82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c

General

Target

82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe
Size

1.6MB
MD5

eadb15713eac3cdd68ba2894159c712a
SHA1

5d5e3b7f6fb857962e4e0bae1621f92c6d079a5c
SHA256

82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c
SHA512

c361424c7fc256197857be6cb29527bb977dbb2a78e5ad84421f81becf973d2a70e26e7aa149706357b3c78457c09e7b91d72348bbc505b8fbf76e95e79c405b
SSDEEP

49152:Xz1Yx8+L3BF4oyfKjyecVkpmldm+kzTSC:XhW9K5ijypCpmi+kzTx

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5072	harmacrypter.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	harmacrypter.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DC-START = "C:\\Program Files (x86)\\update3.exe"	reg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\__tmp_rar_sfx_access_check_240589250	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe
File created	\??\c:\windows\SysWOW64\harmacrypter.exe	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe
File opened for modification	\??\c:\windows\SysWOW64\harmacrypter.exe	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Winupdate.exe	harmacrypter.exe
File created	C:\Program Files (x86)\update3.exe	harmacrypter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2496	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5072	harmacrypter.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 5072	4264	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe	80
PID 4264 wrote to memory of 5072	4264	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe	80
PID 4264 wrote to memory of 5072	4264	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe	80
PID 5072 wrote to memory of 2784	5072	harmacrypter.exe	89
PID 5072 wrote to memory of 2784	5072	harmacrypter.exe	89
PID 5072 wrote to memory of 2784	5072	harmacrypter.exe	89
PID 5072 wrote to memory of 2980	5072	harmacrypter.exe	91
PID 5072 wrote to memory of 2980	5072	harmacrypter.exe	91
PID 5072 wrote to memory of 2980	5072	harmacrypter.exe	91
PID 2980 wrote to memory of 2496	2980	cmd.exe	93
PID 2980 wrote to memory of 2496	2980	cmd.exe	93
PID 2980 wrote to memory of 2496	2980	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe
"C:\Users\Admin\AppData\Local\Temp\82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4264
- C:\windows\SysWOW64\harmacrypter.exe
  "C:\windows\system32\harmacrypter.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Program Files (x86)\Winupdate.exe
    "C:\Program Files (x86)\Winupdate.exe"
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "DC-START" /t REG_SZ /d "C:\Program Files (x86)\update3.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - \??\c:\windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "DC-START" /t REG_SZ /d "C:\Program Files (x86)\update3.exe" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:2496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\harmacrypter.exe

Filesize
1.7MB

MD5
a368449eea721569ea57c0da914e94b9

SHA1
483015e89187decd3606d73bbff8204b4988acc1

SHA256
5069bee0a3f3bb347f77c2fb72e0eedd29563e557c915737eb5ba2dec76e294f

SHA512
ccc5f423dce867e155b53396915a2d0049ed4fe91376ae80cd90ed165a25ee958d573958823e65f4ad6a233a5612d42d7235966f1571910ad640af2cd77a3dc8

Download Submit
C:\windows\SysWOW64\harmacrypter.exe

Filesize
1.7MB

MD5
a368449eea721569ea57c0da914e94b9

SHA1
483015e89187decd3606d73bbff8204b4988acc1

SHA256
5069bee0a3f3bb347f77c2fb72e0eedd29563e557c915737eb5ba2dec76e294f

SHA512
ccc5f423dce867e155b53396915a2d0049ed4fe91376ae80cd90ed165a25ee958d573958823e65f4ad6a233a5612d42d7235966f1571910ad640af2cd77a3dc8

Download Submit
memory/5072-135-0x0000000075030000-0x00000000755E1000-memory.dmp

Filesize
5.7MB

Download
memory/5072-136-0x0000000075030000-0x00000000755E1000-memory.dmp

Filesize
5.7MB

Download
memory/5072-139-0x0000000075030000-0x00000000755E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads