917892e6af07431cb9efe5145319102c15d9600362284d237d1bba1fc7ee7f9a

General

Target

917892e6af07431cb9efe5145319102c15d9600362284d237d1bba1fc7ee7f9a.exe
Size

1000KB
MD5

e77476b186670f1baa5050a284ca2621
SHA1

9b4cd2414ba42dfda684b5b6c04d64a0654692a0
SHA256

917892e6af07431cb9efe5145319102c15d9600362284d237d1bba1fc7ee7f9a
SHA512

68aeeaa346c08f508f691ec2ce2564a44b146141443e6f99abbe80e174a5c15956ac71deea79b469dc6789c9f1677809f21b76ac7f056f7a3b55d3bcc5a70548
SSDEEP

12288:LiJq+i49rL8zXWLqUThQFi06R6t3uBHEtUdYqAZGZSmcAUWNrPd5NXnEkCNbaqh0:l+yzXWLqUrR6duBktXXflo3XEkT661yK

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

ICRTool.exe1.Exeadsl.exe

pid process

2600 ICRTool.exe
4464 1.Exe
1336 adsl.exe

pid	process
2600	ICRTool.exe
4464	1.Exe
1336	adsl.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1.Exe	upx
C:\Users\Admin\AppData\Local\Temp\1.Exe	upx
behavioral2/memory/4464-138-0x0000000000400000-0x000000000043D000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Dir\adsl.exe	upx
C:\Users\Admin\AppData\Roaming\Dir\adsl.exe	upx
behavioral2/memory/1336-147-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/4464-148-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/1336-150-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

917892e6af07431cb9efe5145319102c15d9600362284d237d1bba1fc7ee7f9a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	917892e6af07431cb9efe5145319102c15d9600362284d237d1bba1fc7ee7f9a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

adsl.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\windows\CurrentVersion\Run	adsl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adsl = "C:\\Users\\Admin\\AppData\\Roaming\\Dir\\adsl.exe"	adsl.exe

Drops file in Program Files directory 7 IoCs

Processes:

1.Exe

description	ioc	process
File created	C:\Program Files\LimeWire\Shared\Mirc.exe	1.Exe
File created	C:\Program Files\eDonkey2000\Mirc.exe	1.Exe
File created	C:\Program Files\eMule\Incoming\Mirc.exe	1.Exe
File created	C:\Program Files\Morpheus\My Shared Folder\Mirc.exe	1.Exe
File created	C:\Program Files\Bearshare\Shared\kespersky Keys Generator.exee	1.Exe
File created	C:\Program Files\Kazaa\My Shared Folder\Mirc.exe	1.Exe
File created	C:\Program Files\Ares\My Shared Folder\Mirc.exe	1.Exe

Drops file in Windows directory 2 IoCs

Processes:

adsl.exe

description ioc process

File created C:\Windows\Dated.dat adsl.exe
File opened for modification C:\Windows\Dated.dat adsl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1.Exeadsl.exe

pid process

4464 1.Exe
4464 1.Exe
1336 adsl.exe
1336 adsl.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

1.ExeICRTool.exeadsl.exe

pid process

4464 1.Exe
2600 ICRTool.exe
2600 ICRTool.exe
2600 ICRTool.exe
4464 1.Exe
1336 adsl.exe
1336 adsl.exe
2600 ICRTool.exe

description	ioc	process
File created	C:\Windows\Dated.dat	adsl.exe
File opened for modification	C:\Windows\Dated.dat	adsl.exe

pid	process
4464	1.Exe
4464	1.Exe
1336	adsl.exe
1336	adsl.exe

pid	process
4464	1.Exe
2600	ICRTool.exe
2600	ICRTool.exe
2600	ICRTool.exe
4464	1.Exe
1336	adsl.exe
1336	adsl.exe
2600	ICRTool.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

917892e6af07431cb9efe5145319102c15d9600362284d237d1bba1fc7ee7f9a.exe1.Exe

description	pid	process	target process
PID 4108 wrote to memory of 2600	4108	917892e6af07431cb9efe5145319102c15d9600362284d237d1bba1fc7ee7f9a.exe	ICRTool.exe
PID 4108 wrote to memory of 2600	4108	917892e6af07431cb9efe5145319102c15d9600362284d237d1bba1fc7ee7f9a.exe	ICRTool.exe
PID 4108 wrote to memory of 2600	4108	917892e6af07431cb9efe5145319102c15d9600362284d237d1bba1fc7ee7f9a.exe	ICRTool.exe
PID 4108 wrote to memory of 4464	4108	917892e6af07431cb9efe5145319102c15d9600362284d237d1bba1fc7ee7f9a.exe	1.Exe
PID 4108 wrote to memory of 4464	4108	917892e6af07431cb9efe5145319102c15d9600362284d237d1bba1fc7ee7f9a.exe	1.Exe
PID 4108 wrote to memory of 4464	4108	917892e6af07431cb9efe5145319102c15d9600362284d237d1bba1fc7ee7f9a.exe	1.Exe
PID 4464 wrote to memory of 1336	4464	1.Exe	adsl.exe
PID 4464 wrote to memory of 1336	4464	1.Exe	adsl.exe
PID 4464 wrote to memory of 1336	4464	1.Exe	adsl.exe
PID 4464 wrote to memory of 4328	4464	1.Exe	cmd.exe
PID 4464 wrote to memory of 4328	4464	1.Exe	cmd.exe
PID 4464 wrote to memory of 4328	4464	1.Exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\917892e6af07431cb9efe5145319102c15d9600362284d237d1bba1fc7ee7f9a.exe
"C:\Users\Admin\AppData\Local\Temp\917892e6af07431cb9efe5145319102c15d9600362284d237d1bba1fc7ee7f9a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4108

C:\Users\Admin\AppData\Local\Temp\ICRTool.exe
"C:\Users\Admin\AppData\Local\Temp\ICRTool.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2600

C:\Users\Admin\AppData\Local\Temp\1.Exe
"C:\Users\Admin\AppData\Local\Temp\1.Exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4464

C:\Users\Admin\AppData\Roaming\Dir\adsl.exe
C:\Users\Admin\AppData\Roaming\Dir\adsl.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\runner.bat
3⤵
PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.Exe
Filesize
72KB

MD5
b976048472489843ff64c6ac5b7fd970

SHA1
9736dd5cf496db8e0e200a90f761ee5d62e4af36

SHA256
2beeca2791c7eba3aab4707d5305abb7fa22139279b87122f7ef0911061f0bc5

SHA512
cf6478351867d12c81f34680b97900126266ad7292bafb4707a95a8d203ce62bb5634109bc7acd6809b3cda6ad020e667cb9911e0edef2f096f09e38818deb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.Exe
Filesize
72KB

MD5
b976048472489843ff64c6ac5b7fd970

SHA1
9736dd5cf496db8e0e200a90f761ee5d62e4af36

SHA256
2beeca2791c7eba3aab4707d5305abb7fa22139279b87122f7ef0911061f0bc5

SHA512
cf6478351867d12c81f34680b97900126266ad7292bafb4707a95a8d203ce62bb5634109bc7acd6809b3cda6ad020e667cb9911e0edef2f096f09e38818deb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICRTool.exe
Filesize
2.0MB

MD5
d1c60d84122c0aa0d442b98014eb6b2e

SHA1
62af0be3eafeade02b09bf93c4d3bad60a59f97e

SHA256
23209ea52cb88f9c60e318034fe1f4e0c224eea46087ecfa7f2830e4c75fd8b5

SHA512
0e45da48919af15351c60832c83ad9a15dc2232cc9b0b1703b33e34beebce6f9a5db94bfc784e5e215ea650e53be691b8a8b3ddad0179252f4c88f9fcf2fb096

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICRTool.exe
Filesize
2.0MB

MD5
d1c60d84122c0aa0d442b98014eb6b2e

SHA1
62af0be3eafeade02b09bf93c4d3bad60a59f97e

SHA256
23209ea52cb88f9c60e318034fe1f4e0c224eea46087ecfa7f2830e4c75fd8b5

SHA512
0e45da48919af15351c60832c83ad9a15dc2232cc9b0b1703b33e34beebce6f9a5db94bfc784e5e215ea650e53be691b8a8b3ddad0179252f4c88f9fcf2fb096

Download Submit
C:\Users\Admin\AppData\Roaming\Dir\adsl.exe
Filesize
72KB

MD5
b976048472489843ff64c6ac5b7fd970

SHA1
9736dd5cf496db8e0e200a90f761ee5d62e4af36

SHA256
2beeca2791c7eba3aab4707d5305abb7fa22139279b87122f7ef0911061f0bc5

SHA512
cf6478351867d12c81f34680b97900126266ad7292bafb4707a95a8d203ce62bb5634109bc7acd6809b3cda6ad020e667cb9911e0edef2f096f09e38818deb30

Download Submit
C:\Users\Admin\AppData\Roaming\Dir\adsl.exe
Filesize
72KB

MD5
b976048472489843ff64c6ac5b7fd970

SHA1
9736dd5cf496db8e0e200a90f761ee5d62e4af36

SHA256
2beeca2791c7eba3aab4707d5305abb7fa22139279b87122f7ef0911061f0bc5

SHA512
cf6478351867d12c81f34680b97900126266ad7292bafb4707a95a8d203ce62bb5634109bc7acd6809b3cda6ad020e667cb9911e0edef2f096f09e38818deb30

Download Submit
C:\runner.bat
Filesize
47B

MD5
c8452f596ec88e053c71798b94ee3b8f

SHA1
10afe72a49b8dbc57953c1568a89f2098019841d

SHA256
0e36388f7d4cb8b4dfaabc776f83c91f97de6a8597b7791189a2666f9caded27

SHA512
1376262be3ee1501ce78997affb7cda7f3800ba0d708851815d7c2f0207b1372ec9bdc4256d63943e8c66fd190b6ec956d97f1697591fc878bfef1ffba466c38

Download Submit
memory/1336-150-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1336-141-0x0000000000000000-mapping.dmp

Download
memory/1336-147-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2600-132-0x0000000000000000-mapping.dmp

Download
memory/4328-146-0x0000000000000000-mapping.dmp

Download
memory/4464-135-0x0000000000000000-mapping.dmp

Download
memory/4464-148-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4464-138-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads