fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497

General

Target

fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe
Size

403KB
MD5

488b894db215a769112d6137122fa7b3
SHA1

a0457680f5dd5341bd58b2579456ce4b1249ede7
SHA256

fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497
SHA512

dd6f13fafd6434944181faa0fe778d8208d3cf62e5c2073ee6c5c96fade1d3c17e75e5a9aaa937c546d1aa704c5a70a3e7773e2c4f8bdfa3ed2137c64f4cf9a5
SSDEEP

6144:rPEwiS2+fdX1yrNM9I5QpO64tpan0sxK0fEKIypQV5lr3:zXBpO6GCOXRwfTqVz

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent5 = "rundll32.exe shell32.dll, ShellExec_RunDLL C:\\PROGRA~3\\68BJ06~1.EXE"	backgroundTaskHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2932 set thread context of 1036	2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe
2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe
2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe
2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe
2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe
2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe
2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe
2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe
1036	backgroundTaskHost.exe
1036	backgroundTaskHost.exe
1036	backgroundTaskHost.exe
1036	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 1036	2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe	82
PID 2932 wrote to memory of 1036	2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe	82
PID 2932 wrote to memory of 1036	2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe	82
PID 2932 wrote to memory of 1036	2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe	82
PID 2932 wrote to memory of 1036	2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe	82
PID 2932 wrote to memory of 1036	2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe	82
PID 2932 wrote to memory of 1036	2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe	82
PID 2932 wrote to memory of 1036	2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe	82
PID 2932 wrote to memory of 1036	2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe	82
PID 2932 wrote to memory of 1036	2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe	82
PID 2932 wrote to memory of 1036	2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe	82
PID 2932 wrote to memory of 4224	2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe	83
PID 2932 wrote to memory of 4224	2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe	83
PID 2932 wrote to memory of 4224	2932	fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe	83
PID 4224 wrote to memory of 3796	4224	cmd.exe	87
PID 4224 wrote to memory of 3796	4224	cmd.exe	87
PID 4224 wrote to memory of 3796	4224	cmd.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3796	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe
"C:\Users\Admin\AppData\Local\Temp\fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\backgroundTaskHost.exe
  "backgroundTaskHost.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bitA69F.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\fa9a25aabc6f04f477733304101bc5c0fb9f52a4f873f4152bb62611e01ef497.exe"
    3⤵
    - Views/modifies file attributes
    PID:3796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\68bj0606d.exe

Filesize
403KB

MD5
d381636a180785ed83d78d9e988e1d38

SHA1
8703e7d0ff27448b1f1d5f9dd320ca2e2914eb6a

SHA256
0773f829266f7f01c14f2c76ee00f479dfc89e3cee1b3b54c31f048fcba159f4

SHA512
0b605868d0a227f8de42c962a976b55f2bd3a00b76eef20e03a5dabbe78b6f420f8f37d8ea71e6daa4f48ae1278d6ca2410cac3788a2d487b584fc5c7bb28498

Download Submit
C:\Users\Admin\AppData\Local\Temp\3492473cd35c8bdceed8

Filesize
28B

MD5
27967c2dea8afa8c7c20d1963922bb5d

SHA1
9cfd2ca7762e921901deb82c70306a4079ca86a4

SHA256
839fc9bcd2859b45c306b5a02c8cf9ae14760238f6cd30c04fd85ead216786a4

SHA512
a726bcc8bc03d582beac15f100b2f8c20e004a3c6294ddf66ba91ea345d26fd1c16ce36db5248f48b24d9778d2389cd3545000a588cb29649a14aaf8e6a392c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bitA69F.tmp.bat

Filesize
56B

MD5
315a7d26dbf683006504d6a8529454ff

SHA1
262165b20355ef426d8c11a92d6fe7e43d14fb5e

SHA256
c94969634fe1dc721e2d4bc6fbccc36a544c2b74f0ca5b57566a9f2f42282446

SHA512
1d9e77f14c07d286a85481295158b552fc08c38e97acb62c1a32fcf1b2ff035563bca80311cf99dd6715e882576735dcf15c7bb9c5c8594a6d32f44500cde035

Download Submit
memory/1036-135-0x0000000000F40000-0x0000000000F40008-memory.dmp

Filesize
8B

Download
memory/1036-136-0x0000000001360000-0x00000000013D9000-memory.dmp

Filesize
484KB

Download
memory/1036-138-0x0000000001360000-0x000000000138F000-memory.dmp

Filesize
188KB

Download
memory/1036-139-0x00000000014E0000-0x00000000014F0000-memory.dmp

Filesize
64KB

Download
memory/1036-140-0x0000000001360000-0x000000000138F000-memory.dmp

Filesize
188KB

Download
memory/2932-132-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2932-143-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2932-133-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads