d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9

General

Target

d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9.exe
Size

913KB
MD5

67de448a65e1e16d4a1d6f5a65b4c61a
SHA1

ab7166a256aad0180e46e88d2169b4cadaf1ebf4
SHA256

d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9
SHA512

47f477732c88f3e7f99273c4dbd563dfd288be342af08bbca60e1020e65b4d32199b85bf6a15cbe93f6e4e0e47d42915b1a42b5e2ed5193aaf30d888e38cc29e
SSDEEP

12288:yK2mhAMJ/cPltTiD8/HBP7v8h7UZYE82Y5UKUL4n4y3Xp3SbSl/ADUnr:z2O/GltWD8fBPA7g6zwm4m53Sb2YDUnr

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

lokdpnhssmcq.exe

pid process

4536 lokdpnhssmcq.exe

pid	process
4536	lokdpnhssmcq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lokdpnhssmcq.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	lokdpnhssmcq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\I5D9G4~1 = "C:\\Users\\Admin\\I5D9G4~1\\nspfptok.vbs"	lokdpnhssmcq.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

lokdpnhssmcq.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lokdpnhssmcq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

lokdpnhssmcq.exe

pid process

4536 lokdpnhssmcq.exe
4536 lokdpnhssmcq.exe
4536 lokdpnhssmcq.exe
4536 lokdpnhssmcq.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lokdpnhssmcq.exe

pid	process
4536	lokdpnhssmcq.exe
4536	lokdpnhssmcq.exe
4536	lokdpnhssmcq.exe
4536	lokdpnhssmcq.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9.exelokdpnhssmcq.exe

description	pid	process	target process
PID 1352 wrote to memory of 4536	1352	d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9.exe	lokdpnhssmcq.exe
PID 1352 wrote to memory of 4536	1352	d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9.exe	lokdpnhssmcq.exe
PID 1352 wrote to memory of 4536	1352	d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9.exe	lokdpnhssmcq.exe
PID 4536 wrote to memory of 4388	4536	lokdpnhssmcq.exe	RegSvcs.exe
PID 4536 wrote to memory of 4388	4536	lokdpnhssmcq.exe	RegSvcs.exe
PID 4536 wrote to memory of 4388	4536	lokdpnhssmcq.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9.exe
"C:\Users\Admin\AppData\Local\Temp\d3bd8aa9d23c6f86b88662ba478209a3d54d0aea368eeffd4af95fee851e3bc9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\i5d9g4jxa83i\lokdpnhssmcq.exe
"C:\Users\Admin\i5d9g4jxa83i\lokdpnhssmcq.exe" mevvzby
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:4388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\I5D9G4~1\gjsenxmaomap.UOX
Filesize
89B

MD5
6555605040d90d02e35161f27518821f

SHA1
8979afd72300842935326852bb4bdcd28040c27f

SHA256
87acbecbc873d2523c8937afb7a79ce8a724c96863030552510b71ebfb39d654

SHA512
8aaf385bd1e9e35982799722caf7d384208bb1ddb9718a6d20772e26fb37376fe7108f8ed4c5eb18275c7de78041f72c4e059d93b527a8eb1a595e8dfd8f28a7

Download Submit
C:\Users\Admin\I5D9G4~1\yweh.BZK
Filesize
84KB

MD5
a3996a84f8c3744b541d3388bcdda83c

SHA1
80b28686fdb20bd666a199860af5d48caa3a57d1

SHA256
a8190c726d39e659579a4705ed113b900257e50eb83f626df90e82b179b18fe6

SHA512
c04ead0005b5697f8c38b8e13456a9172d0106219db444294b8bcd90ca172ef6598c179f566ee0a8ff6c834c59a7053aef1f3453e442063fcf0db989eef85527

Download Submit
C:\Users\Admin\i5d9g4jxa83i\lokdpnhssmcq.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\i5d9g4jxa83i\lokdpnhssmcq.exe
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\i5d9g4jxa83i\mevvzby
Filesize
646.8MB

MD5
e9ca388696fb78f1ada8e734de03885e

SHA1
7676ce9afc658edece20ef05c57bb9cf5fa22b0a

SHA256
a47b9aff9070bbca23bd4610bffd2f8a71fb11ad4f009a2dcfee7903883b9d69

SHA512
bc84e2e71c92086c594c30a9ab3c2e7884f706c47540ba6be58938c515393645ae728ec334954ba5fa193dd1f1798c453fdbeaa81eb182f7856b71d1a88ef980

Download Submit
memory/4388-138-0x0000000000000000-mapping.dmp

Download
memory/4536-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads