362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e

General

Target

362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe
Size

1.6MB
MD5

e7c9164ded4de1d5b33800bf17ab2ff0
SHA1

1a7c1734d6d2fcae7ef8de850fde8f7b0453d54d
SHA256

362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e
SHA512

303aeb98f88388c56cdc1f907d99438fd1f8fe65903f8143d150c00fddd8cbccd30fb452405df2c23b8d93d164c578519fc90a9f9c25d3f2735b4cd20467c945
SSDEEP

12288:FS5O2oHOQsPmB73yWuPYHXDJB/g8buYR1wpoaanFC2oe6weFC9VfDPgnXPh8WiBJ:FS5O2oJB73yG/giR0oVye4ep6XOjmzh

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\file.exe"	362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2944	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
820	362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe
820	362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe
820	362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	820	362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 2188	820	362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe	81
PID 820 wrote to memory of 2188	820	362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe	81
PID 820 wrote to memory of 2188	820	362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe	81
PID 820 wrote to memory of 3416	820	362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe	84
PID 820 wrote to memory of 3416	820	362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe	84
PID 820 wrote to memory of 3416	820	362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe	84
PID 2188 wrote to memory of 3332	2188	cmd.exe	85
PID 2188 wrote to memory of 3332	2188	cmd.exe	85
PID 2188 wrote to memory of 3332	2188	cmd.exe	85
PID 3332 wrote to memory of 1868	3332	wscript.exe	87
PID 3332 wrote to memory of 1868	3332	wscript.exe	87
PID 3332 wrote to memory of 1868	3332	wscript.exe	87
PID 820 wrote to memory of 1328	820	362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe	89
PID 820 wrote to memory of 1328	820	362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe	89
PID 820 wrote to memory of 1328	820	362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe	89
PID 1328 wrote to memory of 2944	1328	cmd.exe	91
PID 1328 wrote to memory of 2944	1328	cmd.exe	91
PID 1328 wrote to memory of 2944	1328	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe
"C:\Users\Admin\AppData\Local\Temp\362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
      4⤵
      PID:1868
- C:\Users\Admin\AppData\Roaming\System interrupts .exe
  "C:\Users\Admin\AppData\Roaming\System interrupts .exe"
  2⤵
  PID:3416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\FolderName\stres.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:2944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FolderName\file.exe

Filesize
1.6MB

MD5
e7c9164ded4de1d5b33800bf17ab2ff0

SHA1
1a7c1734d6d2fcae7ef8de850fde8f7b0453d54d

SHA256
362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e

SHA512
303aeb98f88388c56cdc1f907d99438fd1f8fe65903f8143d150c00fddd8cbccd30fb452405df2c23b8d93d164c578519fc90a9f9c25d3f2735b4cd20467c945

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
75B

MD5
b33985e3fc0ff1814a70626c744d2fd9

SHA1
269ff1b7ff5510822cd5207ca8593e48672d7431

SHA256
b4a06f7d7c2b2887801515c8f0cdc7a4cf8245af5afa38314f72952bd18fb357

SHA512
689de361836ff6053e2f0c88942e0b7ac62a3cbc8e8ef923d49c6e84e4c28e65c11588b6d88b69abad86e06d5eb22586d22cafe1abff1ceb6e0fc0d930a97769

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat

Filesize
77B

MD5
a557a61b017faddffbf634b01b09afa2

SHA1
324addd96cc2878fe77c1de25fa59b90afa81172

SHA256
9d605915f3bfafc681b550536c203f51698b695dcf1b44f991f517cfa2bc85aa

SHA512
0666502bac0b965c4bc0fa6f7e360c9ca44df50a5fb85a0754d8db534a7db85297ae1654207b9fe16b8525603fefa8ddb96a792da30f0846af38266fbb2a9178

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\rundll11-.txt

Filesize
1.6MB

MD5
e7c9164ded4de1d5b33800bf17ab2ff0

SHA1
1a7c1734d6d2fcae7ef8de850fde8f7b0453d54d

SHA256
362284018784f52d4a7a3eaff987ce09198df75d5e515c1aed9663ac5042d12e

SHA512
303aeb98f88388c56cdc1f907d99438fd1f8fe65903f8143d150c00fddd8cbccd30fb452405df2c23b8d93d164c578519fc90a9f9c25d3f2735b4cd20467c945

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\stres.bat

Filesize
228B

MD5
e832589ab098b4e9894b27f3f37d97fb

SHA1
d379434086919ff1a1f369feaffe56c45ab0b6c6

SHA256
718e1e8c2c7c0d0ff617b11fef703affe7818e82d6aad2d84982d1200742a62a

SHA512
1d0b0dc46d361b0f2c221bbd5092cd42d5a504f88c4e982ff93663a84b2f149f7b56fce9cceef26c9fea6d5e9b658f6cee016185a1f6c7a7419bd7f4391940e5

Download Submit
memory/820-132-0x0000000074A00000-0x0000000074FB1000-memory.dmp

Filesize
5.7MB

Download
memory/820-134-0x0000000074A00000-0x0000000074FB1000-memory.dmp

Filesize
5.7MB

Download
memory/820-144-0x0000000074A00000-0x0000000074FB1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing