7498e578362f3c5a722655c5964

Download Submit
memory/1536-133-0x0000000000000000-mapping.dmp

Download
memory/1536-136-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1536-138-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4956-132-0x00007FFF3A260000-0x00007FFF3AC96000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads