e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29

General

Target

e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe
Size

1.5MB
MD5

2f6ccb5b5f083968f8204170446fe9dd
SHA1

73c6503bc55d3f25f58ec52a5bf4cec0c36fa92d
SHA256

e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29
SHA512

b9ecee88b2bf9c81f02f1e0d5ae54ccfd8bf9eba954b6d26777e58fc6b68756056d2a57d5e984eff8dafcd4a1fb0d3237e39f20668be7d266a715bab8cc76177
SSDEEP

12288:BiLU0kdBD418gmvwTdhnwHUW+pk4DBbdq+UfbKnVr3eM1QKa+ppVIL/NgP2LMzx2:BiyoOoDn5ndG+rzCFDfa35qywLV

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 1 IoCs

pid	Process
1992	2164f74c.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2204	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmxgl32 = "rundll32.exe pmxgl32.dll,efar"	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ef32a57a.dll	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe
File opened for modification	C:\Windows\SysWOW64\ef32a57a.dll	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe
File created	C:\Windows\SysWOW64\e1eb4e61.dll	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe
File opened for modification	C:\Windows\SysWOW64\e1eb4e61.dll	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe
File created	C:\Windows\SysWOW64\31dbedf5.dll	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe
File opened for modification	C:\Windows\SysWOW64\31dbedf5.dll	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe
File created	C:\Windows\SysWOW64\pmxgl32.dll	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe
File opened for modification	C:\Windows\SysWOW64\pmxgl32.dll	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1008	sc.exe
4316	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 2204	5032	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe	79
PID 5032 wrote to memory of 2204	5032	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe	79
PID 5032 wrote to memory of 2204	5032	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe	79
PID 5032 wrote to memory of 1008	5032	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe	81
PID 5032 wrote to memory of 1008	5032	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe	81
PID 5032 wrote to memory of 1008	5032	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe	81
PID 5032 wrote to memory of 4316	5032	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe	83
PID 5032 wrote to memory of 4316	5032	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe	83
PID 5032 wrote to memory of 4316	5032	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe	83
PID 5032 wrote to memory of 1992	5032	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe	85
PID 5032 wrote to memory of 1992	5032	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe	85
PID 5032 wrote to memory of 1992	5032	e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe	85

C:\Users\Admin\AppData\Local\Temp\e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe
"C:\Users\Admin\AppData\Local\Temp\e5abbfa66996958380a9ebe7b92f2e7879ad26787dbebb396dbe9651fcec8c29.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe firewall add portopening TCP 1561 messenger
  2⤵
  - Modifies Windows Firewall
  PID:2204
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create pmxgl32 type= share start= auto DisplayName= "Visioneer Device Micro Driver DLL" group= "Event Log" binPath= "rundll32.exe C:\Windows\system32\pmxgl32.dll,efar"
  2⤵
  - Launches sc.exe
  PID:1008
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description pmxgl32 "Visioneer Device Micro Driver DLL"
  2⤵
  - Launches sc.exe
  PID:4316
- C:\Users\Admin\AppData\Local\Temp\2164f74c.exe
  "C:\Users\Admin\AppData\Local\Temp\2164f74c.exe"
  2⤵
  - Executes dropped EXE
  PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2164f74c.exe

Filesize
1.3MB

MD5
718a093896de7c5d42a0ce2b3262d722

SHA1
206fa7b48bf0c4daf8486e5debf4a6d33fc10d11

SHA256
76e68ddd1931808842042ba6dc4cc0bcba635c95b8fdab1e9283dbecee9ce5a1

SHA512
659bdf27177b90b2fd62d7be08973957d5076df42467e9d90d5750b9a8b2ab8f0e81f59240e10423a15e8824404d7b20b9cc743c40bfa3352ea1c04163a3da90

Download Submit
C:\Users\Admin\AppData\Local\Temp\2164f74c.exe

Filesize
1.3MB

MD5
718a093896de7c5d42a0ce2b3262d722

SHA1
206fa7b48bf0c4daf8486e5debf4a6d33fc10d11

SHA256
76e68ddd1931808842042ba6dc4cc0bcba635c95b8fdab1e9283dbecee9ce5a1

SHA512
659bdf27177b90b2fd62d7be08973957d5076df42467e9d90d5750b9a8b2ab8f0e81f59240e10423a15e8824404d7b20b9cc743c40bfa3352ea1c04163a3da90

Download Submit
memory/1992-140-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/5032-132-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5032-138-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing