ee485630c7d062d58cda6b5cf11375bff1ba8137a7bac5965645f0f2c6b8d0bb

General

Target

ee485630c7d062d58cda6b5cf11375bff1ba8137a7bac5965645f0f2c6b8d0bb.exe
Size

1.1MB
MD5

1243a29740ecb429476b44651cc29408
SHA1

11581943aae80fbe3c9f7841372f6864b0cea90f
SHA256

ee485630c7d062d58cda6b5cf11375bff1ba8137a7bac5965645f0f2c6b8d0bb
SHA512

34f94e0bda8c907466f08d186d07c2bb86fe86ffbd1830ef1ff0871ad6d913d19daa734266a25498172133cc4adfbd82c782cfe385b20bc04b035cef3cd8e141
SSDEEP

24576:st24ofv5yEEbW0+pNPKqZilRAu7IXmF+OSgLpz4T3eJGi:WonbEtEVKmu7q8cT3zi

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1648	ucabc.cmd
4600	ucabc.cmd

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ee485630c7d062d58cda6b5cf11375bff1ba8137a7bac5965645f0f2c6b8d0bb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ucabc.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\dktog\\ucabc.cmd C:\\Users\\Admin\\AppData\\Roaming\\dktog\\apewn.rmb"	ucabc.cmd

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4600 set thread context of 2276	4600	ucabc.cmd	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3648	2276	WerFault.exe	81

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 1648	2736	ee485630c7d062d58cda6b5cf11375bff1ba8137a7bac5965645f0f2c6b8d0bb.exe	78
PID 2736 wrote to memory of 1648	2736	ee485630c7d062d58cda6b5cf11375bff1ba8137a7bac5965645f0f2c6b8d0bb.exe	78
PID 2736 wrote to memory of 1648	2736	ee485630c7d062d58cda6b5cf11375bff1ba8137a7bac5965645f0f2c6b8d0bb.exe	78
PID 1648 wrote to memory of 4600	1648	ucabc.cmd	80
PID 1648 wrote to memory of 4600	1648	ucabc.cmd	80
PID 1648 wrote to memory of 4600	1648	ucabc.cmd	80
PID 4600 wrote to memory of 2276	4600	ucabc.cmd	81
PID 4600 wrote to memory of 2276	4600	ucabc.cmd	81
PID 4600 wrote to memory of 2276	4600	ucabc.cmd	81
PID 4600 wrote to memory of 2276	4600	ucabc.cmd	81

C:\Users\Admin\AppData\Local\Temp\ee485630c7d062d58cda6b5cf11375bff1ba8137a7bac5965645f0f2c6b8d0bb.exe
"C:\Users\Admin\AppData\Local\Temp\ee485630c7d062d58cda6b5cf11375bff1ba8137a7bac5965645f0f2c6b8d0bb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Roaming\dktog\ucabc.cmd
  "C:\Users\Admin\AppData\Roaming\dktog\ucabc.cmd" apewn.rmb
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Users\Admin\AppData\Roaming\dktog\ucabc.cmd
    C:\Users\Admin\AppData\Roaming\dktog\ucabc.cmd C:\Users\Admin\AppData\Roaming\dktog\LULKO
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      PID:2276
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 80
        5⤵
        Program crash
        
        PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2276 -ip 2276
1⤵
PID:4792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dktog\LULKO

Filesize
117KB

MD5
26b4a17150fd293003f10de5e27585b8

SHA1
59a4e7426526b0a18158b4163eed8e2d5a2561d6

SHA256
082b41f71cc5a5118e1f70f49e059763d48fc072e7fc28f8efb11076537461f3

SHA512
231ae48c34ae97d14b0205ee7dcf7c04cb37f222647a8e5c449d230a538c92be10d1783bb398b0e28e845de6b5eb4060ade962927f7aa92dca18edeb4cc6723f

Download Submit
C:\Users\Admin\AppData\Roaming\dktog\YMQGIX

Filesize
27KB

MD5
d42742b4154180ecf6f1f62a71d6f15d

SHA1
24dcdb5dd4364e3d252f2fd3c5dbd5fba6a0f539

SHA256
3078f9138b6f2bd60f902e1c97632b839cf6442f589c90ecff11b87d414f2e50

SHA512
5cc112f7d94b4b6087d996057d0c2d201f1354c55db3ecc615989ef61f5b5acffb3dd8287e130a7e6ac56badc88e0e1636ce41b24c6887e98ac78a14693dcdc9

Download Submit
C:\Users\Admin\AppData\Roaming\dktog\apewn.rmb

Filesize
87KB

MD5
a20e7d261e3641103f188d51cf43fe03

SHA1
45c07be82aeb3d3618ac46a6888ebd091b6becfc

SHA256
ff0614327ed94a008255d1f8544472a7196a2d13e57deee926c7c39662ecf855

SHA512
399ab2aa66c55f35c654d217a321bf551a5fb6a6a9404f3348dacdf7dc62b4545807d32be6d0fc223f7911f23e1b8929e5d62e994e394b58804d44b3c946b12e

Download Submit
C:\Users\Admin\AppData\Roaming\dktog\eafkx.swq

Filesize
117KB

MD5
031ba0b27c27a92e747ca922a4762821

SHA1
e29f098643f9f4431f12790fc302a636a806463e

SHA256
403b59b76a47f76f7ebe2b99e311609bfbdd76917fb95479750774853fc30a85

SHA512
e1f0ce3e1929ff6cb771e19a9f5e1c40a908e260435973d5f4ef58463b5df0e77cc9427b8d24082f94acbbaa406c54a7bbf010bf50969db67432a3504b066f17

Download Submit
C:\Users\Admin\AppData\Roaming\dktog\rbxlm

Filesize
271KB

MD5
447de2b6246f434182293a78954480ef

SHA1
8395ab6d0c70a38ae20ea2ee37b235470189d80b

SHA256
8ecdfcaad18e2d2d1a9e614e25df8d76bd5910a90c843acfecd2a97640c51f60

SHA512
df4c9d29201a7dfda38e55307bd203ea419bd34936950a4a0689bf2b9263958ff7d19dd8073199445eff7a268d84b34de74e853f0d999b7816cabbeb285510c4

Download Submit
C:\Users\Admin\AppData\Roaming\dktog\ucabc.cmd

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\dktog\ucabc.cmd

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\dktog\ucabc.cmd

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit

Analysis

Sharing