402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c

General

Target

402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
Size

271KB
MD5

c238b0d3cdd6ca72003e01b29bf3ddf7
SHA1

26ebb8833981cadd288f579fc0a75d24a9faecaf
SHA256

402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c
SHA512

d406a5bf8c19d7b82c9610639254fc40a224156c81e9fee2de34af9731648436291a8cb3b1769706b58d0744e23b30cf1b156214380ad177b67bccece4a5246d
SSDEEP

6144:ErL9IN25Y5iBsxchLMQq3BdqpIfnquBIK2l/3Hctlff:EL9IkUms6FnqRiuSl/XIff

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe

pid process

364 402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe

pid	process
364	402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe

pid process

364 402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe

pid	process
364	402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe

description	pid	process
Token: SeDebugPrivilege	2656	402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
Token: SeDebugPrivilege	364	402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
Token: SeDebugPrivilege	364	402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe

description	pid	process	target process
PID 2656 wrote to memory of 364	2656	402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe	402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
PID 2656 wrote to memory of 364	2656	402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe	402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
PID 2656 wrote to memory of 364	2656	402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe	402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
PID 2656 wrote to memory of 5092	2656	402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe	cmd.exe
PID 2656 wrote to memory of 5092	2656	402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe	cmd.exe
PID 2656 wrote to memory of 5092	2656	402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
"C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
"C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe"
2⤵
PID:5092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
Filesize
271KB

MD5
c238b0d3cdd6ca72003e01b29bf3ddf7

SHA1
26ebb8833981cadd288f579fc0a75d24a9faecaf

SHA256
402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c

SHA512
d406a5bf8c19d7b82c9610639254fc40a224156c81e9fee2de34af9731648436291a8cb3b1769706b58d0744e23b30cf1b156214380ad177b67bccece4a5246d

Download Submit
C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
Filesize
271KB

MD5
c238b0d3cdd6ca72003e01b29bf3ddf7

SHA1
26ebb8833981cadd288f579fc0a75d24a9faecaf

SHA256
402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c

SHA512
d406a5bf8c19d7b82c9610639254fc40a224156c81e9fee2de34af9731648436291a8cb3b1769706b58d0744e23b30cf1b156214380ad177b67bccece4a5246d

Download Submit
memory/364-134-0x0000000000000000-mapping.dmp

Download
memory/364-138-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/364-139-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2656-132-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2656-133-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/5092-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads