f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf

General

Target

file.exe
Size

1.3MB
MD5

442068a8271d880244a03d4d290c75fa
SHA1

bc20dc9ca257c6a0573d521e702cbf0369fdd4b3
SHA256

f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf
SHA512

a2a17a6b653087200be8b3ca5cfc80fe4db087c4fc57214090326948622e48fe0afeaea7c63a955099501ed6dec3b87328822e398cced151a7d8fc78e5a25f34
SSDEEP

24576:YmK6Q9qEYTewpekHZySOVhP8BCaff7XFf7aiJRw+UjxF:YmK6OqEYT1pek0VFof7ValxxF

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

OWT.exe

pid process

2956 OWT.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

OWT.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation OWT.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3116 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2092 timeout.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exe

pid process

4604 file.exe
4604 file.exe
4552 powershell.exe
4552 powershell.exe
2956 OWT.exe
2956 OWT.exe
4488 powershell.exe
4488 powershell.exe
2956 OWT.exe

pid	process
2956	OWT.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	OWT.exe

pid	process
3116	schtasks.exe

pid	process
2092	timeout.exe

pid	process
4604	file.exe
4604	file.exe
4552	powershell.exe
4552	powershell.exe
2956	OWT.exe
2956	OWT.exe
4488	powershell.exe
4488	powershell.exe
2956	OWT.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4604	file.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	2956	OWT.exe
Token: SeDebugPrivilege	4488	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

file.execmd.exeOWT.execmd.exe

description	pid	process	target process
PID 4604 wrote to memory of 4552	4604	file.exe	powershell.exe
PID 4604 wrote to memory of 4552	4604	file.exe	powershell.exe
PID 4604 wrote to memory of 4172	4604	file.exe	cmd.exe
PID 4604 wrote to memory of 4172	4604	file.exe	cmd.exe
PID 4172 wrote to memory of 2092	4172	cmd.exe	timeout.exe
PID 4172 wrote to memory of 2092	4172	cmd.exe	timeout.exe
PID 4172 wrote to memory of 2956	4172	cmd.exe	OWT.exe
PID 4172 wrote to memory of 2956	4172	cmd.exe	OWT.exe
PID 2956 wrote to memory of 4488	2956	OWT.exe	powershell.exe
PID 2956 wrote to memory of 4488	2956	OWT.exe	powershell.exe
PID 2956 wrote to memory of 4028	2956	OWT.exe	cmd.exe
PID 2956 wrote to memory of 4028	2956	OWT.exe	cmd.exe
PID 4028 wrote to memory of 3116	4028	cmd.exe	schtasks.exe
PID 4028 wrote to memory of 3116	4028	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1A6.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2092

C:\ProgramData\winrar\OWT.exe
"C:\ProgramData\winrar\OWT.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
5⤵
- Creates scheduled task(s)
PID:3116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winrar\OWT.exe
Filesize
1.3MB

MD5
442068a8271d880244a03d4d290c75fa

SHA1
bc20dc9ca257c6a0573d521e702cbf0369fdd4b3

SHA256
f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf

SHA512
a2a17a6b653087200be8b3ca5cfc80fe4db087c4fc57214090326948622e48fe0afeaea7c63a955099501ed6dec3b87328822e398cced151a7d8fc78e5a25f34

Download Submit
C:\ProgramData\winrar\OWT.exe
Filesize
1.3MB

MD5
442068a8271d880244a03d4d290c75fa

SHA1
bc20dc9ca257c6a0573d521e702cbf0369fdd4b3

SHA256
f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf

SHA512
a2a17a6b653087200be8b3ca5cfc80fe4db087c4fc57214090326948622e48fe0afeaea7c63a955099501ed6dec3b87328822e398cced151a7d8fc78e5a25f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1A6.tmp.bat
Filesize
137B

MD5
074545e9609c818e37efe0a21ae700a1

SHA1
70a132069f1bad451a387ef6b26cf462595ff4d8

SHA256
7f1d7e44138750f62e453a86b017136da25aad57a4ec07c165d3b78fe806057e

SHA512
3700b8427165e44c54b64dc81262857cb08cff0f93317c98940769a295a572d073415411941f5de6b2d66dfdf7faa38ab056f02be108129766b8f46c195fcb3e

Download Submit
memory/2092-153-0x0000000000000000-mapping.dmp

Download
memory/2956-172-0x00007FFA49A70000-0x00007FFA4A531000-memory.dmp

Filesize
10.8MB

Download
memory/2956-169-0x00000000006D0000-0x000000000088C000-memory.dmp

Filesize
1.7MB

Download
memory/2956-187-0x00007FFA49A70000-0x00007FFA4A531000-memory.dmp

Filesize
10.8MB

Download
memory/2956-186-0x00000000006D0000-0x000000000088C000-memory.dmp

Filesize
1.7MB

Download
memory/2956-185-0x00007FFA49A70000-0x00007FFA4A531000-memory.dmp

Filesize
10.8MB

Download
memory/2956-184-0x0000000002CE0000-0x0000000002D23000-memory.dmp

Filesize
268KB

Download
memory/2956-183-0x00000000006D0000-0x000000000088C000-memory.dmp

Filesize
1.7MB

Download
memory/2956-182-0x00007FFA65920000-0x00007FFA6595B000-memory.dmp

Filesize
236KB

Download
memory/2956-167-0x00007FFA49A70000-0x00007FFA4A531000-memory.dmp

Filesize
10.8MB

Download
memory/2956-181-0x00007FFA67D30000-0x00007FFA67D9B000-memory.dmp

Filesize
428KB

Download
memory/2956-180-0x00007FFA452A0000-0x00007FFA453A2000-memory.dmp

Filesize
1.0MB

Download
memory/2956-179-0x00007FFA5A480000-0x00007FFA5A4B5000-memory.dmp

Filesize
212KB

Download
memory/2956-178-0x00007FFA66D10000-0x00007FFA66D37000-memory.dmp

Filesize
156KB

Download
memory/2956-164-0x0000000002CE0000-0x0000000002D23000-memory.dmp

Filesize
268KB

Download
memory/2956-165-0x00007FFA5A4C0000-0x00007FFA5A57D000-memory.dmp

Filesize
756KB

Download
memory/2956-166-0x00007FFA685C0000-0x00007FFA68761000-memory.dmp

Filesize
1.6MB

Download
memory/2956-162-0x00007FFA64470000-0x00007FFA64482000-memory.dmp

Filesize
72KB

Download
memory/2956-156-0x0000000000000000-mapping.dmp

Download
memory/2956-170-0x00007FFA48320000-0x00007FFA4846E000-memory.dmp

Filesize
1.3MB

Download
memory/2956-168-0x00007FFA68350000-0x00007FFA6837B000-memory.dmp

Filesize
172KB

Download
memory/2956-160-0x00007FFA5A5A0000-0x00007FFA5A64A000-memory.dmp

Filesize
680KB

Download
memory/2956-161-0x00007FFA682B0000-0x00007FFA6834E000-memory.dmp

Filesize
632KB

Download
memory/2956-163-0x00000000006D0000-0x000000000088C000-memory.dmp

Filesize
1.7MB

Download
memory/3116-176-0x0000000000000000-mapping.dmp

Download
memory/4028-174-0x0000000000000000-mapping.dmp

Download
memory/4172-147-0x0000000000000000-mapping.dmp

Download
memory/4488-171-0x0000000000000000-mapping.dmp

Download
memory/4488-177-0x00007FFA49A70000-0x00007FFA4A531000-memory.dmp

Filesize
10.8MB

Download
memory/4552-151-0x0000022E9F460000-0x0000022E9F482000-memory.dmp

Filesize
136KB

Download
memory/4552-154-0x00007FFA49A70000-0x00007FFA4A531000-memory.dmp

Filesize
10.8MB

Download
memory/4552-146-0x0000000000000000-mapping.dmp

Download
memory/4552-155-0x00007FFA49A70000-0x00007FFA4A531000-memory.dmp

Filesize
10.8MB

Download
memory/4604-140-0x00000000033F0000-0x0000000003433000-memory.dmp

Filesize
268KB

Download
memory/4604-150-0x00007FFA49A70000-0x00007FFA4A531000-memory.dmp

Filesize
10.8MB

Download
memory/4604-135-0x00007FFA64470000-0x00007FFA64482000-memory.dmp

Filesize
72KB

Download
memory/4604-134-0x00007FFA682B0000-0x00007FFA6834E000-memory.dmp

Filesize
632KB

Download
memory/4604-139-0x0000000000D30000-0x0000000000EEC000-memory.dmp

Filesize
1.7MB

Download
memory/4604-136-0x00007FFA499B0000-0x00007FFA49A6D000-memory.dmp

Filesize
756KB

Download
memory/4604-138-0x00007FFA49A70000-0x00007FFA4A531000-memory.dmp

Filesize
10.8MB

Download
memory/4604-133-0x00007FFA4A580000-0x00007FFA4A62A000-memory.dmp

Filesize
680KB

Download
memory/4604-148-0x0000000000D30000-0x0000000000EEC000-memory.dmp

Filesize
1.7MB

Download
memory/4604-149-0x00000000033F0000-0x0000000003433000-memory.dmp

Filesize
268KB

Download
memory/4604-137-0x00007FFA685C0000-0x00007FFA68761000-memory.dmp

Filesize
1.6MB

Download
memory/4604-145-0x00007FFA49A70000-0x00007FFA4A531000-memory.dmp

Filesize
10.8MB

Download
memory/4604-144-0x00007FFA48260000-0x00007FFA483AE000-memory.dmp

Filesize
1.3MB

Download
memory/4604-143-0x0000000000D30000-0x0000000000EEC000-memory.dmp

Filesize
1.7MB

Download
memory/4604-141-0x00007FFA68350000-0x00007FFA6837B000-memory.dmp

Filesize
172KB

Download
memory/4604-142-0x0000000000D30000-0x0000000000EEC000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads