21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7

General

Target

21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
Size

25KB
MD5

57c678211dda0d349e2d9d2a25116a19
SHA1

77971234309f22074587833f1284bb4dc66923a4
SHA256

21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7
SHA512

c83b19fd53177e43d4f69c7a7a6d55bdd9220034ec46eebf732b1e34271e0af6f608509931440c1ade08816b1919e4ca57328acccc2c5ce1fd2d71e6f31f7c51
SSDEEP

384:hUmKnSZYRuVh7f0EYw+BrkylhOLX4+l6BU0NTy93SKUW:9uSZwuLD0xw3qOLo/lTyM7W

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

clientex.exe

pid process

544 clientex.exe

pid	process
544	clientex.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe

Drops file in System32 directory 1 IoCs

Processes:

21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe

description ioc process

File created C:\Windows\SysWOW64\clientex.exe 21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clientex.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe

Drops file in Program Files directory 64 IoCs

Processes:

21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\setup_wm.exe.mui	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoia.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\misc.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: RenamesItself 1 IoCs

Processes:

21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe

pid process

4656 21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe

pid	process
4656	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe

description	pid	process	target process
PID 4656 wrote to memory of 544	4656	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe	clientex.exe
PID 4656 wrote to memory of 544	4656	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe	clientex.exe
PID 4656 wrote to memory of 544	4656	21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe	clientex.exe

C:\Users\Admin\AppData\Local\Temp\21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe
"C:\Users\Admin\AppData\Local\Temp\21de28db3ad1a8f37c75daf03be5e6c4d706b8ab3afa8392d49c6d59ac092ae7.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\clientex.exe
"C:\Windows\system32\clientex.exe"
2⤵
- Executes dropped EXE
PID:544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\clientex.exe
Filesize
25KB

MD5
c94f7d4b7ba3f5f93477951e6b0b4a21

SHA1
bb6f5bd2abfddec2d05b2866a11a15adf8b0f09a

SHA256
1618d40508a729b45e8869f86c684b419fbc628237317c63a3dca51633836633

SHA512
1ebf68e988af6805cff5869cf8cdd6d989a6b7ba52b8d51f3505f3736aaed6331ebb0333eb523159f7175326b82b6eaa7eac1cc60cbfae6ecda8cd311d651181

Download Submit
C:\Windows\SysWOW64\clientex.exe
Filesize
25KB

MD5
c94f7d4b7ba3f5f93477951e6b0b4a21

SHA1
bb6f5bd2abfddec2d05b2866a11a15adf8b0f09a

SHA256
1618d40508a729b45e8869f86c684b419fbc628237317c63a3dca51633836633

SHA512
1ebf68e988af6805cff5869cf8cdd6d989a6b7ba52b8d51f3505f3736aaed6331ebb0333eb523159f7175326b82b6eaa7eac1cc60cbfae6ecda8cd311d651181

Download Submit
memory/544-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads