8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d

General

Target

8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe
Size

109KB
MD5

2cc89125f41c7f0b43a2270bab95f59b
SHA1

52872c01673f3de64f2abcb038bd2ad2f19c9b71
SHA256

8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d
SHA512

b7cbc407caf3a3ec10e73561c06daf1dd4af851d6e1c77d6fa7d6fab91c50bf3a3f1f7c10670d161c70ba5c84e9ac07ffd1263b298a9949c45321f22920a1dd9
SSDEEP

1536:onX6P2JU6nCbtEDbPjg5shQ/G1VyZJAVY53rfL8iL/3p5PKtOPc6BVWFyVsG:HOJU6n+irC8VyZGVw7L8iLBYtIHUyVd

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Unicode_Normalization\pARAMETERS\sERVICEdLL = "C:\\Windows\\system32\\softpus.dll"	regsvr32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 2 IoCs

pid	Process
2216	regsvr32.exe
2888	Svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\softpus.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\softpus.dll	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3196	tasklist.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
744	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2248	PING.EXE
3952	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3196	tasklist.exe
Token: SeDebugPrivilege	744	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 1028	4868	8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe	81
PID 4868 wrote to memory of 1028	4868	8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe	81
PID 4868 wrote to memory of 1028	4868	8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe	81
PID 1028 wrote to memory of 3260	1028	WScript.exe	82
PID 1028 wrote to memory of 3260	1028	WScript.exe	82
PID 1028 wrote to memory of 3260	1028	WScript.exe	82
PID 3260 wrote to memory of 2216	3260	cmd.exe	84
PID 3260 wrote to memory of 2216	3260	cmd.exe	84
PID 3260 wrote to memory of 2216	3260	cmd.exe	84
PID 3260 wrote to memory of 2248	3260	cmd.exe	85
PID 3260 wrote to memory of 2248	3260	cmd.exe	85
PID 3260 wrote to memory of 2248	3260	cmd.exe	85
PID 3260 wrote to memory of 3196	3260	cmd.exe	87
PID 3260 wrote to memory of 3196	3260	cmd.exe	87
PID 3260 wrote to memory of 3196	3260	cmd.exe	87
PID 3260 wrote to memory of 3952	3260	cmd.exe	88
PID 3260 wrote to memory of 3952	3260	cmd.exe	88
PID 3260 wrote to memory of 3952	3260	cmd.exe	88
PID 3260 wrote to memory of 744	3260	cmd.exe	92
PID 3260 wrote to memory of 744	3260	cmd.exe	92
PID 3260 wrote to memory of 744	3260	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe
"C:\Users\Admin\AppData\Local\Temp\8589f3241162d90ad2be553b5fe6888bbcd68680c4f491aac4aee40fe7fd384d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hy.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c hy.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 hy.dll
      4⤵
      Sets DLL path for service in the registry
      Loads dropped DLL
      Drops file in System32 directory
      PID:2216
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2248
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3196
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im regsvr32.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:744

C:\Windows\SysWOW64\Svchost.exe
C:\Windows\SysWOW64\Svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Process Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hy.bat

Filesize
144B

MD5
f36b3892cd11fe578eadf0d4e49ebd70

SHA1
e25898f1e58ecac39b050c6461e0e95dbf9eb70e

SHA256
a4868b4d6a8bc27c4a4aee08bd04749dc37bdf24c43f036d9fde99c9542ca9e7

SHA512
900a1d0daead103b03e14927caf915d27d0a2b73148a18e5adb635366bded86442d8cf618f65eda63eb8ff255750541ae155a01710c1ed62e1294449f81c1e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\hy.dll

Filesize
63KB

MD5
dd61d349a7c099442135a102cbd342a4

SHA1
fb9d361235f1954abd1842971e6c3bbf6d8981e5

SHA256
86c9490bb84e0fdbf60cbd36eeda4390a810b0a92b3e33dac6679e27060a03c3

SHA512
54366ab8bafbe89bf58285f032a6ae84465731f6595d3a572271a3b6693c7204f39a1a10062df4f703f8292e2313fbad8cf933d7a280a4a67408c1290bce40cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hy.dll

Filesize
63KB

MD5
dd61d349a7c099442135a102cbd342a4

SHA1
fb9d361235f1954abd1842971e6c3bbf6d8981e5

SHA256
86c9490bb84e0fdbf60cbd36eeda4390a810b0a92b3e33dac6679e27060a03c3

SHA512
54366ab8bafbe89bf58285f032a6ae84465731f6595d3a572271a3b6693c7204f39a1a10062df4f703f8292e2313fbad8cf933d7a280a4a67408c1290bce40cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hy.vbs

Filesize
51B

MD5
b622ecd01880270e1625c337249ba7d3

SHA1
f1dad85b2dfa56d2b3ae507765ec96c56e51eb9c

SHA256
d6d1f72224e9db4edbdf2bc900a816d3fe6aa95a9f547a10216a78d6ea722588

SHA512
1a36d8781dc3fdf55b520ace190fe14b8787432b27ffc3b99104a40feb0abf1128c200e977ceb27cf31e9c80edac97eb28e5f11e935d839869b2a8b7550ffde0

Download Submit
C:\Windows\SysWOW64\softpus.dll

Filesize
63KB

MD5
dd61d349a7c099442135a102cbd342a4

SHA1
fb9d361235f1954abd1842971e6c3bbf6d8981e5

SHA256
86c9490bb84e0fdbf60cbd36eeda4390a810b0a92b3e33dac6679e27060a03c3

SHA512
54366ab8bafbe89bf58285f032a6ae84465731f6595d3a572271a3b6693c7204f39a1a10062df4f703f8292e2313fbad8cf933d7a280a4a67408c1290bce40cf

Download Submit
\??\c:\windows\SysWOW64\softpus.dll

Filesize
63KB

MD5
dd61d349a7c099442135a102cbd342a4

SHA1
fb9d361235f1954abd1842971e6c3bbf6d8981e5

SHA256
86c9490bb84e0fdbf60cbd36eeda4390a810b0a92b3e33dac6679e27060a03c3

SHA512
54366ab8bafbe89bf58285f032a6ae84465731f6595d3a572271a3b6693c7204f39a1a10062df4f703f8292e2313fbad8cf933d7a280a4a67408c1290bce40cf

Download Submit

Analysis

Sharing