ad91b712173cfe6d4222fc1e3588fe28f5897bac7c7b368d599ee80a1bd7a97e

General

Target

ad91b712173cfe6d4222fc1e3588fe28f5897bac7c7b368d599ee80a1bd7a97e.exe
Size

524KB
MD5

563a78dbdefb0b84b0867012c17a576a
SHA1

b16f104864521f6add79b2c407eecf18e3b7f265
SHA256

ad91b712173cfe6d4222fc1e3588fe28f5897bac7c7b368d599ee80a1bd7a97e
SHA512

77401bc8aaf1c92b1d1f7b249107ad6d892899b1d11ef396b7e6f748d243f59778effd665403b4303d7968bf595f09f819979d97adf855a995827e0f3bbe1282
SSDEEP

12288:AJuKBAjsT2ws4GrRu2QRqxqlOy8AF05yHk67zR960LF:AJuXsTuRRu2wqNGIyHr96i

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ad91b712173cfe6d4222fc1e3588fe28f5897bac7c7b368d599ee80a1bd7a97e.exe

Executes dropped EXE 1 IoCs

pid	Process
3192	s5859.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ad91b712173cfe6d4222fc1e3588fe28f5897bac7c7b368d599ee80a1bd7a97e.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	s5859.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	s5859.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	s5859.exe
File created	C:\Windows\assembly\Desktop.ini	s5859.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	s5859.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
868	4720	WerFault.exe	78

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ad91b712173cfe6d4222fc1e3588fe28f5897bac7c7b368d599ee80a1bd7a97e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	ad91b712173cfe6d4222fc1e3588fe28f5897bac7c7b368d599ee80a1bd7a97e.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4720	ad91b712173cfe6d4222fc1e3588fe28f5897bac7c7b368d599ee80a1bd7a97e.exe
4720	ad91b712173cfe6d4222fc1e3588fe28f5897bac7c7b368d599ee80a1bd7a97e.exe
3192	s5859.exe
3192	s5859.exe
3192	s5859.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	s5859.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3192	s5859.exe
3192	s5859.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 3192	4720	ad91b712173cfe6d4222fc1e3588fe28f5897bac7c7b368d599ee80a1bd7a97e.exe	79
PID 4720 wrote to memory of 3192	4720	ad91b712173cfe6d4222fc1e3588fe28f5897bac7c7b368d599ee80a1bd7a97e.exe	79

C:\Users\Admin\AppData\Local\Temp\ad91b712173cfe6d4222fc1e3588fe28f5897bac7c7b368d599ee80a1bd7a97e.exe
"C:\Users\Admin\AppData\Local\Temp\ad91b712173cfe6d4222fc1e3588fe28f5897bac7c7b368d599ee80a1bd7a97e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\n5859\s5859.exe
  "C:\Users\Admin\AppData\Local\Temp\n5859\s5859.exe" ins.exe /e 12487288 /t 533b0a349d79abc5738b46a1 /u e79b5525-92fa-11e3-8a58-80c16e6f498c /h 46aff3.api.socdn.com /v "C:\Users\Admin\AppData\Local\Temp\ad91b712173cfe6d4222fc1e3588fe28f5897bac7c7b368d599ee80a1bd7a97e.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 3856
  2⤵
  - Program crash
  PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4720 -ip 4720
1⤵
PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n5859\s5859.exe

Filesize
339KB

MD5
7bfe6bbe12a10323b0aa5c1bad6ecd5b

SHA1
7ce4508ddfa0200a95cdbfbe66c4c6b5a8b87122

SHA256
f15a491ef671ebddcc3710a4817244c18fe1a5dd444c83137c2fbd601d1c7214

SHA512
bf0438520ade14a53c7d8a76b7f7e3d8eec9060003954e0da1ee17ed5db024c44a28bae23ebfaa006fd50da400faf9fc77a4dcb1071d0501d753b47a6146d5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\n5859\s5859.exe

Filesize
339KB

MD5
7bfe6bbe12a10323b0aa5c1bad6ecd5b

SHA1
7ce4508ddfa0200a95cdbfbe66c4c6b5a8b87122

SHA256
f15a491ef671ebddcc3710a4817244c18fe1a5dd444c83137c2fbd601d1c7214

SHA512
bf0438520ade14a53c7d8a76b7f7e3d8eec9060003954e0da1ee17ed5db024c44a28bae23ebfaa006fd50da400faf9fc77a4dcb1071d0501d753b47a6146d5d7

Download Submit
memory/3192-135-0x00007FFBC73C0000-0x00007FFBC7DF6000-memory.dmp

Filesize
10.2MB

Download
memory/3192-136-0x000000000100A000-0x000000000100F000-memory.dmp

Filesize
20KB

Download
memory/3192-137-0x000000000100A000-0x000000000100F000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads