2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627

General

Target

2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe
Size

902KB
MD5

7201682614e96eeed10b75af102ca4aa
SHA1

52781036d635f0a0e977f1737242725cf0964fa1
SHA256

2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627
SHA512

d6657af20254844e9d8a0dea129cf45a1f7813bd637900eccfdb0ad20ce92dc5d673586563620658c858c85c2b96df8023c0a2b5212e6c1a3a3c814096a6093f
SSDEEP

24576:ahwqArbintq30p9TQxpTWYINxtAX3l+ah9:pdnintyOkvUx+l+ah

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

C++.exesvchost.exe

pid process

1128 C++.exe
4544 svchost.exe

pid	process
1128	C++.exe
4544	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe

description	pid	process	target process
PID 2340 set thread context of 4544	2340	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2776 4544 WerFault.exe svchost.exe
3392 1128 WerFault.exe C++.exe

pid	pid_target	process	target process
2776	4544	WerFault.exe	svchost.exe
3392	1128	WerFault.exe	C++.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe

description	pid	process	target process
PID 2340 wrote to memory of 1128	2340	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	C++.exe
PID 2340 wrote to memory of 1128	2340	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	C++.exe
PID 2340 wrote to memory of 1128	2340	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	C++.exe
PID 2340 wrote to memory of 4544	2340	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe
PID 2340 wrote to memory of 4544	2340	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe
PID 2340 wrote to memory of 4544	2340	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe
PID 2340 wrote to memory of 4544	2340	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe
PID 2340 wrote to memory of 4544	2340	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe
PID 2340 wrote to memory of 4544	2340	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe
PID 2340 wrote to memory of 4544	2340	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe
PID 2340 wrote to memory of 4544	2340	2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe
"C:\Users\Admin\AppData\Local\Temp\2feebaaea78e2ac006cd21f83b49693c134ef85ec60c95ec9430fc54992ae627.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\C++.exe
"C:\Users\Admin\AppData\Local\Temp\C++.exe"
2⤵
- Executes dropped EXE
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 272
3⤵
- Program crash
PID:3392

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
2⤵
- Executes dropped EXE
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 12
3⤵
- Program crash
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4544 -ip 4544
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1128 -ip 1128
1⤵
PID:4504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C++.exe
Filesize
357KB

MD5
39894012ee699ef11d3e72d9b3ef7eed

SHA1
68410a68e795e1fe1213e727ebdd2f528d9a40c0

SHA256
88a6e338a8a774df81819439c3d319baa85db99b31880dc54f4636f56cd3d218

SHA512
6619d0e1afdb60aa4348b9f650ad9d2b33ba1218faeabceef75b2da25221bf300a47744e8d952c961987071c4050f90c18f9da27f1af338509a9e834eeb6779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C++.exe
Filesize
357KB

MD5
39894012ee699ef11d3e72d9b3ef7eed

SHA1
68410a68e795e1fe1213e727ebdd2f528d9a40c0

SHA256
88a6e338a8a774df81819439c3d319baa85db99b31880dc54f4636f56cd3d218

SHA512
6619d0e1afdb60aa4348b9f650ad9d2b33ba1218faeabceef75b2da25221bf300a47744e8d952c961987071c4050f90c18f9da27f1af338509a9e834eeb6779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/1128-165-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-185-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-137-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-139-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-141-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-143-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-337-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-146-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-149-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-133-0x0000000000000000-mapping.dmp

Download
memory/1128-169-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-152-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-154-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-171-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-157-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-161-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-163-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-201-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-336-0x00000000005DB000-0x00000000005DD000-memory.dmp

Filesize
8KB

Download
memory/1128-197-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-187-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-159-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-173-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-175-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-179-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-177-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-181-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-183-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-136-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-191-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-193-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-189-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-195-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-167-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/1128-199-0x0000000000590000-0x00000000005FC000-memory.dmp

Filesize
432KB

Download
memory/2340-156-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/2340-132-0x0000000074F10000-0x00000000754C1000-memory.dmp

Filesize
5.7MB

Download
memory/4544-148-0x0000000001000000-0x000000000103A000-memory.dmp

Filesize
232KB

Download
memory/4544-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads