5a189d57775d13eaa7e2cf5c461dffa4ac61baca5abc3a3835cef2a1c0aac91c

General

Target

5a189d57775d13eaa7e2cf5c461dffa4ac61baca5abc3a3835cef2a1c0aac91c.exe
Size

168KB
MD5

b06d8708ce180fd6963d94f530303058
SHA1

f60c0c2a9ff177dd606aa96175fa96b17714c238
SHA256

5a189d57775d13eaa7e2cf5c461dffa4ac61baca5abc3a3835cef2a1c0aac91c
SHA512

5b9e601b074be5718458a7ede9394ec82bbb972cd0da63dc643a05b96ced93e0cd682237fb72f91d7a14890d856e788ce07c271636a1db9a672a1e7036660cae
SSDEEP

1536:TCl8jequo9Qtr/OLMf1Y8hitviXrSkuDM5QSOK:TPjw1/OLiYZoSk+Md

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

LocalteRpknufjC.exeSystem Idle Process.exe

pid process

2212 LocalteRpknufjC.exe
4940 System Idle Process.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2356 netsh.exe

pid	process
2212	LocalteRpknufjC.exe
4940	System Idle Process.exe

pid	process
2356	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5a189d57775d13eaa7e2cf5c461dffa4ac61baca5abc3a3835cef2a1c0aac91c.exeLocalteRpknufjC.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5a189d57775d13eaa7e2cf5c461dffa4ac61baca5abc3a3835cef2a1c0aac91c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	LocalteRpknufjC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5a189d57775d13eaa7e2cf5c461dffa4ac61baca5abc3a3835cef2a1c0aac91c.exeLocalteRpknufjC.exeSystem Idle Process.exe

description	pid	process	target process
PID 4152 wrote to memory of 2212	4152	5a189d57775d13eaa7e2cf5c461dffa4ac61baca5abc3a3835cef2a1c0aac91c.exe	LocalteRpknufjC.exe
PID 4152 wrote to memory of 2212	4152	5a189d57775d13eaa7e2cf5c461dffa4ac61baca5abc3a3835cef2a1c0aac91c.exe	LocalteRpknufjC.exe
PID 4152 wrote to memory of 2212	4152	5a189d57775d13eaa7e2cf5c461dffa4ac61baca5abc3a3835cef2a1c0aac91c.exe	LocalteRpknufjC.exe
PID 2212 wrote to memory of 4940	2212	LocalteRpknufjC.exe	System Idle Process.exe
PID 2212 wrote to memory of 4940	2212	LocalteRpknufjC.exe	System Idle Process.exe
PID 2212 wrote to memory of 4940	2212	LocalteRpknufjC.exe	System Idle Process.exe
PID 4940 wrote to memory of 2356	4940	System Idle Process.exe	netsh.exe
PID 4940 wrote to memory of 2356	4940	System Idle Process.exe	netsh.exe
PID 4940 wrote to memory of 2356	4940	System Idle Process.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\5a189d57775d13eaa7e2cf5c461dffa4ac61baca5abc3a3835cef2a1c0aac91c.exe
"C:\Users\Admin\AppData\Local\Temp\5a189d57775d13eaa7e2cf5c461dffa4ac61baca5abc3a3835cef2a1c0aac91c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4152

C:\Users\Admin\AppData\LocalteRpknufjC.exe
"C:\Users\Admin\AppData\LocalteRpknufjC.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2212

C:\Users\Admin\AppData\Roaming\System Idle Process.exe
"C:\Users\Admin\AppData\Roaming\System Idle Process.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System Idle Process.exe" "System Idle Process.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:2356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalteRpknufjC.exe

Filesize
10KB

MD5
36fab9add490f06b900219718b0cfe11

SHA1
12f52e7ac9b8f1f5ec709262bb71a2865fe24ec1

SHA256
293c27a0817c2900910ed538d4cc54faa62318ae58a6c6d6b74e0080da4fd5f7

SHA512
f885787bb9c8bea1fa10b8126ced82242c25c11acb59ec68062f9cb41b0dfb4c07b41d012251733ec9a1dd63e7a6ba33dd771a0f70b6060c4fddcdd2845f7de7

Download Submit
C:\Users\Admin\AppData\LocalteRpknufjC.exe

Filesize
10KB

MD5
36fab9add490f06b900219718b0cfe11

SHA1
12f52e7ac9b8f1f5ec709262bb71a2865fe24ec1

SHA256
293c27a0817c2900910ed538d4cc54faa62318ae58a6c6d6b74e0080da4fd5f7

SHA512
f885787bb9c8bea1fa10b8126ced82242c25c11acb59ec68062f9cb41b0dfb4c07b41d012251733ec9a1dd63e7a6ba33dd771a0f70b6060c4fddcdd2845f7de7

Download Submit
C:\Users\Admin\AppData\Roaming\System Idle Process.exe

Filesize
10KB

MD5
36fab9add490f06b900219718b0cfe11

SHA1
12f52e7ac9b8f1f5ec709262bb71a2865fe24ec1

SHA256
293c27a0817c2900910ed538d4cc54faa62318ae58a6c6d6b74e0080da4fd5f7

SHA512
f885787bb9c8bea1fa10b8126ced82242c25c11acb59ec68062f9cb41b0dfb4c07b41d012251733ec9a1dd63e7a6ba33dd771a0f70b6060c4fddcdd2845f7de7

Download Submit
C:\Users\Admin\AppData\Roaming\System Idle Process.exe

Filesize
10KB

MD5
36fab9add490f06b900219718b0cfe11

SHA1
12f52e7ac9b8f1f5ec709262bb71a2865fe24ec1

SHA256
293c27a0817c2900910ed538d4cc54faa62318ae58a6c6d6b74e0080da4fd5f7

SHA512
f885787bb9c8bea1fa10b8126ced82242c25c11acb59ec68062f9cb41b0dfb4c07b41d012251733ec9a1dd63e7a6ba33dd771a0f70b6060c4fddcdd2845f7de7

Download Submit
memory/2212-133-0x0000000000000000-mapping.dmp

Download
memory/2212-136-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/2212-140-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/2356-141-0x0000000000000000-mapping.dmp

Download
memory/4152-132-0x00007FFF3A260000-0x00007FFF3AC96000-memory.dmp

Filesize
10.2MB

Download
memory/4940-137-0x0000000000000000-mapping.dmp

Download
memory/4940-142-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download
memory/4940-143-0x0000000074750000-0x0000000074D01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing