253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f

General

Target

253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe
Size

31KB
MD5

3324b40b5d213bec291f9f86f0d80f64
SHA1

19742cb8591e590f5cda74a4d409790b113c4d17
SHA256

253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f
SHA512

85466678a40d656a27d23cf92ec42dd739052643c6646238ca79701ea5edd723720381fc6fa81dff99987b6d29d454f1d3ed2c6672fd66546c0a7a354265a7f3
SSDEEP

384:fVJc80u9sENIErVBx0q/qcRjRncvv1/pNxbHCcsAGqCiYyZtSWwdn:fVJc80NhEVBeiXivN9bHFGGYyZDwdn

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

sspwn.exesspwn.exeghmnr.exeghmnr.exe

pid process

5060 sspwn.exe
5024 sspwn.exe
2360 ghmnr.exe
1648 ghmnr.exe

pid	process
5060	sspwn.exe
5024	sspwn.exe
2360	ghmnr.exe
1648	ghmnr.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exesspwn.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	sspwn.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exesspwn.exeghmnr.exe

description	pid	process	target process
PID 3920 set thread context of 1180	3920	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe
PID 5060 set thread context of 5024	5060	sspwn.exe	sspwn.exe
PID 2360 set thread context of 1648	2360	ghmnr.exe	ghmnr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exesspwn.exesspwn.exeghmnr.exe

description	pid	process	target process
PID 3920 wrote to memory of 1180	3920	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe
PID 3920 wrote to memory of 1180	3920	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe
PID 3920 wrote to memory of 1180	3920	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe
PID 3920 wrote to memory of 1180	3920	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe
PID 3920 wrote to memory of 1180	3920	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe
PID 3920 wrote to memory of 1180	3920	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe
PID 3920 wrote to memory of 1180	3920	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe
PID 1180 wrote to memory of 5060	1180	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe	sspwn.exe
PID 1180 wrote to memory of 5060	1180	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe	sspwn.exe
PID 1180 wrote to memory of 5060	1180	253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe	sspwn.exe
PID 5060 wrote to memory of 5024	5060	sspwn.exe	sspwn.exe
PID 5060 wrote to memory of 5024	5060	sspwn.exe	sspwn.exe
PID 5060 wrote to memory of 5024	5060	sspwn.exe	sspwn.exe
PID 5060 wrote to memory of 5024	5060	sspwn.exe	sspwn.exe
PID 5060 wrote to memory of 5024	5060	sspwn.exe	sspwn.exe
PID 5060 wrote to memory of 5024	5060	sspwn.exe	sspwn.exe
PID 5060 wrote to memory of 5024	5060	sspwn.exe	sspwn.exe
PID 5024 wrote to memory of 2360	5024	sspwn.exe	ghmnr.exe
PID 5024 wrote to memory of 2360	5024	sspwn.exe	ghmnr.exe
PID 5024 wrote to memory of 2360	5024	sspwn.exe	ghmnr.exe
PID 2360 wrote to memory of 1648	2360	ghmnr.exe	ghmnr.exe
PID 2360 wrote to memory of 1648	2360	ghmnr.exe	ghmnr.exe
PID 2360 wrote to memory of 1648	2360	ghmnr.exe	ghmnr.exe
PID 2360 wrote to memory of 1648	2360	ghmnr.exe	ghmnr.exe
PID 2360 wrote to memory of 1648	2360	ghmnr.exe	ghmnr.exe
PID 2360 wrote to memory of 1648	2360	ghmnr.exe	ghmnr.exe
PID 2360 wrote to memory of 1648	2360	ghmnr.exe	ghmnr.exe
PID 2360 wrote to memory of 1648	2360	ghmnr.exe	ghmnr.exe
PID 2360 wrote to memory of 1648	2360	ghmnr.exe	ghmnr.exe

C:\Users\Admin\AppData\Local\Temp\253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe
"C:\Users\Admin\AppData\Local\Temp\253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3920

C:\Users\Admin\AppData\Local\Temp\253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe
"C:\Users\Admin\AppData\Local\Temp\253e58982140cc9190d35af6cb6af08ae036d53bc763ff470b2b482f9bd3598f.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\sspwn.exe
"C:\Users\Admin\AppData\Local\Temp\sspwn.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5060

C:\Users\Admin\AppData\Local\Temp\sspwn.exe
"C:\Users\Admin\AppData\Local\Temp\sspwn.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5024

C:\Users\Admin\AppData\Local\Temp\ghmnr.exe
"C:\Users\Admin\AppData\Local\Temp\ghmnr.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\ghmnr.exe
"C:\Users\Admin\AppData\Local\Temp\ghmnr.exe"
6⤵
- Executes dropped EXE
PID:1648

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc NDIS NDIS-20221123-1221.dmp
1⤵
PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ghmnr.exe

Filesize
123KB

MD5
ab43d0310edf82457bf256f63d9268cd

SHA1
a6190eefe4e504b99735ee86c2b0c96b1e7492b3

SHA256
e49e4179e819b138f70b17746b9777a9a3a3a5b34c68e65ac03916acbdad741f

SHA512
db53026304abc78bf192238783f4f036338f64506d024a2461fe66f13bb1e1750965438244490fafd12b402215278d3242822a4f3f2bebdad97b6c052cd4abfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghmnr.exe

Filesize
123KB

MD5
ab43d0310edf82457bf256f63d9268cd

SHA1
a6190eefe4e504b99735ee86c2b0c96b1e7492b3

SHA256
e49e4179e819b138f70b17746b9777a9a3a3a5b34c68e65ac03916acbdad741f

SHA512
db53026304abc78bf192238783f4f036338f64506d024a2461fe66f13bb1e1750965438244490fafd12b402215278d3242822a4f3f2bebdad97b6c052cd4abfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghmnr.exe

Filesize
123KB

MD5
ab43d0310edf82457bf256f63d9268cd

SHA1
a6190eefe4e504b99735ee86c2b0c96b1e7492b3

SHA256
e49e4179e819b138f70b17746b9777a9a3a3a5b34c68e65ac03916acbdad741f

SHA512
db53026304abc78bf192238783f4f036338f64506d024a2461fe66f13bb1e1750965438244490fafd12b402215278d3242822a4f3f2bebdad97b6c052cd4abfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sspwn.exe

Filesize
31KB

MD5
6e85943ef3900d82656f139c3ee89f4b

SHA1
30d87f6ab6eaf7ec6e606be50efd26f82e761745

SHA256
71d57cd477ce34056536641bf83da361b1b31cdf1c652bea5ceedb193864f191

SHA512
a03453fb545c6d077e6a124933a6b7a3ad53aa2e00f93a347a4b54ece83ea3345219c5d5ab3863501af6cd6e43246c63f8db40b4aa6df3e29031b0b736dad088

Download Submit
C:\Users\Admin\AppData\Local\Temp\sspwn.exe

Filesize
31KB

MD5
6e85943ef3900d82656f139c3ee89f4b

SHA1
30d87f6ab6eaf7ec6e606be50efd26f82e761745

SHA256
71d57cd477ce34056536641bf83da361b1b31cdf1c652bea5ceedb193864f191

SHA512
a03453fb545c6d077e6a124933a6b7a3ad53aa2e00f93a347a4b54ece83ea3345219c5d5ab3863501af6cd6e43246c63f8db40b4aa6df3e29031b0b736dad088

Download Submit
C:\Users\Admin\AppData\Local\Temp\sspwn.exe

Filesize
31KB

MD5
6e85943ef3900d82656f139c3ee89f4b

SHA1
30d87f6ab6eaf7ec6e606be50efd26f82e761745

SHA256
71d57cd477ce34056536641bf83da361b1b31cdf1c652bea5ceedb193864f191

SHA512
a03453fb545c6d077e6a124933a6b7a3ad53aa2e00f93a347a4b54ece83ea3345219c5d5ab3863501af6cd6e43246c63f8db40b4aa6df3e29031b0b736dad088

Download Submit
memory/1180-136-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1180-134-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1180-133-0x0000000000000000-mapping.dmp

Download
memory/1648-156-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1648-151-0x0000000000000000-mapping.dmp

Download
memory/1648-157-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1648-152-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2360-155-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2360-148-0x0000000000000000-mapping.dmp

Download
memory/3920-138-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3920-132-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3920-137-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5024-142-0x0000000000000000-mapping.dmp

Download
memory/5060-145-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5060-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads