f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136

General

Target

f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe
Size

568KB
MD5

0eaee80c6c081e6bd04d5126467f007c
SHA1

cffb2257aab9868c7b2d71462d4cdc3ae1e55a97
SHA256

f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136
SHA512

6333efcceb377cdf557d3b4f9c5a8ec5430052f95a633786dde941f525b04750f61f511bf7c3f64ca88526b87ef68d9447e9eb9783b9956b5fe13b0f87b10bd5
SSDEEP

12288:xiQobmPYDqHinL62tFl1GwH5Gf2RwugAbYqBgROjqNOTOXZ1CHL8ifYw2td7kK:xbVYOinLnN1HGf2Jb3gRhjMxYwIIK

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

3EAB.tmp

pid process

4404 3EAB.tmp

pid	process
4404	3EAB.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe\" /s /n /i:U shell32.dll"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe

pid	process
2044	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe
2044	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

980 Explorer.EXE
Suspicious behavior: RenamesItself 1 IoCs

Processes:

cmd.exe

pid process

2328 cmd.exe

pid	process
980	Explorer.EXE

pid	process
2328	cmd.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

3EAB.tmpExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4404	3EAB.tmp
Token: SeShutdownPrivilege	980	Explorer.EXE
Token: SeCreatePagefilePrivilege	980	Explorer.EXE
Token: SeShutdownPrivilege	980	Explorer.EXE
Token: SeCreatePagefilePrivilege	980	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.execmd.exe3EAB.tmp

description	pid	process	target process
PID 2044 wrote to memory of 2328	2044	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe	cmd.exe
PID 2044 wrote to memory of 2328	2044	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe	cmd.exe
PID 2044 wrote to memory of 2328	2044	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe	cmd.exe
PID 2328 wrote to memory of 4360	2328	cmd.exe	reg.exe
PID 2328 wrote to memory of 4360	2328	cmd.exe	reg.exe
PID 2328 wrote to memory of 4360	2328	cmd.exe	reg.exe
PID 2328 wrote to memory of 4464	2328	cmd.exe	reg.exe
PID 2328 wrote to memory of 4464	2328	cmd.exe	reg.exe
PID 2328 wrote to memory of 4464	2328	cmd.exe	reg.exe
PID 2044 wrote to memory of 4404	2044	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe	3EAB.tmp
PID 2044 wrote to memory of 4404	2044	f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe	3EAB.tmp
PID 4404 wrote to memory of 980	4404	3EAB.tmp	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Users\Admin\AppData\Local\Temp\f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe
"C:\Users\Admin\AppData\Local\Temp\f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
3⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f
4⤵
- Adds Run key to start application
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /v RunUpdate /d "\"C:\Users\Admin\AppData\Roaming\Microsoft\f7f47bc3421b0a7d260d24c4742e7d6a2d8a2e79898997db88a5aac4f5ced136.exe\" /s /n /i:U shell32.dll"
4⤵
- Adds Run key to start application
PID:4464

C:\Users\Admin\AppData\Local\Temp\3EAB.tmp
"C:\Users\Admin\AppData\Local\Temp\3EAB.tmp" 980 "C:\Users\Admin\AppData\Roaming\Microsoft\nnutil32.dll"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3EAB.tmp
Filesize
40KB

MD5
bd8006863eec2250b2727c714f0edfa7

SHA1
f689dcf31b552da3007a76908a37077396cdcac2

SHA256
bd2a1a54c68469ce7026b8f07c7edfbd9799fffdc00cf0e59e60a959eb136668

SHA512
e2957c883a4f528e2edfbb56b8d74b35faafcd48af355c2dafd8ffddaaa25617f8ed4d6b231fd80950fdf8bc47e58b18158cf4575e17db8003819458fea1a21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EAB.tmp
Filesize
40KB

MD5
bd8006863eec2250b2727c714f0edfa7

SHA1
f689dcf31b552da3007a76908a37077396cdcac2

SHA256
bd2a1a54c68469ce7026b8f07c7edfbd9799fffdc00cf0e59e60a959eb136668

SHA512
e2957c883a4f528e2edfbb56b8d74b35faafcd48af355c2dafd8ffddaaa25617f8ed4d6b231fd80950fdf8bc47e58b18158cf4575e17db8003819458fea1a21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.bat
Filesize
710B

MD5
3f377ebb87b762d0695633a650fb5372

SHA1
2f17d72d5bc864674fecd4d9432090c5b8661df5

SHA256
2ab976fb689e6ea1a7f44134894d5c8c7148cf81a32bb470939f1a7391c88f92

SHA512
f30f2257faf65f61b419d6cd97bc603301db973b002c4fdf07920576418d91a456cf2071f5cdfcf9b60ece7dea95285c3af9d04855a142a66193c3e853e5c065

Download Submit
memory/980-139-0x00000000030E0000-0x00000000030F0000-memory.dmp

Filesize
64KB

Download
memory/980-140-0x0000000002FF0000-0x0000000003000000-memory.dmp

Filesize
64KB

Download
memory/980-141-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/980-142-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/2328-132-0x0000000000000000-mapping.dmp

Download
memory/4360-134-0x0000000000000000-mapping.dmp

Download
memory/4404-136-0x0000000000000000-mapping.dmp

Download
memory/4464-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads