0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634

General

Target

0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
Size

343KB
MD5

d13f8cb8e80592f9104c550c342321c8
SHA1

b4201bbb276ec99b60f6e025029132160651e089
SHA256

0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634
SHA512

366682dec6cf3da52bcb5435b7308ff3781679806994171470e2157d7edb93655818235373547ffa65f04a59499b633a7925f8e5b7c59e9fb0321c68c67cd548
SSDEEP

6144:EEDZkqQUrXAs4NCbomYfmwcyDFKbm8now9cdemJ56c0X4i:EEtk5UrXAsKmw7Kbm8WrJnAp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3796	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
Token: 33	2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
Token: SeIncBasePriorityPrivilege	2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2404	2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	87
PID 2976 wrote to memory of 2404	2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	87
PID 2976 wrote to memory of 2404	2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	87
PID 2976 wrote to memory of 3056	2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	90
PID 2976 wrote to memory of 3056	2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	90
PID 2976 wrote to memory of 3056	2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	90
PID 2404 wrote to memory of 2396	2404	cmd.exe	91
PID 2404 wrote to memory of 2396	2404	cmd.exe	91
PID 2404 wrote to memory of 2396	2404	cmd.exe	91
PID 2396 wrote to memory of 3176	2396	wscript.exe	93
PID 2396 wrote to memory of 3176	2396	wscript.exe	93
PID 2396 wrote to memory of 3176	2396	wscript.exe	93
PID 2976 wrote to memory of 4760	2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	97
PID 2976 wrote to memory of 4760	2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	97
PID 2976 wrote to memory of 4760	2976	0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe	97
PID 4760 wrote to memory of 3796	4760	cmd.exe	99
PID 4760 wrote to memory of 3796	4760	cmd.exe	99
PID 4760 wrote to memory of 3796	4760	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe
"C:\Users\Admin\AppData\Local\Temp\0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
      4⤵
      PID:3176
- C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe
  2⤵
  PID:3056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\FolderName\svhost.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6540
    3⤵
    - Delays execution with timeout.exe
    PID:3796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FolderName\file.exe

Filesize
343KB

MD5
d13f8cb8e80592f9104c550c342321c8

SHA1
b4201bbb276ec99b60f6e025029132160651e089

SHA256
0dcaf38551371f7b698ab4606b34e41f9a5b82f245838e7f9e53423fc85ab634

SHA512
366682dec6cf3da52bcb5435b7308ff3781679806994171470e2157d7edb93655818235373547ffa65f04a59499b633a7925f8e5b7c59e9fb0321c68c67cd548

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
76B

MD5
5e57f6f4e3242ad9719ed5e65346e83e

SHA1
72346d0208c5edeb69f41ddb4374d56d87221dad

SHA256
4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c

SHA512
7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat

Filesize
270B

MD5
aed4ec7f14d1d34ef757e47fae5d0e0a

SHA1
8c3c9051cc5b8e85e6344f0177dc14ab9954605e

SHA256
ca7685a434f689c23d1d6bcc6eb6ae89d05a3b47e29d6a87ddbaf5d7714967b7

SHA512
f6b34a5266fa6e1e4500909830d4219fa18a17a1ecea142919e0ca109fb64e14a76c7b11eaf90b799ec22695209c176da4d589111f16ec374ba654c924547859

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\svhost.bat

Filesize
207B

MD5
dcbd65f06382095d68dc4891594ee26a

SHA1
af96a24f299862f96699525d524049ac383fb020

SHA256
a6d44f5466500ceb352789249d1d48748b8dc1897c102270e22ca54cfe9d1a99

SHA512
38bf7ffe032c7152c54796e26c2a02ccbbae935d20d8c1b712213f736f09fd18d2079d187bdae60cb1c4c9d049a2eec70a16150414e75758835c918e76066b28

Download Submit
memory/2976-133-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2976-132-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing