62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a

General

Target

62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
Size

433KB
MD5

d509d0fbb447397b3db53d4a0d96adf7
SHA1

d445e5a05ac39fc7bcac88cfa35c6db90667a117
SHA256

62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a
SHA512

7780734008f62c682b2b12d70f273de81ae261dce7bcb68c8d11c3d837bfa99e3cfa88bfd509eb3f40e52b2739b227fcc01b38a9bea2b637216e1d5f8511f4da
SSDEEP

6144:qxNoh9F9Bsw164o+o4N40xwUMaccon8lhKxnpmCLQptOWolIhRmpXtEO/0q+dnpM:qxU96w164oUvGdA4xndQ2KXYYn8z0y

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\txjdhcmlx.exe	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\txjdhcmlx.exe\DisableExceptionChainValidation	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe

Loads dropped DLL 4 IoCs

pid	Process
2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File created	C:\ProgramData\microsoft\desktop.ini	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2804 set thread context of 976	2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
688	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1564	timeout.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{83453B33-B5E2-304C-B2B7-1C1B959B1E89}\6148082F\CG1	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{83453B33-B5E2-304C-B2B7-1C1B959B1E89}	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{83453B33-B5E2-304C-B2B7-1C1B959B1E89}\6148082F	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{83453B33-B5E2-304C-B2B7-1C1B959B1E89}\6148082F\CG1\HAL = 05ee0000	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{83453B33-B5E2-304C-B2B7-1C1B959B1E89}\6148082F\CG1\BID = 200008001a000b00e6070000140000001a000b0003001f000000000083f28163	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
976	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
976	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
976	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
Token: SeRestorePrivilege	976	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
Token: SeBackupPrivilege	976	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
Token: SeDebugPrivilege	976	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 976	2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	82
PID 2804 wrote to memory of 976	2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	82
PID 2804 wrote to memory of 976	2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	82
PID 2804 wrote to memory of 976	2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	82
PID 2804 wrote to memory of 976	2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	82
PID 2804 wrote to memory of 976	2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	82
PID 2804 wrote to memory of 976	2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	82
PID 2804 wrote to memory of 976	2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	82
PID 2804 wrote to memory of 976	2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	82
PID 2804 wrote to memory of 1464	2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	83
PID 2804 wrote to memory of 1464	2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	83
PID 2804 wrote to memory of 1464	2804	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	83
PID 1464 wrote to memory of 1564	1464	CMD.EXE	85
PID 1464 wrote to memory of 1564	1464	CMD.EXE	85
PID 1464 wrote to memory of 1564	1464	CMD.EXE	85
PID 976 wrote to memory of 688	976	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	86
PID 976 wrote to memory of 688	976	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	86
PID 976 wrote to memory of 688	976	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	86
PID 976 wrote to memory of 4664	976	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	88
PID 976 wrote to memory of 4664	976	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	88
PID 976 wrote to memory of 4664	976	62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe	88

C:\Users\Admin\AppData\Local\Temp\62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
"C:\Users\Admin\AppData\Local\Temp\62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
  C:\Users\Admin\AppData\Local\Temp\62ba3eb1141a49dc5f19536f6caa081d26b1018b61a72363e67f6fd166795d7a.exe
  2⤵
  - Sets file execution options in registry
  - Checks computer location settings
  - Checks for any installed AV software in registry
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x6148082F" /TR "C:\ProgramData\microsoft\txjdhcmlx.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:688
- - C:\Windows\SysWOW64\WerFault.exe
    "C:\Windows\SysWOW64\WerFault.exe"
    3⤵
    PID:4664
- C:\Windows\SysWOW64\CMD.EXE
  "CMD.EXE" /C timeout 3 & del C:\ProgramData\C42e9at7n5m1bhS.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Security Software Discovery

1

T1063

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\C42e9at7n5m1bhS.dll

Filesize
25KB

MD5
38b41c1ce13a8bad90952a4a3250be40

SHA1
ffafc409630fa29280bbd60447d7cd1b23b4999d

SHA256
0cddea5438f90e10d1a6df51e2f3d638adbb727317a27428477cd179b3925557

SHA512
0301518235b2ff1b09e6745e18b995aad2f1eb746471ae98af6fc26f497e74daa86983dc94f0e5a0ae20a5a710bcf8496b9ad35b1378e9ea2c3a24c771f8b89c

Download Submit
C:\ProgramData\C42e9at7n5m1bhS.dll

Filesize
25KB

MD5
38b41c1ce13a8bad90952a4a3250be40

SHA1
ffafc409630fa29280bbd60447d7cd1b23b4999d

SHA256
0cddea5438f90e10d1a6df51e2f3d638adbb727317a27428477cd179b3925557

SHA512
0301518235b2ff1b09e6745e18b995aad2f1eb746471ae98af6fc26f497e74daa86983dc94f0e5a0ae20a5a710bcf8496b9ad35b1378e9ea2c3a24c771f8b89c

Download Submit
C:\ProgramData\C42e9at7n5m1bhS.dll

Filesize
25KB

MD5
38b41c1ce13a8bad90952a4a3250be40

SHA1
ffafc409630fa29280bbd60447d7cd1b23b4999d

SHA256
0cddea5438f90e10d1a6df51e2f3d638adbb727317a27428477cd179b3925557

SHA512
0301518235b2ff1b09e6745e18b995aad2f1eb746471ae98af6fc26f497e74daa86983dc94f0e5a0ae20a5a710bcf8496b9ad35b1378e9ea2c3a24c771f8b89c

Download Submit
C:\ProgramData\C42e9at7n5m1bhS.dll

Filesize
25KB

MD5
38b41c1ce13a8bad90952a4a3250be40

SHA1
ffafc409630fa29280bbd60447d7cd1b23b4999d

SHA256
0cddea5438f90e10d1a6df51e2f3d638adbb727317a27428477cd179b3925557

SHA512
0301518235b2ff1b09e6745e18b995aad2f1eb746471ae98af6fc26f497e74daa86983dc94f0e5a0ae20a5a710bcf8496b9ad35b1378e9ea2c3a24c771f8b89c

Download Submit
C:\ProgramData\C42e9at7n5m1bhS.dll

Filesize
25KB

MD5
38b41c1ce13a8bad90952a4a3250be40

SHA1
ffafc409630fa29280bbd60447d7cd1b23b4999d

SHA256
0cddea5438f90e10d1a6df51e2f3d638adbb727317a27428477cd179b3925557

SHA512
0301518235b2ff1b09e6745e18b995aad2f1eb746471ae98af6fc26f497e74daa86983dc94f0e5a0ae20a5a710bcf8496b9ad35b1378e9ea2c3a24c771f8b89c

Download Submit
memory/976-137-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/976-140-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/976-148-0x00000000010F0000-0x000000000113B000-memory.dmp

Filesize
300KB

Download
memory/976-145-0x00000000010F0000-0x000000000113B000-memory.dmp

Filesize
300KB

Download
memory/976-146-0x0000000003010000-0x000000000301B000-memory.dmp

Filesize
44KB

Download
memory/976-147-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2804-143-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2804-139-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4664-152-0x0000000000FA0000-0x000000000101B000-memory.dmp

Filesize
492KB

Download
memory/4664-153-0x0000000000C20000-0x0000000000CDB000-memory.dmp

Filesize
748KB

Download
memory/4664-154-0x0000000000C20000-0x0000000000CDB000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads