f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd

General

Target

f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
Size

32KB
MD5

f40c293ff3d6915adad554926d785982
SHA1

7d040fcdce1f46d2ad2405f3d28019489624f7dc
SHA256

f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd
SHA512

2f7b303418e36635bd0d0103a2fa52cb81a83680734114ac46df968acec2a9efebf8f3f6c347630328415d68da077c0175fad51e51bf0cf02bd3b5ac52919fde
SSDEEP

384:zB1jprsW8cCCpKlOIEgKv427jOpBLnzQr6D6GpCwKVw5Dnwo:zB1dswKldrKvhCVQGRCwFD

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

pxbyz.exepxbyz.exe

pid process

4884 pxbyz.exe
4928 pxbyz.exe

pid	process
4884	pxbyz.exe
4928	pxbyz.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exepxbyz.exe

description	pid	process	target process
PID 4084 set thread context of 1636	4084	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
PID 4884 set thread context of 4928	4884	pxbyz.exe	pxbyz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exef1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exepxbyz.exe

description	pid	process	target process
PID 4084 wrote to memory of 1636	4084	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
PID 4084 wrote to memory of 1636	4084	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
PID 4084 wrote to memory of 1636	4084	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
PID 4084 wrote to memory of 1636	4084	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
PID 4084 wrote to memory of 1636	4084	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
PID 4084 wrote to memory of 1636	4084	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
PID 4084 wrote to memory of 1636	4084	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
PID 1636 wrote to memory of 4884	1636	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe	pxbyz.exe
PID 1636 wrote to memory of 4884	1636	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe	pxbyz.exe
PID 1636 wrote to memory of 4884	1636	f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe	pxbyz.exe
PID 4884 wrote to memory of 4928	4884	pxbyz.exe	pxbyz.exe
PID 4884 wrote to memory of 4928	4884	pxbyz.exe	pxbyz.exe
PID 4884 wrote to memory of 4928	4884	pxbyz.exe	pxbyz.exe
PID 4884 wrote to memory of 4928	4884	pxbyz.exe	pxbyz.exe
PID 4884 wrote to memory of 4928	4884	pxbyz.exe	pxbyz.exe
PID 4884 wrote to memory of 4928	4884	pxbyz.exe	pxbyz.exe
PID 4884 wrote to memory of 4928	4884	pxbyz.exe	pxbyz.exe

C:\Users\Admin\AppData\Local\Temp\f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
"C:\Users\Admin\AppData\Local\Temp\f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Temp\f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe
"C:\Users\Admin\AppData\Local\Temp\f1ed325e8134d3e7f2422dec303f853767b784398be60abcba915dd93f751bbd.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
"C:\Users\Admin\AppData\Local\Temp\pxbyz.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
"C:\Users\Admin\AppData\Local\Temp\pxbyz.exe"
4⤵
- Executes dropped EXE
PID:4928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
Filesize
32KB

MD5
55e4949d2a94470f94da5373c30b8481

SHA1
395850029a4e411e06df26060a9a75dee2430833

SHA256
965882785bb1ffaa11d49591618ad9636ab30a845fed1d69bd9ae3d50b88ceb9

SHA512
cd9e63253eb69cdf11a86232bae129b414600109bff5cd6e4c5dc2d88c3fa160fd5b3978b9edc44f57cb0a841618490a315bc9ae8726970ac0a2ce2a48f8e07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
Filesize
32KB

MD5
55e4949d2a94470f94da5373c30b8481

SHA1
395850029a4e411e06df26060a9a75dee2430833

SHA256
965882785bb1ffaa11d49591618ad9636ab30a845fed1d69bd9ae3d50b88ceb9

SHA512
cd9e63253eb69cdf11a86232bae129b414600109bff5cd6e4c5dc2d88c3fa160fd5b3978b9edc44f57cb0a841618490a315bc9ae8726970ac0a2ce2a48f8e07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
Filesize
32KB

MD5
55e4949d2a94470f94da5373c30b8481

SHA1
395850029a4e411e06df26060a9a75dee2430833

SHA256
965882785bb1ffaa11d49591618ad9636ab30a845fed1d69bd9ae3d50b88ceb9

SHA512
cd9e63253eb69cdf11a86232bae129b414600109bff5cd6e4c5dc2d88c3fa160fd5b3978b9edc44f57cb0a841618490a315bc9ae8726970ac0a2ce2a48f8e07e

Download Submit
memory/1636-133-0x0000000000000000-mapping.dmp

Download
memory/1636-134-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1636-136-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4084-132-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4084-137-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4884-138-0x0000000000000000-mapping.dmp

Download
memory/4884-145-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4928-141-0x0000000000000000-mapping.dmp

Download
memory/4928-146-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads