6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191

General

Target

6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe
Size

22KB
MD5

ce17d920e84a8704c311f814ba980421
SHA1

755c5beb7a15dd3a6d5eb6a5cf6f1326e3dcafa9
SHA256

6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191
SHA512

daee1137e0c510d848f9fb7ef0b81ad3bfc6399ee4d95ee33584409b2c6f3ac383b86258d36dde7e801c6af9cce6862050c5c6086e0125be3398d21bce7c722e
SSDEEP

384:rIiV728hUQ7Y2P/cVEccDdye7kjlWLe7grPiA8jyrMPhTjanbBoZSuniaNJawcuQ:rRGuY2P0Vo6r7SiAwyrMRjbgKnbcuyDw

Score

8^/10

evasion upx

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\system32\drivers\etc\hosts.ics	cmd.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts.ics	cmd.exe
File created	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Sets file to hidden 1 TTPs 4 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

2956 attrib.exe
3780 attrib.exe
3528 attrib.exe
2940 attrib.exe

pid	process
2956	attrib.exe
3780	attrib.exe
3528	attrib.exe
2940	attrib.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1772-132-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/1772-143-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.execmd.exe

description	pid	process	target process
PID 1772 wrote to memory of 1108	1772	6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe	cmd.exe
PID 1772 wrote to memory of 1108	1772	6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe	cmd.exe
PID 1772 wrote to memory of 1108	1772	6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe	cmd.exe
PID 1108 wrote to memory of 2320	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 2320	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 2320	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 1512	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 1512	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 1512	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 1320	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 1320	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 1320	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 4700	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 4700	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 4700	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 3780	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 3780	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 3780	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 3528	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 3528	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 3528	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 2940	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 2940	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 2940	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 2956	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 2956	1108	cmd.exe	attrib.exe
PID 1108 wrote to memory of 2956	1108	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 8 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1320 attrib.exe
4700 attrib.exe
3780 attrib.exe
3528 attrib.exe
2940 attrib.exe
2956 attrib.exe
2320 attrib.exe
1512 attrib.exe

pid	process
1320	attrib.exe
4700	attrib.exe
3780	attrib.exe
3528	attrib.exe
2940	attrib.exe
2956	attrib.exe
2320	attrib.exe
1512	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe
"C:\Users\Admin\AppData\Local\Temp\6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3A74.tmp\encrypt.bat" "
2⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\system32\drivers\etc\hosts -r -s -h
3⤵
- Views/modifies file attributes
PID:2320

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\system32\drivers\etc\hosts.ics -r -s -h
3⤵
- Views/modifies file attributes
PID:1512

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\system32\drivers\etc\hosts -r -s -h
3⤵
- Views/modifies file attributes
PID:1320

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\system32\drivers\etc\hosts.ics -r -s -h
3⤵
- Views/modifies file attributes
PID:4700

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\system32\drivers\etc\hosts +r +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3780

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\system32\drivers\etc\hosts.ics +r +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3528

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\system32\drivers\etc\hosts +r +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2940

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\system32\drivers\etc\hosts.ics +r +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3A74.tmp\encrypt.bat

Filesize
13KB

MD5
d57e330a794766ec0ff5c9d766f59519

SHA1
fa535aae290ad5b44f9a91eb001ad5e164d1f01c

SHA256
eed45a63e3b37916d9cf90fafe088022c14c701e844701e81688f4f0e8c19ace

SHA512
718e6eefa237edceb049aba6d3f598d0e326988edce8bddd09e3e5e36f22250676517d204b6a80e6bd91cd71ccfc830f60f4221ed3fc8c934b7ae9471431842f

Download Submit
memory/1108-133-0x0000000000000000-mapping.dmp

Download
memory/1320-137-0x0000000000000000-mapping.dmp

Download
memory/1512-136-0x0000000000000000-mapping.dmp

Download
memory/1772-132-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1772-143-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2320-135-0x0000000000000000-mapping.dmp

Download
memory/2940-141-0x0000000000000000-mapping.dmp

Download
memory/2956-142-0x0000000000000000-mapping.dmp

Download
memory/3528-140-0x0000000000000000-mapping.dmp

Download
memory/3780-139-0x0000000000000000-mapping.dmp

Download
memory/4700-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads