a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d

General

Target

a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
Size

388KB
MD5

ee48923e9421a22a7ce1af204faf3495
SHA1

91e2e2894c5a291deece18edf727bff17460b267
SHA256

a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d
SHA512

f562d7ee04a8f5709ba2553a78123049130a89f33c650d0d5b824d0c009c8fab7e2c1297508ac50849c06b38574521c7dab76337134b41f1e046aa1c89c7dd1d
SSDEEP

6144:08tK5Ggk1+vOd0RneBRQALcMqB6D5B1RDHmIEaqddK:uMgk1Yd8R2MqIDz1xHmIPQg

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

System.exeSystem.exe

pid process

3528 System.exe
2472 System.exe

pid	process
3528	System.exe
2472	System.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

System.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Torrent = "\"C:\\windows\\System.exe\""	System.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exeSystem.exe

description	pid	process	target process
PID 1504 set thread context of 3816	1504	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 3528 set thread context of 2472	3528	System.exe	System.exe

Drops file in Windows directory 3 IoCs

Processes:

a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exeSystem.exe

description	ioc	process
File opened for modification	\??\c:\windows\System.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
File opened for modification	C:\windows\System.exe	System.exe
File created	\??\c:\windows\System.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exeSystem.exe

pid	process
1504	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
1504	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
3528	System.exe
3528	System.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exeSystem.exe

pid process

1504 a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
3528 System.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exea509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exeSystem.exe

description	pid	process	target process
PID 1504 wrote to memory of 3816	1504	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 1504 wrote to memory of 3816	1504	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 1504 wrote to memory of 3816	1504	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 1504 wrote to memory of 3816	1504	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 1504 wrote to memory of 3816	1504	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 1504 wrote to memory of 3816	1504	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 1504 wrote to memory of 3816	1504	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 1504 wrote to memory of 3816	1504	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 1504 wrote to memory of 3816	1504	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 1504 wrote to memory of 3816	1504	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 1504 wrote to memory of 3816	1504	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
PID 3816 wrote to memory of 3528	3816	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	System.exe
PID 3816 wrote to memory of 3528	3816	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	System.exe
PID 3816 wrote to memory of 3528	3816	a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe	System.exe
PID 3528 wrote to memory of 2472	3528	System.exe	System.exe
PID 3528 wrote to memory of 2472	3528	System.exe	System.exe
PID 3528 wrote to memory of 2472	3528	System.exe	System.exe
PID 3528 wrote to memory of 2472	3528	System.exe	System.exe
PID 3528 wrote to memory of 2472	3528	System.exe	System.exe
PID 3528 wrote to memory of 2472	3528	System.exe	System.exe
PID 3528 wrote to memory of 2472	3528	System.exe	System.exe
PID 3528 wrote to memory of 2472	3528	System.exe	System.exe
PID 3528 wrote to memory of 2472	3528	System.exe	System.exe
PID 3528 wrote to memory of 2472	3528	System.exe	System.exe
PID 3528 wrote to memory of 2472	3528	System.exe	System.exe

C:\Users\Admin\AppData\Local\Temp\a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
"C:\Users\Admin\AppData\Local\Temp\a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe
"C:\Users\Admin\AppData\Local\Temp\a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d.exe"
2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3816

C:\windows\System.exe
"C:\windows\System.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3528

C:\windows\System.exe
"C:\windows\System.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System.exe
Filesize
388KB

MD5
ee48923e9421a22a7ce1af204faf3495

SHA1
91e2e2894c5a291deece18edf727bff17460b267

SHA256
a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d

SHA512
f562d7ee04a8f5709ba2553a78123049130a89f33c650d0d5b824d0c009c8fab7e2c1297508ac50849c06b38574521c7dab76337134b41f1e046aa1c89c7dd1d

Download Submit
C:\Windows\System.exe
Filesize
388KB

MD5
ee48923e9421a22a7ce1af204faf3495

SHA1
91e2e2894c5a291deece18edf727bff17460b267

SHA256
a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d

SHA512
f562d7ee04a8f5709ba2553a78123049130a89f33c650d0d5b824d0c009c8fab7e2c1297508ac50849c06b38574521c7dab76337134b41f1e046aa1c89c7dd1d

Download Submit
C:\windows\System.exe
Filesize
388KB

MD5
ee48923e9421a22a7ce1af204faf3495

SHA1
91e2e2894c5a291deece18edf727bff17460b267

SHA256
a509cc02a8ad2c8f730e9e81e21375bd2ead873435370d9a996535822af8031d

SHA512
f562d7ee04a8f5709ba2553a78123049130a89f33c650d0d5b824d0c009c8fab7e2c1297508ac50849c06b38574521c7dab76337134b41f1e046aa1c89c7dd1d

Download Submit
memory/1504-138-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1504-132-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2472-147-0x0000000000000000-mapping.dmp

Download
memory/2472-155-0x0000000002510000-0x0000000002558000-memory.dmp

Filesize
288KB

Download
memory/2472-154-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2472-153-0x0000000002510000-0x0000000002558000-memory.dmp

Filesize
288KB

Download
memory/2472-152-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3528-151-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3528-146-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3528-141-0x0000000000000000-mapping.dmp

Download
memory/3816-140-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3816-139-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3816-136-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3816-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads