2de677c2ed2fe1e2ae3410582198f74119f24a512fac7768156cb9dfdbeb3cab

General

Target

2de677c2ed2fe1e2ae3410582198f74119f24a512fac7768156cb9dfdbeb3cab.exe
Size

571KB
MD5

ddc2bdd1851d6d064f63d17ee5b19e2c
SHA1

c18f6b3b04bd8f4e721f6bc81ccf6d6a697cad14
SHA256

2de677c2ed2fe1e2ae3410582198f74119f24a512fac7768156cb9dfdbeb3cab
SHA512

08fb95e78b12441035a8aef283d220e41da8f78e7fde9c375ab32a18821915decfccb20a53757cc4840de083fdc70540a22bc1e2894090958cee6a0119dc2fd6
SSDEEP

12288:8JYWSbl0beVWj/6//wL0d/lTNR1RDPm+iMrYYdJ16DPR+xUUbEr:8iObYW2//i0bNR1Q+iEXcZqUr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1720	makejob.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	2de677c2ed2fe1e2ae3410582198f74119f24a512fac7768156cb9dfdbeb3cab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ucheck = "\"C:\\Users\\Admin\\AppData\\Roaming\\temp\\makejob.exe\" -tn \"Update checker\" -ds \"Adobe Update Validation Checker\" -tr \"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Updates\\Services.exe\" -sc \"MINUTE\" -mo \"30\" "	makejob.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 3624	3524	2de677c2ed2fe1e2ae3410582198f74119f24a512fac7768156cb9dfdbeb3cab.exe	84
PID 3524 wrote to memory of 3624	3524	2de677c2ed2fe1e2ae3410582198f74119f24a512fac7768156cb9dfdbeb3cab.exe	84
PID 3524 wrote to memory of 3624	3524	2de677c2ed2fe1e2ae3410582198f74119f24a512fac7768156cb9dfdbeb3cab.exe	84
PID 3624 wrote to memory of 1720	3624	cmd.exe	86
PID 3624 wrote to memory of 1720	3624	cmd.exe	86
PID 3624 wrote to memory of 1720	3624	cmd.exe	86
PID 3524 wrote to memory of 2508	3524	2de677c2ed2fe1e2ae3410582198f74119f24a512fac7768156cb9dfdbeb3cab.exe	88
PID 3524 wrote to memory of 2508	3524	2de677c2ed2fe1e2ae3410582198f74119f24a512fac7768156cb9dfdbeb3cab.exe	88
PID 3524 wrote to memory of 2508	3524	2de677c2ed2fe1e2ae3410582198f74119f24a512fac7768156cb9dfdbeb3cab.exe	88

C:\Users\Admin\AppData\Local\Temp\2de677c2ed2fe1e2ae3410582198f74119f24a512fac7768156cb9dfdbeb3cab.exe
"C:\Users\Admin\AppData\Local\Temp\2de677c2ed2fe1e2ae3410582198f74119f24a512fac7768156cb9dfdbeb3cab.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\temp\checkrun.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Users\Admin\AppData\Roaming\temp\makejob.exe
    makejob.exe -is ucheck -tn "Update checker" -ds "Adobe Update Validation Checker" -tr "C:\Users\Admin\AppData\Roaming\Adobe\Updates\Services.exe" -sc MINUTE -mo 30
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\temp\end.bat" "C:\Users\Admin\AppData\Local\Temp\2de677c2ed2fe1e2ae3410582198f74119f24a512fac7768156cb9dfdbeb3cab.exe""
  2⤵
  PID:2508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\temp\adobe.exe

Filesize
396KB

MD5
c6ecf4889c11cdd0fbc1fba386bff47f

SHA1
6b5ca84806966db8a8fc4ab4f84974f140a516a7

SHA256
29ffe21a9ed2cffa3dc9a724346b1f113ce78fc3150bf2c0d047a7b89e57edcd

SHA512
1072aada0eb0b1b1f19e68797da379eea2f73a138931a9fb3597124e7f20dd381d98c7c4cce4bf9e60ee39df2d8fedce937c05357fb044b504171d29fa03a494

Download Submit
C:\Users\Admin\AppData\Roaming\temp\checkrun.bat

Filesize
354B

MD5
30297c668c73d482c5606a12fc1c85f1

SHA1
fe1e30c3389e75d211172b55bd25f528419e869d

SHA256
d7d7694657aa04fe463bebe843cdedcf26fd22f05add4bd65331deabfda25b88

SHA512
6a50b00c0bdc95d600dd4bc63f58bf020efebaf0f36290eb88de65eef54217054de0bee863905b58a88460ab019d851b116dcf4884390fac9250092ee4717431

Download Submit
C:\Users\Admin\AppData\Roaming\temp\end.bat

Filesize
68B

MD5
c55a47701a471702af217c16224964e0

SHA1
329fa22bb3f2d84f02b5f66b385e6ee678c959f8

SHA256
a9adfc8c078eece80223839ef3192ceb374ffc512d55cb39213909d81e5d988e

SHA512
39f38d2d2a3ced3d69c5e4d2545fb33da1ad56dc94c03b221d6ee6e4aee7614cedb2092fdf60a91137b534aa859976709f8c02b8c872339a7a2cfbea6d672b28

Download Submit
C:\Users\Admin\AppData\Roaming\temp\makejob.exe

Filesize
511KB

MD5
482b902b7b2e4c67162e79d1be20f914

SHA1
101f7f8c245abc32b9d333d5c01e065b2b1babbc

SHA256
c6e4e8b47ae3325ce37364116eaea18519b3d979b36a0dd4de38f6f62a9f6302

SHA512
fbe2daa8844a236da643d0038b36cc726d74881778cfcad4ffebffc9439c2d28ce3989d8f6dc87530c665bfd9661c57a986a6569236ae86dc5b770c7598e1a46

Download Submit
C:\Users\Admin\AppData\Roaming\temp\makejob.exe

Filesize
511KB

MD5
482b902b7b2e4c67162e79d1be20f914

SHA1
101f7f8c245abc32b9d333d5c01e065b2b1babbc

SHA256
c6e4e8b47ae3325ce37364116eaea18519b3d979b36a0dd4de38f6f62a9f6302

SHA512
fbe2daa8844a236da643d0038b36cc726d74881778cfcad4ffebffc9439c2d28ce3989d8f6dc87530c665bfd9661c57a986a6569236ae86dc5b770c7598e1a46

Download Submit

Analysis

Sharing