c5e0ea4d9d81433e0b6ec0b99fa0c3106173d5fb5949dc6b098816ce41d4d782

General

Target

c5e0ea4d9d81433e0b6ec0b99fa0c3106173d5fb5949dc6b098816ce41d4d782.exe
Size

613KB
MD5

b06127ff0c2c975d92c80c48c4a7fffc
SHA1

1cce9115692d54425240392ea5fde7035eba4516
SHA256

c5e0ea4d9d81433e0b6ec0b99fa0c3106173d5fb5949dc6b098816ce41d4d782
SHA512

904dbbfe25bbe46fa9f5e7e87d998cf4fe692ed0f5c1fc241f3190ad3902f0ee7080e86bbeffcf24e11f57ebee0d5ae6da54d8c917158f387f245bbff92e6e58
SSDEEP

12288:vR9PHPCR9PRPCR9PBPCR9PZPCR9PZPCR9PjPCR9PbPCR9PPPCR9PvPCR9P:vRMRiRWR6R+RMRwRAR0R

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3868	notpad.exe
3704	tmp240592750.exe
1108	tmp240592812.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000400000001e64d-133.dat	upx
behavioral2/files/0x000400000001e64d-134.dat	upx
behavioral2/memory/3868-140-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	c5e0ea4d9d81433e0b6ec0b99fa0c3106173d5fb5949dc6b098816ce41d4d782.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fsb.stb	c5e0ea4d9d81433e0b6ec0b99fa0c3106173d5fb5949dc6b098816ce41d4d782.exe
File created	C:\Windows\SysWOW64\fsb.tmp	c5e0ea4d9d81433e0b6ec0b99fa0c3106173d5fb5949dc6b098816ce41d4d782.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	c5e0ea4d9d81433e0b6ec0b99fa0c3106173d5fb5949dc6b098816ce41d4d782.exe
File created	C:\Windows\SysWOW64\notpad.exe	c5e0ea4d9d81433e0b6ec0b99fa0c3106173d5fb5949dc6b098816ce41d4d782.exe
File created	C:\Windows\SysWOW64\notpad.exe-	c5e0ea4d9d81433e0b6ec0b99fa0c3106173d5fb5949dc6b098816ce41d4d782.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	c5e0ea4d9d81433e0b6ec0b99fa0c3106173d5fb5949dc6b098816ce41d4d782.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 616 wrote to memory of 3868	616	c5e0ea4d9d81433e0b6ec0b99fa0c3106173d5fb5949dc6b098816ce41d4d782.exe	80
PID 616 wrote to memory of 3868	616	c5e0ea4d9d81433e0b6ec0b99fa0c3106173d5fb5949dc6b098816ce41d4d782.exe	80
PID 616 wrote to memory of 3868	616	c5e0ea4d9d81433e0b6ec0b99fa0c3106173d5fb5949dc6b098816ce41d4d782.exe	80
PID 3868 wrote to memory of 3704	3868	notpad.exe	81
PID 3868 wrote to memory of 3704	3868	notpad.exe	81
PID 3868 wrote to memory of 3704	3868	notpad.exe	81
PID 3868 wrote to memory of 1108	3868	notpad.exe	82
PID 3868 wrote to memory of 1108	3868	notpad.exe	82
PID 3868 wrote to memory of 1108	3868	notpad.exe	82

C:\Users\Admin\AppData\Local\Temp\c5e0ea4d9d81433e0b6ec0b99fa0c3106173d5fb5949dc6b098816ce41d4d782.exe
"C:\Users\Admin\AppData\Local\Temp\c5e0ea4d9d81433e0b6ec0b99fa0c3106173d5fb5949dc6b098816ce41d4d782.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:616
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Users\Admin\AppData\Local\Temp\tmp240592750.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240592750.exe
    3⤵
    - Executes dropped EXE
    PID:3704
- - C:\Users\Admin\AppData\Local\Temp\tmp240592812.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240592812.exe
    3⤵
    - Executes dropped EXE
    PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240592750.exe

Filesize
613KB

MD5
b06127ff0c2c975d92c80c48c4a7fffc

SHA1
1cce9115692d54425240392ea5fde7035eba4516

SHA256
c5e0ea4d9d81433e0b6ec0b99fa0c3106173d5fb5949dc6b098816ce41d4d782

SHA512
904dbbfe25bbe46fa9f5e7e87d998cf4fe692ed0f5c1fc241f3190ad3902f0ee7080e86bbeffcf24e11f57ebee0d5ae6da54d8c917158f387f245bbff92e6e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240592750.exe

Filesize
613KB

MD5
b06127ff0c2c975d92c80c48c4a7fffc

SHA1
1cce9115692d54425240392ea5fde7035eba4516

SHA256
c5e0ea4d9d81433e0b6ec0b99fa0c3106173d5fb5949dc6b098816ce41d4d782

SHA512
904dbbfe25bbe46fa9f5e7e87d998cf4fe692ed0f5c1fc241f3190ad3902f0ee7080e86bbeffcf24e11f57ebee0d5ae6da54d8c917158f387f245bbff92e6e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240592812.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
786KB

MD5
f2ef17504bb5a6537933d322b3c6494b

SHA1
1329ef363ff3feb9ad627dd13adb9b164e98b9fe

SHA256
2d96f1dc24710bec5fb8932a33c7def65783be72c1db3063433616f2ca223eb3

SHA512
ad595c94c63433e955425a69a092f04820c6d735c1c31cc5da6bffdda07777a459af8916c14b3121a0311d5b663c0ca7d2020931ed519bc13fa6e1505cfef986

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
786KB

MD5
f2ef17504bb5a6537933d322b3c6494b

SHA1
1329ef363ff3feb9ad627dd13adb9b164e98b9fe

SHA256
2d96f1dc24710bec5fb8932a33c7def65783be72c1db3063433616f2ca223eb3

SHA512
ad595c94c63433e955425a69a092f04820c6d735c1c31cc5da6bffdda07777a459af8916c14b3121a0311d5b663c0ca7d2020931ed519bc13fa6e1505cfef986

Download Submit
memory/3868-140-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing