b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f

General

Target

b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f.exe
Size

626KB
MD5

c2b63c4fc8e3e0e71fa36584b4765792
SHA1

246ad04759f060f7ccb2d10cb7f83c158f77994d
SHA256

b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f
SHA512

b0a58907f1cb906868cf450122f737f2efaf9f53fd3c26bc9dafbf098dd43158e7a33ff6bf6f2a0646257c1fd6b4b90c2a200494b63cb35f9073e9279d26aad8
SSDEEP

12288:s1dlZo5yqWHB5s/OBJQdCyiHRkCAmQ3w5hncFK9wTuLnFcvKvV:s1dlZo5dYEScziHRR0w5hcrGKCvV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Tempserver.exe16599.exe16599.exe

pid process

3060 Tempserver.exe
4244 16599.exe
4864 16599.exe

pid	process
3060	Tempserver.exe
4244	16599.exe
4864	16599.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Tempserver.exeb113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Tempserver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f.exe

Loads dropped DLL 2 IoCs

Processes:

16599.exe16599.exe

pid process

4244 16599.exe
4864 16599.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4244	16599.exe
4864	16599.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f.exeTempserver.exe

description	pid	process	target process
PID 4384 wrote to memory of 3060	4384	b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f.exe	Tempserver.exe
PID 4384 wrote to memory of 3060	4384	b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f.exe	Tempserver.exe
PID 4384 wrote to memory of 3060	4384	b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f.exe	Tempserver.exe
PID 3060 wrote to memory of 4244	3060	Tempserver.exe	16599.exe
PID 3060 wrote to memory of 4244	3060	Tempserver.exe	16599.exe
PID 3060 wrote to memory of 4244	3060	Tempserver.exe	16599.exe
PID 3060 wrote to memory of 4864	3060	Tempserver.exe	16599.exe
PID 3060 wrote to memory of 4864	3060	Tempserver.exe	16599.exe
PID 3060 wrote to memory of 4864	3060	Tempserver.exe	16599.exe

C:\Users\Admin\AppData\Local\Temp\b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f.exe
"C:\Users\Admin\AppData\Local\Temp\b113caec0a2ecb2cd1d43a6a39a4f14267f8de1b3121b4d8ae8d6c4610b4d59f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4384

C:\Users\Admin\AppData\Local\Tempserver.exe
"C:\Users\Admin\AppData\Local\Tempserver.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Local\Temp\16599.exe
"C:\Users\Admin\AppData\Local\Temp\16599.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4244

C:\Users\Admin\AppData\Local\Temp\16599.exe
"C:\Users\Admin\AppData\Local\Temp\16599.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16599.exe
Filesize
90KB

MD5
7b3d8e69a3e9c481819b1420d2698051

SHA1
84e6836e735d02f0ebf77965ed05f6d45f9838a3

SHA256
f462ac6e78a0a3d77a0f8c77778d0dd77e51514850d7c78b4e651355ee9fc865

SHA512
a6f0e93236e791caafeca03be2dc422ee5ffae57bb7a61f6cb5e166a86e2eae52a02255aff7a1b5b3d9c4fe70166ea47b52d68c8225f670d15474b64d1ab5e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\16599.exe
Filesize
90KB

MD5
7b3d8e69a3e9c481819b1420d2698051

SHA1
84e6836e735d02f0ebf77965ed05f6d45f9838a3

SHA256
f462ac6e78a0a3d77a0f8c77778d0dd77e51514850d7c78b4e651355ee9fc865

SHA512
a6f0e93236e791caafeca03be2dc422ee5ffae57bb7a61f6cb5e166a86e2eae52a02255aff7a1b5b3d9c4fe70166ea47b52d68c8225f670d15474b64d1ab5e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\16599.exe
Filesize
90KB

MD5
7b3d8e69a3e9c481819b1420d2698051

SHA1
84e6836e735d02f0ebf77965ed05f6d45f9838a3

SHA256
f462ac6e78a0a3d77a0f8c77778d0dd77e51514850d7c78b4e651355ee9fc865

SHA512
a6f0e93236e791caafeca03be2dc422ee5ffae57bb7a61f6cb5e166a86e2eae52a02255aff7a1b5b3d9c4fe70166ea47b52d68c8225f670d15474b64d1ab5e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVMRuntm.dll
Filesize
648KB

MD5
df7899da64e219626e9b2ff28be28784

SHA1
95b1b9a6d5db717bfa4420d22005616295aa49bf

SHA256
3b3fe76659d9b267048da04ac454bc54dfe7bc1ce24b5ab8e06046981ecf102d

SHA512
1447aacb81429a392476cb4914779ccc3accd6af04b11972362e786c2032228a7097f538e206e99afb43cb6a2632c4e11f676bc39cdb9fec8bc1dd127a84ebd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVMRuntm.dll
Filesize
648KB

MD5
df7899da64e219626e9b2ff28be28784

SHA1
95b1b9a6d5db717bfa4420d22005616295aa49bf

SHA256
3b3fe76659d9b267048da04ac454bc54dfe7bc1ce24b5ab8e06046981ecf102d

SHA512
1447aacb81429a392476cb4914779ccc3accd6af04b11972362e786c2032228a7097f538e206e99afb43cb6a2632c4e11f676bc39cdb9fec8bc1dd127a84ebd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVMRuntm.dll
Filesize
648KB

MD5
df7899da64e219626e9b2ff28be28784

SHA1
95b1b9a6d5db717bfa4420d22005616295aa49bf

SHA256
3b3fe76659d9b267048da04ac454bc54dfe7bc1ce24b5ab8e06046981ecf102d

SHA512
1447aacb81429a392476cb4914779ccc3accd6af04b11972362e786c2032228a7097f538e206e99afb43cb6a2632c4e11f676bc39cdb9fec8bc1dd127a84ebd6

Download Submit
C:\Users\Admin\AppData\Local\Tempserver.exe
Filesize
599KB

MD5
8004a7d57f1f8ffdc167a0129286a7de

SHA1
0e6966d75b0abcff24a32072defcfb261654ff17

SHA256
ea0f041f0df2a22513318c95deeb48c87e648ac351ddd834d91550e09e55afa1

SHA512
91f9528f78af7fda8b37cd6fd305bfd2f7b6a85bc1ea7c6da5a2af26f800d0da96521f41301c040ddfad7ef0fc6097236d7f6bef860d320a40c7ba69aac8fcfd

Download Submit
C:\Users\Admin\AppData\Local\Tempserver.exe
Filesize
599KB

MD5
8004a7d57f1f8ffdc167a0129286a7de

SHA1
0e6966d75b0abcff24a32072defcfb261654ff17

SHA256
ea0f041f0df2a22513318c95deeb48c87e648ac351ddd834d91550e09e55afa1

SHA512
91f9528f78af7fda8b37cd6fd305bfd2f7b6a85bc1ea7c6da5a2af26f800d0da96521f41301c040ddfad7ef0fc6097236d7f6bef860d320a40c7ba69aac8fcfd

Download Submit
memory/3060-133-0x0000000000000000-mapping.dmp

Download
memory/4244-140-0x0000000073B00000-0x00000000740B1000-memory.dmp

Filesize
5.7MB

Download
memory/4244-143-0x0000000072F00000-0x0000000072F5B000-memory.dmp

Filesize
364KB

Download
memory/4244-144-0x0000000073B00000-0x00000000740B1000-memory.dmp

Filesize
5.7MB

Download
memory/4244-139-0x0000000073B00000-0x00000000740B1000-memory.dmp

Filesize
5.7MB

Download
memory/4244-136-0x0000000000000000-mapping.dmp

Download
memory/4384-132-0x00007FFEC7460000-0x00007FFEC7E96000-memory.dmp

Filesize
10.2MB

Download
memory/4864-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing