b0c67c7c52969c70998d3f0aba6eb2a53460614a6d32106b17edc9769a8cafb6

General

Target

b0c67c7c52969c70998d3f0aba6eb2a53460614a6d32106b17edc9769a8cafb6.exe
Size

325KB
MD5

2b39c25ce509adf5fc5571d76782a8e5
SHA1

abbf729b3a45a4ce0abe9e00b9de76c958a3d8d5
SHA256

b0c67c7c52969c70998d3f0aba6eb2a53460614a6d32106b17edc9769a8cafb6
SHA512

eb95526e51c4cfac2037f72c972d2ca10169e169c6c144624b80edbf9d8cd5e05adbeaf52d919029e50643a0c4aaa70e3b933ace1f8645e755ee6ff131c1d775
SSDEEP

6144:nsaY8p9zmw51GCvUzbCq5qoTAiVLomC9W9rV2cwQROOvWxfP3mh71RlMHjGMFXh:nsaY8rmw5H8r5qoxJomC9w4cwYjWNehk

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

KillMonitor²¡¶¾×¨É±¹¤¾ß.exeKillMonitor.exe

pid process

1152 KillMonitor²¡¶¾×¨É±¹¤¾ß.exe
3184 KillMonitor.exe

pid	process
1152	KillMonitor²¡¶¾×¨É±¹¤¾ß.exe
3184	KillMonitor.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1140-132-0x0000000000400000-0x000000000041C000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Temp\KillMonitor.exe	upx
C:\Users\Admin\AppData\Local\Temp\Temp\KillMonitor.exe	upx
behavioral2/memory/3184-139-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1140-140-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b0c67c7c52969c70998d3f0aba6eb2a53460614a6d32106b17edc9769a8cafb6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	b0c67c7c52969c70998d3f0aba6eb2a53460614a6d32106b17edc9769a8cafb6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

KillMonitor.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KillMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Monitor = "C:\\WINDOWS\\SYSTEM\\Monitor.exe"	KillMonitor.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

KillMonitor.exe

description	ioc	process
File opened for modification	\??\G:\AutoRun.inf	KillMonitor.exe
File opened for modification	C:\AutoRun.inf	KillMonitor.exe
File opened for modification	D:\AutoRun.inf	KillMonitor.exe
File opened for modification	\??\E:\AutoRun.inf	KillMonitor.exe
File opened for modification	\??\F:\AutoRun.inf	KillMonitor.exe

Drops file in Windows directory 2 IoCs

Processes:

KillMonitor.exe

description	ioc	process
File created	C:\Windows\System\Monitor.exe	KillMonitor.exe
File opened for modification	C:\Windows\System\Monitor.exe	KillMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

KillMonitor²¡¶¾×¨É±¹¤¾ß.exeKillMonitor.exe

pid process

1152 KillMonitor²¡¶¾×¨É±¹¤¾ß.exe
1152 KillMonitor²¡¶¾×¨É±¹¤¾ß.exe
3184 KillMonitor.exe

pid	process
1152	KillMonitor²¡¶¾×¨É±¹¤¾ß.exe
1152	KillMonitor²¡¶¾×¨É±¹¤¾ß.exe
3184	KillMonitor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b0c67c7c52969c70998d3f0aba6eb2a53460614a6d32106b17edc9769a8cafb6.exe

description	pid	process	target process
PID 1140 wrote to memory of 1152	1140	b0c67c7c52969c70998d3f0aba6eb2a53460614a6d32106b17edc9769a8cafb6.exe	KillMonitor²¡¶¾×¨É±¹¤¾ß.exe
PID 1140 wrote to memory of 1152	1140	b0c67c7c52969c70998d3f0aba6eb2a53460614a6d32106b17edc9769a8cafb6.exe	KillMonitor²¡¶¾×¨É±¹¤¾ß.exe
PID 1140 wrote to memory of 1152	1140	b0c67c7c52969c70998d3f0aba6eb2a53460614a6d32106b17edc9769a8cafb6.exe	KillMonitor²¡¶¾×¨É±¹¤¾ß.exe
PID 1140 wrote to memory of 3184	1140	b0c67c7c52969c70998d3f0aba6eb2a53460614a6d32106b17edc9769a8cafb6.exe	KillMonitor.exe
PID 1140 wrote to memory of 3184	1140	b0c67c7c52969c70998d3f0aba6eb2a53460614a6d32106b17edc9769a8cafb6.exe	KillMonitor.exe
PID 1140 wrote to memory of 3184	1140	b0c67c7c52969c70998d3f0aba6eb2a53460614a6d32106b17edc9769a8cafb6.exe	KillMonitor.exe

C:\Users\Admin\AppData\Local\Temp\b0c67c7c52969c70998d3f0aba6eb2a53460614a6d32106b17edc9769a8cafb6.exe
"C:\Users\Admin\AppData\Local\Temp\b0c67c7c52969c70998d3f0aba6eb2a53460614a6d32106b17edc9769a8cafb6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Local\Temp\Temp\KillMonitor²¡¶¾×¨É±¹¤¾ß.exe
"C:\Users\Admin\AppData\Local\Temp\Temp\KillMonitor²¡¶¾×¨É±¹¤¾ß.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Users\Admin\AppData\Local\Temp\Temp\KillMonitor.exe
"C:\Users\Admin\AppData\Local\Temp\Temp\KillMonitor.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\KillMonitor.exe
Filesize
12KB

MD5
71e9f84f024c2b67b375588503b3d505

SHA1
a435f5dd01adf88137bad43b18d0f3486411c683

SHA256
3ec8a192a8e52b80ecff57b022330a0d5b11e727c0dccb1aa96649205e1893fa

SHA512
a9378f7791558132ba8eec2ec929b387ff2cd748117ee2f030948c418602c743bea017348a366e663240281050b226d6807c65f3ca5cb5a740e4dfa7fa6f1189

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\KillMonitor.exe
Filesize
12KB

MD5
71e9f84f024c2b67b375588503b3d505

SHA1
a435f5dd01adf88137bad43b18d0f3486411c683

SHA256
3ec8a192a8e52b80ecff57b022330a0d5b11e727c0dccb1aa96649205e1893fa

SHA512
a9378f7791558132ba8eec2ec929b387ff2cd748117ee2f030948c418602c743bea017348a366e663240281050b226d6807c65f3ca5cb5a740e4dfa7fa6f1189

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\KillMonitor²¡¶¾×¨É±¹¤¾ß.exe
Filesize
560KB

MD5
a0538dbc96654e74fa65f3fa084b8d40

SHA1
06b7a162ba68898e8c1c32530fa4d91395a3abed

SHA256
2cef7f6e2faca50583f6cd7b5a236078ca5fdcf52e230f89d3272b4de8420ac1

SHA512
e297cad9d17b4735bc76a39977460b33a7a41eeee6b1224a0face41e1476c96d0bbdb5537b3cdd982c4c1341df8082ca2742eeeb7df10ce84a4802e6a21046e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\KillMonitor²¡¶¾×¨É±¹¤¾ß.exe
Filesize
560KB

MD5
a0538dbc96654e74fa65f3fa084b8d40

SHA1
06b7a162ba68898e8c1c32530fa4d91395a3abed

SHA256
2cef7f6e2faca50583f6cd7b5a236078ca5fdcf52e230f89d3272b4de8420ac1

SHA512
e297cad9d17b4735bc76a39977460b33a7a41eeee6b1224a0face41e1476c96d0bbdb5537b3cdd982c4c1341df8082ca2742eeeb7df10ce84a4802e6a21046e0

Download Submit
memory/1140-132-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1140-140-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1152-133-0x0000000000000000-mapping.dmp

Download
memory/3184-136-0x0000000000000000-mapping.dmp

Download
memory/3184-139-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads