c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9

General

Target

c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe
Size

1.2MB
MD5

5369e6f7725ef035d5e5ec8e1af45d12
SHA1

3736137464105dda712d3cdbb8fbdb405c5e95b8
SHA256

c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9
SHA512

72469168b2b143e749a1bba1daf6070a4e6d7cce2fa9fff12f0a83354cf7ff2b2a718e62641fd51d30e52be862e04c29079777cf57682277af5438ee99202e02
SSDEEP

24576:F4lavt0LkLL9IMixoEgea43/C/rthNheYtEdk9lq9MmCS:ckwkn9IMHea434hnHraPCS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4072	passlist.exe
4172	Facebook Hacker.exe
1316	Sysmys.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	passlist.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\passlist.exe	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\passlist.exe	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 4072	2788	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe	82
PID 2788 wrote to memory of 4072	2788	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe	82
PID 2788 wrote to memory of 4072	2788	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe	82
PID 2788 wrote to memory of 4172	2788	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe	83
PID 2788 wrote to memory of 4172	2788	c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe	83
PID 4072 wrote to memory of 1316	4072	passlist.exe	86
PID 4072 wrote to memory of 1316	4072	passlist.exe	86
PID 4072 wrote to memory of 1316	4072	passlist.exe	86

C:\Users\Admin\AppData\Local\Temp\c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe
"C:\Users\Admin\AppData\Local\Temp\c655f2335a2c36597a4f318043c09fb775c47babcfdd27b20e40eba5f54ae8e9.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\passlist.exe
  C:\Users\Admin\AppData\Local\Temp/passlist.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Users\Admin\AppData\Local\Temp\Sysmys.exe
    "C:\Users\Admin\AppData\Local\Temp\Sysmys.exe"
    3⤵
    - Executes dropped EXE
    PID:1316
- C:\Users\Admin\AppData\Local\Temp\Facebook Hacker.exe
  "C:\Users\Admin\AppData\Local\Temp/Facebook Hacker.exe"
  2⤵
  - Executes dropped EXE
  PID:4172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Facebook Hacker.exe

Filesize
484KB

MD5
ede83e94140d4d9f5cbaeac0b8c52517

SHA1
c3e6dc3d4facbfe0f7900b94e93f0e1198fb0719

SHA256
1b535d183ad128d8edc41cf8f6404237ee88904ff3a829bc4543791d5a09a452

SHA512
ed68d102c53c557d3f897d6f08ae428983a53daa8e5523b2d1138bc341892d7187c30a1428bb51c467145f71bafa2f983c628e4dd5995a6ece6d87e81dda9c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Facebook Hacker.exe

Filesize
484KB

MD5
ede83e94140d4d9f5cbaeac0b8c52517

SHA1
c3e6dc3d4facbfe0f7900b94e93f0e1198fb0719

SHA256
1b535d183ad128d8edc41cf8f6404237ee88904ff3a829bc4543791d5a09a452

SHA512
ed68d102c53c557d3f897d6f08ae428983a53daa8e5523b2d1138bc341892d7187c30a1428bb51c467145f71bafa2f983c628e4dd5995a6ece6d87e81dda9c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysmys.exe

Filesize
74KB

MD5
968c5f6c828aa55e412fad62b60e43c6

SHA1
27b6c2d808817dddc228fe223d69c61a679d549e

SHA256
e77cf362649f1e22803e8fb551bac139e2b7c399fae07c4f704a8e0bd6416990

SHA512
20b1032bfc5b467d834da07df41b2a8b24efabda3d8430f9cbd341e1a947e2d1ed4ffc0eaea49da0b7db7b2e7900cf2d93aaacc5b978f71b22d644d861de0151

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysmys.exe

Filesize
74KB

MD5
968c5f6c828aa55e412fad62b60e43c6

SHA1
27b6c2d808817dddc228fe223d69c61a679d549e

SHA256
e77cf362649f1e22803e8fb551bac139e2b7c399fae07c4f704a8e0bd6416990

SHA512
20b1032bfc5b467d834da07df41b2a8b24efabda3d8430f9cbd341e1a947e2d1ed4ffc0eaea49da0b7db7b2e7900cf2d93aaacc5b978f71b22d644d861de0151

Download Submit
C:\Users\Admin\AppData\Local\Temp\passlist.exe

Filesize
74KB

MD5
968c5f6c828aa55e412fad62b60e43c6

SHA1
27b6c2d808817dddc228fe223d69c61a679d549e

SHA256
e77cf362649f1e22803e8fb551bac139e2b7c399fae07c4f704a8e0bd6416990

SHA512
20b1032bfc5b467d834da07df41b2a8b24efabda3d8430f9cbd341e1a947e2d1ed4ffc0eaea49da0b7db7b2e7900cf2d93aaacc5b978f71b22d644d861de0151

Download Submit
C:\Users\Admin\AppData\Local\Temp\passlist.exe

Filesize
74KB

MD5
968c5f6c828aa55e412fad62b60e43c6

SHA1
27b6c2d808817dddc228fe223d69c61a679d549e

SHA256
e77cf362649f1e22803e8fb551bac139e2b7c399fae07c4f704a8e0bd6416990

SHA512
20b1032bfc5b467d834da07df41b2a8b24efabda3d8430f9cbd341e1a947e2d1ed4ffc0eaea49da0b7db7b2e7900cf2d93aaacc5b978f71b22d644d861de0151

Download Submit
memory/1316-145-0x0000000073FC0000-0x0000000074571000-memory.dmp

Filesize
5.7MB

Download
memory/4072-139-0x0000000073FC0000-0x0000000074571000-memory.dmp

Filesize
5.7MB

Download
memory/4072-140-0x0000000073FC0000-0x0000000074571000-memory.dmp

Filesize
5.7MB

Download
memory/4072-144-0x0000000073FC0000-0x0000000074571000-memory.dmp

Filesize
5.7MB

Download
memory/4172-138-0x000000001BD70000-0x000000001C7A6000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing