ad60c5930c75d46439141531135d0397eda61c2aac6153ce3f984a5350881d68

General

Target

ad60c5930c75d46439141531135d0397eda61c2aac6153ce3f984a5350881d68.exe
Size

16.2MB
MD5

029c5055974ee6fc6df0b6fe5a1c3cd6
SHA1

06addb3c85ca775121c8fec0043c3bb59e54d71c
SHA256

ad60c5930c75d46439141531135d0397eda61c2aac6153ce3f984a5350881d68
SHA512

bfc9e1fc336601f9f5a03775e4d58a746b97b09ceb93ea204ff2100229ed9103e5d6b8bdd912ee688e7910112adcd029398e40c939f4ef5fc16a29411d7dea31
SSDEEP

393216:sGS2dxWG0JoK/l9eTlvtaTnf+x6ZaNm+xZ3ujvMuyGLzfFW8zt1eqL:sGtfWG0Jou298TCtNmSZ34vhLbFb3V

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3656	Setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ad60c5930c75d46439141531135d0397eda61c2aac6153ce3f984a5350881d68.exe

Loads dropped DLL 5 IoCs

pid	Process
1244	ad60c5930c75d46439141531135d0397eda61c2aac6153ce3f984a5350881d68.exe
1244	ad60c5930c75d46439141531135d0397eda61c2aac6153ce3f984a5350881d68.exe
3656	Setup.exe
3656	Setup.exe
3656	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1244	ad60c5930c75d46439141531135d0397eda61c2aac6153ce3f984a5350881d68.exe
1244	ad60c5930c75d46439141531135d0397eda61c2aac6153ce3f984a5350881d68.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1244	ad60c5930c75d46439141531135d0397eda61c2aac6153ce3f984a5350881d68.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 3656	1244	ad60c5930c75d46439141531135d0397eda61c2aac6153ce3f984a5350881d68.exe	82
PID 1244 wrote to memory of 3656	1244	ad60c5930c75d46439141531135d0397eda61c2aac6153ce3f984a5350881d68.exe	82
PID 1244 wrote to memory of 3656	1244	ad60c5930c75d46439141531135d0397eda61c2aac6153ce3f984a5350881d68.exe	82

C:\Users\Admin\AppData\Local\Temp\ad60c5930c75d46439141531135d0397eda61c2aac6153ce3f984a5350881d68.exe
"C:\Users\Admin\AppData\Local\Temp\ad60c5930c75d46439141531135d0397eda61c2aac6153ce3f984a5350881d68.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\Origin\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Origin\Setup.exe" /launcherTime=240598125
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Origin\Setup.exe

Filesize
15.8MB

MD5
789ff24f3a0bfa579c209b27a2a76141

SHA1
b85f99f8cc5a10b132c2cbeb544f6b79decdc765

SHA256
41787bafe68c97e8e02b73d91b1d80d9431b17c8ad8239eda655b2239da5d650

SHA512
9a992e2cd33266610a1d95f932407cb02796058dff19a5e80774b7fd9f83bd960602a6e089da03355a34b23f472ff6461ac77bc55bf294dd3f4596e1828dd45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Origin\Setup.exe

Filesize
15.8MB

MD5
789ff24f3a0bfa579c209b27a2a76141

SHA1
b85f99f8cc5a10b132c2cbeb544f6b79decdc765

SHA256
41787bafe68c97e8e02b73d91b1d80d9431b17c8ad8239eda655b2239da5d650

SHA512
9a992e2cd33266610a1d95f932407cb02796058dff19a5e80774b7fd9f83bd960602a6e089da03355a34b23f472ff6461ac77bc55bf294dd3f4596e1828dd45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Origin\installerdll240598125.dll

Filesize
1.9MB

MD5
8cf0d9e014240f5d3d3fe8027e1b815f

SHA1
f8c7aaec9eb8c1153cd957765b10365101b72847

SHA256
b09998cb2311e9d87aa663a0cd82fb2bc97b3e04dbecc35b22c1d2e8f43b6771

SHA512
125da64c8eadb2286147a46fe105e79e7e9486e2b2c88788167778a540d5b7b96949ca8566146ecde5e191f626992091818b4dd98e82bc5fb44424a48f9f6ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\Origin\nsa3C01.tmp\System.dll

Filesize
11KB

MD5
1290200e40ae16a493b89ccf4173e81e

SHA1
bcbc4e9515a0add11aa8cc2554545436a2ee5884

SHA256
b8813d15f9a843a555dd3fa1c83eb0965807946d61b5eae9b5b285f7d56c9ba8

SHA512
a5b056379535285731cbe59b1fd749c0cfcadcacd2a8c8337795cc6cc313fc6dd0e8cf18dd9a2ed9ef39674f9a3349274c4734f67bde8ce2300dd6cc71955511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Origin\nsoDC0A.tmp\System.dll

Filesize
11KB

MD5
1290200e40ae16a493b89ccf4173e81e

SHA1
bcbc4e9515a0add11aa8cc2554545436a2ee5884

SHA256
b8813d15f9a843a555dd3fa1c83eb0965807946d61b5eae9b5b285f7d56c9ba8

SHA512
a5b056379535285731cbe59b1fd749c0cfcadcacd2a8c8337795cc6cc313fc6dd0e8cf18dd9a2ed9ef39674f9a3349274c4734f67bde8ce2300dd6cc71955511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Origin\nsoDC0A.tmp\UserInfo.dll

Filesize
4KB

MD5
d49f4084090a5d1918db65cf5559e431

SHA1
f90ac39aff7608a6ab7b685bf7fa8740a104485c

SHA256
d588140a504322e672409aa4bc8a9aa398f36b9846e9a651a24246d8cae29507

SHA512
d01496b67ea5552e1fcd9762d4080b84cb6cb8779ced92394846b89cc8b08eb47fdb07317b41696ee5f9c61c52694331d3255cd49b482c9dbe24dca3d79954d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Origin\nsoDC0A.tmp\UserInfo.dll

Filesize
4KB

MD5
d49f4084090a5d1918db65cf5559e431

SHA1
f90ac39aff7608a6ab7b685bf7fa8740a104485c

SHA256
d588140a504322e672409aa4bc8a9aa398f36b9846e9a651a24246d8cae29507

SHA512
d01496b67ea5552e1fcd9762d4080b84cb6cb8779ced92394846b89cc8b08eb47fdb07317b41696ee5f9c61c52694331d3255cd49b482c9dbe24dca3d79954d3

Download Submit
memory/3656-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing