dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61

General

Target

dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe
Size

1.3MB
MD5

92aafe7bcf2ab2d498314abd5fb50aa6
SHA1

dc03663d65231fe80cac1d94025f2e2d577f1bd8
SHA256

dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61
SHA512

295d4d0c9e8b2e36cbbadb449fb25e1889870ac8855473645ebec67b40c21d7b9f630be93f454ac5adb88620bf1aa5d0d809448da29fdd8f15c195bcda3fed7b
SSDEEP

24576:cEIcw9lUgrG+6s7rWB+OmPomKGyg5k0UvVMHLV:TakgC+zrWB+VFjruw

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

668A.tmpWUU.exe

pid process

4464 668A.tmp
764 WUU.exe

pid	process
4464	668A.tmp
764	WUU.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/5040-132-0x0000000000DD0000-0x0000000000F26000-memory.dmp	vmprotect
behavioral2/memory/5040-133-0x0000000000DD0000-0x0000000000F26000-memory.dmp	vmprotect
behavioral2/memory/5040-142-0x0000000000DD0000-0x0000000000F26000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

668A.tmpdc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	668A.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe

Drops file in System32 directory 2 IoCs

Processes:

668A.tmp

description ioc process

File created C:\Windows\system32\WUU.exe 668A.tmp
File opened for modification C:\Windows\system32\WUU.exe 668A.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\system32\WUU.exe	668A.tmp
File opened for modification	C:\Windows\system32\WUU.exe	668A.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe

pid	process
5040	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe
5040	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe668A.tmp

description	pid	process	target process
PID 5040 wrote to memory of 4464	5040	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe	668A.tmp
PID 5040 wrote to memory of 4464	5040	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe	668A.tmp
PID 4464 wrote to memory of 4564	4464	668A.tmp	cmd.exe
PID 4464 wrote to memory of 4564	4464	668A.tmp	cmd.exe
PID 5040 wrote to memory of 4320	5040	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe	cmd.exe
PID 5040 wrote to memory of 4320	5040	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe	cmd.exe
PID 5040 wrote to memory of 4320	5040	dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe
"C:\Users\Admin\AppData\Local\Temp\dc54f2c3c2e7ad848241125c272e202ce462e63338032fb3bf4c8868fb073a61.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5040

C:\Users\Admin\AppData\Local\Temp\668A.tmp
"C:\Users\Admin\AppData\Local\Temp\668A.tmp"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6AEF.tmp.bat" "
3⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6860.tmp.bat" "
2⤵
PID:4320

C:\Windows\system32\WUU.exe
C:\Windows\system32\WUU.exe
1⤵
- Executes dropped EXE
PID:764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\668A.tmp
Filesize
309KB

MD5
16f61ad89ccddda5305b5d284f52c8df

SHA1
8422d633200bab084331077b0d231014bba9af72

SHA256
038d055816b329b399cb57048c1dd049bcab49e37ebd0069fa4533488a7da12f

SHA512
35b4dbe4985a31cd8fd7973ba0a2cd0e0c60049f0dbd61addbb2b4110e2acaa698cc62660940f2e78bb3e01f7e3acbafd06376453b4c5814127823d6061fff75

Download Submit
C:\Users\Admin\AppData\Local\Temp\668A.tmp
Filesize
309KB

MD5
16f61ad89ccddda5305b5d284f52c8df

SHA1
8422d633200bab084331077b0d231014bba9af72

SHA256
038d055816b329b399cb57048c1dd049bcab49e37ebd0069fa4533488a7da12f

SHA512
35b4dbe4985a31cd8fd7973ba0a2cd0e0c60049f0dbd61addbb2b4110e2acaa698cc62660940f2e78bb3e01f7e3acbafd06376453b4c5814127823d6061fff75

Download Submit
C:\Users\Admin\AppData\Local\Temp\6860.tmp.bat
Filesize
306B

MD5
355381b62dde82f0760753fb22af6bcd

SHA1
2906ab613b29d73aa8b884782f5a45d6b038285c

SHA256
bbb837d6aa92e68bf346f936b70682395dab082f4387d0e4c96afdf4b76e1eb7

SHA512
555b7215c5043c1327a9f59b4b6c4556ca176d6007937c744a1ecab7eb5f428d8036bc5ae50b88dd75be2fff7b0244360590f71df16a3fe4fcd62ed5e478673b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AEF.tmp.bat
Filesize
186B

MD5
006116e3cc0e19b53d9ad36389abd535

SHA1
f5f6c10172361725dcee38cc0cadbad0f291e0d6

SHA256
8692c9ad25cbf4071b675dbefdb1253093206c56f587354500255f2d144f2472

SHA512
9726e8a38b46372459eeeb110915aa70c4aeaab839bc82699ebce98a320e401efe8c21dcee43bcf47d1236b3086461b5ab9a7205cf725817e109fbf7dcd0c39e

Download Submit
C:\Windows\System32\WUU.exe
Filesize
309KB

MD5
16f61ad89ccddda5305b5d284f52c8df

SHA1
8422d633200bab084331077b0d231014bba9af72

SHA256
038d055816b329b399cb57048c1dd049bcab49e37ebd0069fa4533488a7da12f

SHA512
35b4dbe4985a31cd8fd7973ba0a2cd0e0c60049f0dbd61addbb2b4110e2acaa698cc62660940f2e78bb3e01f7e3acbafd06376453b4c5814127823d6061fff75

Download Submit
C:\Windows\system32\WUU.exe
Filesize
309KB

MD5
16f61ad89ccddda5305b5d284f52c8df

SHA1
8422d633200bab084331077b0d231014bba9af72

SHA256
038d055816b329b399cb57048c1dd049bcab49e37ebd0069fa4533488a7da12f

SHA512
35b4dbe4985a31cd8fd7973ba0a2cd0e0c60049f0dbd61addbb2b4110e2acaa698cc62660940f2e78bb3e01f7e3acbafd06376453b4c5814127823d6061fff75

Download Submit
memory/4320-141-0x0000000000000000-mapping.dmp

Download
memory/4464-134-0x0000000000000000-mapping.dmp

Download
memory/4564-139-0x0000000000000000-mapping.dmp

Download
memory/5040-132-0x0000000000DD0000-0x0000000000F26000-memory.dmp

Filesize
1.3MB

Download
memory/5040-133-0x0000000000DD0000-0x0000000000F26000-memory.dmp

Filesize
1.3MB

Download
memory/5040-142-0x0000000000DD0000-0x0000000000F26000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads