78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152

General

Target

78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
Size

32KB
MD5

2cf817952883313ef3635569720dcbc0
SHA1

eac3afa4e4d0ee2d6a20e3ce8ae54463b7a23179
SHA256

78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152
SHA512

bbe72539bdb123bd3337b626bbff6178014ae98556c022197701cbee0edf63a825235882cef4f64022fb4bf2cd6d74e6e4104eb2b4e799821a1fa1d39a8d7d74
SSDEEP

384:zB1jprsW8cCCpKlOIEgKv427jOpBLnzQr6D6GpCwKVw5Dnw:zB1dswKldrKvhCVQGRCwF

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

pxbyz.exepxbyz.exe

pid process

208 pxbyz.exe
1820 pxbyz.exe

pid	process
208	pxbyz.exe
1820	pxbyz.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exepxbyz.exe

description	pid	process	target process
PID 4912 set thread context of 4152	4912	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
PID 208 set thread context of 1820	208	pxbyz.exe	pxbyz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exepxbyz.exe

description	pid	process	target process
PID 4912 wrote to memory of 4152	4912	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
PID 4912 wrote to memory of 4152	4912	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
PID 4912 wrote to memory of 4152	4912	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
PID 4912 wrote to memory of 4152	4912	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
PID 4912 wrote to memory of 4152	4912	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
PID 4912 wrote to memory of 4152	4912	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
PID 4912 wrote to memory of 4152	4912	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
PID 4152 wrote to memory of 208	4152	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	pxbyz.exe
PID 4152 wrote to memory of 208	4152	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	pxbyz.exe
PID 4152 wrote to memory of 208	4152	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	pxbyz.exe
PID 208 wrote to memory of 1820	208	pxbyz.exe	pxbyz.exe
PID 208 wrote to memory of 1820	208	pxbyz.exe	pxbyz.exe
PID 208 wrote to memory of 1820	208	pxbyz.exe	pxbyz.exe
PID 208 wrote to memory of 1820	208	pxbyz.exe	pxbyz.exe
PID 208 wrote to memory of 1820	208	pxbyz.exe	pxbyz.exe
PID 208 wrote to memory of 1820	208	pxbyz.exe	pxbyz.exe
PID 208 wrote to memory of 1820	208	pxbyz.exe	pxbyz.exe

C:\Users\Admin\AppData\Local\Temp\78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
"C:\Users\Admin\AppData\Local\Temp\78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4912

C:\Users\Admin\AppData\Local\Temp\78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
"C:\Users\Admin\AppData\Local\Temp\78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4152

C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
"C:\Users\Admin\AppData\Local\Temp\pxbyz.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
"C:\Users\Admin\AppData\Local\Temp\pxbyz.exe"
4⤵
- Executes dropped EXE
PID:1820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
Filesize
32KB

MD5
69226fabedfe385c37e17e8cad1baae9

SHA1
7f59758414e1940118fb80133edc993551563d17

SHA256
2d2af37936a64887c9a698aff3de3d6eea3602094f0aac5a22672ee95e3c4938

SHA512
26435e54d7777ab88004d0f21debf411fc7dc7c6e9096f6cbe47930b05f364e63a76b5bf4980a88f2042e0295020997c274ba4a2d89332601def77e65377fb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
Filesize
32KB

MD5
69226fabedfe385c37e17e8cad1baae9

SHA1
7f59758414e1940118fb80133edc993551563d17

SHA256
2d2af37936a64887c9a698aff3de3d6eea3602094f0aac5a22672ee95e3c4938

SHA512
26435e54d7777ab88004d0f21debf411fc7dc7c6e9096f6cbe47930b05f364e63a76b5bf4980a88f2042e0295020997c274ba4a2d89332601def77e65377fb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
Filesize
32KB

MD5
69226fabedfe385c37e17e8cad1baae9

SHA1
7f59758414e1940118fb80133edc993551563d17

SHA256
2d2af37936a64887c9a698aff3de3d6eea3602094f0aac5a22672ee95e3c4938

SHA512
26435e54d7777ab88004d0f21debf411fc7dc7c6e9096f6cbe47930b05f364e63a76b5bf4980a88f2042e0295020997c274ba4a2d89332601def77e65377fb51

Download Submit
memory/208-137-0x0000000000000000-mapping.dmp

Download
memory/208-143-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1820-140-0x0000000000000000-mapping.dmp

Download
memory/1820-145-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4152-132-0x0000000000000000-mapping.dmp

Download
memory/4152-133-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4152-136-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4912-135-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads