afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce

General

Target

afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe
Size

279KB
MD5

d3ece560d7a18b6c0d948a6c6302ec4f
SHA1

acf5e9b9e5093091fc726745bd8ff089a3040934
SHA256

afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce
SHA512

e23eccb408c71b1abb574968ae21a2a8dbeb7857c95b0efcbe5acd68a077deb454be9a30915ba1a1ef668e17c4e39a792b57fbbec748bd23392f64d4dab7e58e
SSDEEP

6144:x1dlZro5yiyA4AvxE+faCHPJKUuM5NbRtELCe:x1dlZo5yiytAvpPJK4zwLD

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Register.exeexplorer.exeWindows8LoopbackManager.exe

pid process

1932 Register.exe
5064 explorer.exe
2116 Windows8LoopbackManager.exe

pid	process
1932	Register.exe
5064	explorer.exe
2116	Windows8LoopbackManager.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exeRegister.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Register.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Register.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1932	Register.exe
Token: 33	1932	Register.exe
Token: SeIncBasePriorityPrivilege	1932	Register.exe
Token: SeDebugPrivilege	5064	explorer.exe
Token: 33	5064	explorer.exe
Token: SeIncBasePriorityPrivilege	5064	explorer.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exeRegister.exe

description	pid	process	target process
PID 1256 wrote to memory of 1932	1256	afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe	Register.exe
PID 1256 wrote to memory of 1932	1256	afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe	Register.exe
PID 1932 wrote to memory of 5064	1932	Register.exe	explorer.exe
PID 1932 wrote to memory of 5064	1932	Register.exe	explorer.exe
PID 1256 wrote to memory of 2116	1256	afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe	Windows8LoopbackManager.exe
PID 1256 wrote to memory of 2116	1256	afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe	Windows8LoopbackManager.exe
PID 1256 wrote to memory of 2116	1256	afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe	Windows8LoopbackManager.exe

C:\Users\Admin\AppData\Local\Temp\afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe
"C:\Users\Admin\AppData\Local\Temp\afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\Register.exe
"C:\Users\Admin\AppData\Local\Temp\Register.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Roaming\explorer.exe
"C:\Users\Admin\AppData\Roaming\explorer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Users\Admin\AppData\Local\Temp\Windows8LoopbackManager.exe
"C:\Users\Admin\AppData\Local\Temp\Windows8LoopbackManager.exe"
2⤵
- Executes dropped EXE
PID:2116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Register.exe
Filesize
144KB

MD5
672fb841cddc1584b0e52e0a4508a12a

SHA1
7c3b5676bed56ea6d2a45bdcba73c3bf7c3afd2b

SHA256
fbb2b8247dfdc696f58ed8ad335ec29f809a76de9b3240d1439225897d83dc8b

SHA512
90ea24a4946c38de8f8feb795a65dfe41dabbf135592eb450718d9a50f0e1d66a85bad757ba3b935e7d41fa7b2f1a9a7fad7b8661c41f2002e13362567054326

Download Submit
C:\Users\Admin\AppData\Local\Temp\Register.exe
Filesize
144KB

MD5
672fb841cddc1584b0e52e0a4508a12a

SHA1
7c3b5676bed56ea6d2a45bdcba73c3bf7c3afd2b

SHA256
fbb2b8247dfdc696f58ed8ad335ec29f809a76de9b3240d1439225897d83dc8b

SHA512
90ea24a4946c38de8f8feb795a65dfe41dabbf135592eb450718d9a50f0e1d66a85bad757ba3b935e7d41fa7b2f1a9a7fad7b8661c41f2002e13362567054326

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows8LoopbackManager.exe
Filesize
186KB

MD5
d7937dce17efb0762b0942bb65bff9d7

SHA1
bdd4d85da112311007ab6dbffc4255a445eb9667

SHA256
8685fffb468a4fbade430eac70c6fd3fe95f5a89bfb5cc44f1b8b435d85d6fec

SHA512
3a9e42522ed61f3714e14fcd6aa5afd97feb5d8434b94d8cdf96a9463a59b643480535e047cd0fc279cdba46f2a5ce45832f4a49d893232eb9ae32a2a6803012

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows8LoopbackManager.exe
Filesize
186KB

MD5
d7937dce17efb0762b0942bb65bff9d7

SHA1
bdd4d85da112311007ab6dbffc4255a445eb9667

SHA256
8685fffb468a4fbade430eac70c6fd3fe95f5a89bfb5cc44f1b8b435d85d6fec

SHA512
3a9e42522ed61f3714e14fcd6aa5afd97feb5d8434b94d8cdf96a9463a59b643480535e047cd0fc279cdba46f2a5ce45832f4a49d893232eb9ae32a2a6803012

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe
Filesize
144KB

MD5
672fb841cddc1584b0e52e0a4508a12a

SHA1
7c3b5676bed56ea6d2a45bdcba73c3bf7c3afd2b

SHA256
fbb2b8247dfdc696f58ed8ad335ec29f809a76de9b3240d1439225897d83dc8b

SHA512
90ea24a4946c38de8f8feb795a65dfe41dabbf135592eb450718d9a50f0e1d66a85bad757ba3b935e7d41fa7b2f1a9a7fad7b8661c41f2002e13362567054326

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe
Filesize
144KB

MD5
672fb841cddc1584b0e52e0a4508a12a

SHA1
7c3b5676bed56ea6d2a45bdcba73c3bf7c3afd2b

SHA256
fbb2b8247dfdc696f58ed8ad335ec29f809a76de9b3240d1439225897d83dc8b

SHA512
90ea24a4946c38de8f8feb795a65dfe41dabbf135592eb450718d9a50f0e1d66a85bad757ba3b935e7d41fa7b2f1a9a7fad7b8661c41f2002e13362567054326

Download Submit
memory/1932-139-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-145-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-135-0x0000000000000000-mapping.dmp

Download
memory/1932-138-0x0000000000530000-0x000000000055A000-memory.dmp

Filesize
168KB

Download
memory/2116-146-0x0000000000000000-mapping.dmp

Download
memory/2116-149-0x00000000009F0000-0x0000000000A24000-memory.dmp

Filesize
208KB

Download
memory/2116-150-0x0000000005FC0000-0x0000000005FC8000-memory.dmp

Filesize
32KB

Download
memory/2116-151-0x00000000098B0000-0x00000000098E8000-memory.dmp

Filesize
224KB

Download
memory/2116-152-0x0000000009880000-0x000000000988E000-memory.dmp

Filesize
56KB

Download
memory/5064-140-0x0000000000000000-mapping.dmp

Download
memory/5064-143-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/5064-144-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads