8ac5061d3b24f6c8d7a60a8199fc4d631bafc71b2b5b3fadaf3ce78c776df466

General

Target

14221affd51c45f23b2390e6708bda89.exe
Size

1.3MB
MD5

14221affd51c45f23b2390e6708bda89
SHA1

145c1c56b374c283194e332572d2722c15cb23f9
SHA256

8ac5061d3b24f6c8d7a60a8199fc4d631bafc71b2b5b3fadaf3ce78c776df466
SHA512

da7418050d24d4a6a43464f437341c43b427b2b59fc44992d42a9cb2a3f56717029600c2bf850393b5691423a12fcb83fbd012f77f7dfb124cd3e6e2082e5abc
SSDEEP

24576:JdcgTewpeuCLZQ5wrS7j5G1bDD6egAmkIC:JdcgT1pehZQYYKTX5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

OWT.exe

pid process

4276 OWT.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

OWT.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation OWT.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1148 4276 WerFault.exe OWT.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4492 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4924 timeout.exe

pid	process
4276	OWT.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	OWT.exe

pid	pid_target	process	target process
1148	4276	WerFault.exe	OWT.exe

pid	process
4492	schtasks.exe

pid	process
4924	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

14221affd51c45f23b2390e6708bda89.exepowershell.exeOWT.exepowershell.exe

pid	process
2152	14221affd51c45f23b2390e6708bda89.exe
2152	14221affd51c45f23b2390e6708bda89.exe
1836	powershell.exe
1836	powershell.exe
4276	OWT.exe
4276	OWT.exe
3192	powershell.exe
3192	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

14221affd51c45f23b2390e6708bda89.exepowershell.exeOWT.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2152	14221affd51c45f23b2390e6708bda89.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	4276	OWT.exe
Token: SeDebugPrivilege	3192	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

14221affd51c45f23b2390e6708bda89.execmd.exeOWT.execmd.exe

description	pid	process	target process
PID 2152 wrote to memory of 1836	2152	14221affd51c45f23b2390e6708bda89.exe	powershell.exe
PID 2152 wrote to memory of 1836	2152	14221affd51c45f23b2390e6708bda89.exe	powershell.exe
PID 2152 wrote to memory of 2620	2152	14221affd51c45f23b2390e6708bda89.exe	cmd.exe
PID 2152 wrote to memory of 2620	2152	14221affd51c45f23b2390e6708bda89.exe	cmd.exe
PID 2620 wrote to memory of 4924	2620	cmd.exe	timeout.exe
PID 2620 wrote to memory of 4924	2620	cmd.exe	timeout.exe
PID 2620 wrote to memory of 4276	2620	cmd.exe	OWT.exe
PID 2620 wrote to memory of 4276	2620	cmd.exe	OWT.exe
PID 4276 wrote to memory of 3192	4276	OWT.exe	powershell.exe
PID 4276 wrote to memory of 3192	4276	OWT.exe	powershell.exe
PID 4276 wrote to memory of 1184	4276	OWT.exe	cmd.exe
PID 4276 wrote to memory of 1184	4276	OWT.exe	cmd.exe
PID 1184 wrote to memory of 4492	1184	cmd.exe	schtasks.exe
PID 1184 wrote to memory of 4492	1184	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\14221affd51c45f23b2390e6708bda89.exe
"C:\Users\Admin\AppData\Local\Temp\14221affd51c45f23b2390e6708bda89.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9DFA.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4924

C:\ProgramData\winrar\OWT.exe
"C:\ProgramData\winrar\OWT.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
5⤵
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4276 -s 1780
4⤵
- Program crash
PID:1148

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4276 -ip 4276
1⤵
PID:4824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winrar\OWT.exe
Filesize
1.3MB

MD5
14221affd51c45f23b2390e6708bda89

SHA1
145c1c56b374c283194e332572d2722c15cb23f9

SHA256
8ac5061d3b24f6c8d7a60a8199fc4d631bafc71b2b5b3fadaf3ce78c776df466

SHA512
da7418050d24d4a6a43464f437341c43b427b2b59fc44992d42a9cb2a3f56717029600c2bf850393b5691423a12fcb83fbd012f77f7dfb124cd3e6e2082e5abc

Download Submit
C:\ProgramData\winrar\OWT.exe
Filesize
1.3MB

MD5
14221affd51c45f23b2390e6708bda89

SHA1
145c1c56b374c283194e332572d2722c15cb23f9

SHA256
8ac5061d3b24f6c8d7a60a8199fc4d631bafc71b2b5b3fadaf3ce78c776df466

SHA512
da7418050d24d4a6a43464f437341c43b427b2b59fc44992d42a9cb2a3f56717029600c2bf850393b5691423a12fcb83fbd012f77f7dfb124cd3e6e2082e5abc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9DFA.tmp.bat
Filesize
138B

MD5
12c46476e9e3ec4ade60c12a39918ffe

SHA1
be536f07137aea4fb5f6e1ebfedb45fb8c28dcf4

SHA256
809bf0db51b627ae8c22a813dbd5b04ce0ff34d0cf70f758c39c40c93d22d70f

SHA512
46d62a49b1cc4ca51cabec3e4b26b9f0be4ff2355de33f04ee8eb5c895a63c5be861d1e2623a15490967d3d100e3dcb07a258dbc4adb3b98ee7502bffb3b6375

Download Submit
memory/1184-175-0x0000000000000000-mapping.dmp

Download
memory/1836-146-0x0000000000000000-mapping.dmp

Download
memory/1836-176-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/1836-173-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/1836-154-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/1836-152-0x0000028394740000-0x0000028394762000-memory.dmp

Filesize
136KB

Download
memory/2152-145-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/2152-153-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/2152-144-0x00007FF8350F0000-0x00007FF83523E000-memory.dmp

Filesize
1.3MB

Download
memory/2152-139-0x0000000000A90000-0x0000000000C4C000-memory.dmp

Filesize
1.7MB

Download
memory/2152-148-0x0000000000A90000-0x0000000000C4C000-memory.dmp

Filesize
1.7MB

Download
memory/2152-149-0x0000000000CA0000-0x0000000000CE1000-memory.dmp

Filesize
260KB

Download
memory/2152-143-0x0000000000A90000-0x0000000000C4C000-memory.dmp

Filesize
1.7MB

Download
memory/2152-142-0x0000000000A90000-0x0000000000C4C000-memory.dmp

Filesize
1.7MB

Download
memory/2152-137-0x00007FF84FCC0000-0x00007FF84FE61000-memory.dmp

Filesize
1.6MB

Download
memory/2152-136-0x00007FF835240000-0x00007FF8352FD000-memory.dmp

Filesize
756KB

Download
memory/2152-141-0x00007FF851C00000-0x00007FF851C2B000-memory.dmp

Filesize
172KB

Download
memory/2152-133-0x00007FF835390000-0x00007FF83543A000-memory.dmp

Filesize
680KB

Download
memory/2152-138-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/2152-140-0x0000000000CA0000-0x0000000000CE1000-memory.dmp

Filesize
260KB

Download
memory/2152-134-0x00007FF850210000-0x00007FF8502AE000-memory.dmp

Filesize
632KB

Download
memory/2152-135-0x00007FF84D2B0000-0x00007FF84D2C2000-memory.dmp

Filesize
72KB

Download
memory/2620-147-0x0000000000000000-mapping.dmp

Download
memory/3192-171-0x0000000000000000-mapping.dmp

Download
memory/3192-174-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/3192-178-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/4276-155-0x0000000000000000-mapping.dmp

Download
memory/4276-160-0x00007FF835390000-0x00007FF83543A000-memory.dmp

Filesize
680KB

Download
memory/4276-167-0x00000000006D0000-0x000000000088C000-memory.dmp

Filesize
1.7MB

Download
memory/4276-168-0x00007FF8350F0000-0x00007FF83523E000-memory.dmp

Filesize
1.3MB

Download
memory/4276-169-0x0000000003510000-0x0000000003551000-memory.dmp

Filesize
260KB

Download
memory/4276-170-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/4276-165-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/4276-164-0x00007FF84FCC0000-0x00007FF84FE61000-memory.dmp

Filesize
1.6MB

Download
memory/4276-163-0x00007FF835240000-0x00007FF8352FD000-memory.dmp

Filesize
756KB

Download
memory/4276-161-0x00007FF850210000-0x00007FF8502AE000-memory.dmp

Filesize
632KB

Download
memory/4276-162-0x00007FF84D2B0000-0x00007FF84D2C2000-memory.dmp

Filesize
72KB

Download
memory/4276-166-0x00007FF851C00000-0x00007FF851C2B000-memory.dmp

Filesize
172KB

Download
memory/4276-158-0x00000000006D0000-0x000000000088C000-memory.dmp

Filesize
1.7MB

Download
memory/4276-188-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/4276-187-0x00000000006D0000-0x000000000088C000-memory.dmp

Filesize
1.7MB

Download
memory/4276-180-0x00000000006D0000-0x000000000088C000-memory.dmp

Filesize
1.7MB

Download
memory/4276-181-0x00007FF834D20000-0x00007FF834E8A000-memory.dmp

Filesize
1.4MB

Download
memory/4276-182-0x00007FF84FBE0000-0x00007FF84FC07000-memory.dmp

Filesize
156KB

Download
memory/4276-183-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/4276-184-0x00007FF82FDE0000-0x00007FF82FE15000-memory.dmp

Filesize
212KB

Download
memory/4276-185-0x00007FF82FE20000-0x00007FF82FF22000-memory.dmp

Filesize
1.0MB

Download
memory/4276-186-0x00007FF850610000-0x00007FF85067B000-memory.dmp

Filesize
428KB

Download
memory/4492-179-0x0000000000000000-mapping.dmp

Download
memory/4924-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads