ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4

General

Target

ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe
Size

2.4MB
MD5

54a7c19c3978126a1120de7b6af5d48c
SHA1

bf8ca5950b9f0ccb64a15a192c718c5e0fab9f5b
SHA256

ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4
SHA512

28c7ff438a3b02098bb6d85ea4eabd4ce0a678ca933c5f2b7d380ed88e634677f6dbca2c0a9ede366ece329b7809029e339bb50d4444d2ac1877898c3412e1f0
SSDEEP

49152:WxoIUFS2336KoEBCGCdJzjUxnC+EnvAhezw9o+ZZ7hGeJ3TuzcC4:PIUFSbK1C7/zYxCXhzw9o+DMmyzcL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

END 4 IDM.exeend.exe

pid process

2564 END 4 IDM.exe
1676 end.exe

pid	process
2564	END 4 IDM.exe
1676	end.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exeEND 4 IDM.execmd.execmd.exe

description	pid	process	target process
PID 876 wrote to memory of 2564	876	ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe	END 4 IDM.exe
PID 876 wrote to memory of 2564	876	ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe	END 4 IDM.exe
PID 876 wrote to memory of 2564	876	ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe	END 4 IDM.exe
PID 2564 wrote to memory of 3356	2564	END 4 IDM.exe	cmd.exe
PID 2564 wrote to memory of 3356	2564	END 4 IDM.exe	cmd.exe
PID 2564 wrote to memory of 3356	2564	END 4 IDM.exe	cmd.exe
PID 2564 wrote to memory of 3588	2564	END 4 IDM.exe	cmd.exe
PID 2564 wrote to memory of 3588	2564	END 4 IDM.exe	cmd.exe
PID 2564 wrote to memory of 3588	2564	END 4 IDM.exe	cmd.exe
PID 2564 wrote to memory of 4700	2564	END 4 IDM.exe	cmd.exe
PID 2564 wrote to memory of 4700	2564	END 4 IDM.exe	cmd.exe
PID 2564 wrote to memory of 4700	2564	END 4 IDM.exe	cmd.exe
PID 4700 wrote to memory of 4704	4700	cmd.exe	attrib.exe
PID 4700 wrote to memory of 4704	4700	cmd.exe	attrib.exe
PID 4700 wrote to memory of 4704	4700	cmd.exe	attrib.exe
PID 2564 wrote to memory of 2640	2564	END 4 IDM.exe	cmd.exe
PID 2564 wrote to memory of 2640	2564	END 4 IDM.exe	cmd.exe
PID 2564 wrote to memory of 2640	2564	END 4 IDM.exe	cmd.exe
PID 2564 wrote to memory of 4352	2564	END 4 IDM.exe	cmd.exe
PID 2564 wrote to memory of 4352	2564	END 4 IDM.exe	cmd.exe
PID 2564 wrote to memory of 4352	2564	END 4 IDM.exe	cmd.exe
PID 2564 wrote to memory of 4712	2564	END 4 IDM.exe	cmd.exe
PID 2564 wrote to memory of 4712	2564	END 4 IDM.exe	cmd.exe
PID 2564 wrote to memory of 4712	2564	END 4 IDM.exe	cmd.exe
PID 4712 wrote to memory of 4764	4712	cmd.exe	mode.com
PID 4712 wrote to memory of 4764	4712	cmd.exe	mode.com
PID 4712 wrote to memory of 4764	4712	cmd.exe	mode.com
PID 4712 wrote to memory of 1676	4712	cmd.exe	end.exe
PID 4712 wrote to memory of 1676	4712	cmd.exe	end.exe
PID 4712 wrote to memory of 1676	4712	cmd.exe	end.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4704 attrib.exe

pid	process
4704	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe
"C:\Users\Admin\AppData\Local\Temp\ff49b00b01057c6effc71e75ccefcded580ed896a41120a532422200a72be1b4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:876

C:\Temp\END 4 IDM.exe
"C:\Temp\END 4 IDM.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
3⤵
PID:3356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ztmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ztmp"
3⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
3⤵
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp
4⤵
- Views/modifies file attributes
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5046.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5046.bat"
3⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4578.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp4578.exe"
3⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5046.bat "C:\Temp\END 4 IDM.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\mode.com
mode 13,1
4⤵
PID:4764

C:\Temp\end.exe
end.exe
4⤵
- Executes dropped EXE
PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\END 4 IDM.exe

Filesize
76KB

MD5
944712b001e1a9eed533069a032e6509

SHA1
854d21eb7c2637da1a26c2e92666c572cb62c903

SHA256
f8454f89e87391e3076f0ca77edf41007bf3e6c2fc2810f37e016b3126ad589f

SHA512
f57d31ba445c8cd234dca7db2492b3df360cb5678691f5968d457c9d735775eed74a893c5b09abf9558d8cbbf6acce715b6c60fa935264da68e27301c7d5ad81

Download Submit
C:\Temp\END 4 IDM.exe

Filesize
76KB

MD5
944712b001e1a9eed533069a032e6509

SHA1
854d21eb7c2637da1a26c2e92666c572cb62c903

SHA256
f8454f89e87391e3076f0ca77edf41007bf3e6c2fc2810f37e016b3126ad589f

SHA512
f57d31ba445c8cd234dca7db2492b3df360cb5678691f5968d457c9d735775eed74a893c5b09abf9558d8cbbf6acce715b6c60fa935264da68e27301c7d5ad81

Download Submit
C:\Temp\end.exe

Filesize
849KB

MD5
607598876e9dc8bcb7afb6ad25b88f10

SHA1
530cd0b31445c7a436025842dfecd10c1fccd83e

SHA256
dab4f5ba7f100ce986be92c6129534223ca700c1828509e2f456a533e56d400f

SHA512
8116fa7d887e1193a621f67069624a772be5b60978fb2e3851767813f3a63ee99a2bba27fc0a0a321180d73f1554dce9ba14159ad420463a7dbb6cca0fd71191

Download Submit
C:\Temp\end.exe

Filesize
849KB

MD5
607598876e9dc8bcb7afb6ad25b88f10

SHA1
530cd0b31445c7a436025842dfecd10c1fccd83e

SHA256
dab4f5ba7f100ce986be92c6129534223ca700c1828509e2f456a533e56d400f

SHA512
8116fa7d887e1193a621f67069624a772be5b60978fb2e3851767813f3a63ee99a2bba27fc0a0a321180d73f1554dce9ba14159ad420463a7dbb6cca0fd71191

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5046.bat

Filesize
464B

MD5
2da3c9433c40fd56aa43cfc7991d9cc4

SHA1
d641f84b872e149ca4d7b30ac54c5284b7fe500b

SHA256
fbe7efd2bb72681d3040ed298bd390956b5e59cdcd166754daf740c299915bf3

SHA512
54597432839914a3ad33197a1d8c6cb5cd025a49f281296c07a8cdfee6df5cb67580f91d459bbfab29a232aac08d1f843a3eab2798e5971ec8ec3f0316009c1a

Download Submit
memory/1676-147-0x0000000000990000-0x0000000000A6C000-memory.dmp

Filesize
880KB

Download
memory/1676-152-0x0000000005710000-0x0000000005766000-memory.dmp

Filesize
344KB

Download
memory/1676-151-0x0000000005410000-0x000000000541A000-memory.dmp

Filesize
40KB

Download
memory/1676-150-0x0000000005570000-0x0000000005602000-memory.dmp

Filesize
584KB

Download
memory/1676-149-0x0000000005B20000-0x00000000060C4000-memory.dmp

Filesize
5.6MB

Download
memory/1676-148-0x0000000005430000-0x00000000054CC000-memory.dmp

Filesize
624KB

Download
memory/1676-144-0x0000000000000000-mapping.dmp

Download
memory/2564-132-0x0000000000000000-mapping.dmp

Download
memory/2640-139-0x0000000000000000-mapping.dmp

Download
memory/3356-135-0x0000000000000000-mapping.dmp

Download
memory/3588-136-0x0000000000000000-mapping.dmp

Download
memory/4352-140-0x0000000000000000-mapping.dmp

Download
memory/4700-137-0x0000000000000000-mapping.dmp

Download
memory/4704-138-0x0000000000000000-mapping.dmp

Download
memory/4712-141-0x0000000000000000-mapping.dmp

Download
memory/4764-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing