0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a

General

Target

0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe
Size

1.1MB
MD5

53aca4da80bf2521c5f3a26574f177ba
SHA1

4f3bb2b512eeaf98799dcf459672ffc0af320c2d
SHA256

0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a
SHA512

6f81474df3956c399a5470423f5af3eed05121bf8679faf34635b7b6468925024bd9c99ca98b36f6c2402792e872a98afd8adf1f3d6f34a3de06db4eb5cf2422
SSDEEP

24576:QxgMEQ9wZsvXDj+nknKSOTVRVZVEMDbCIJXHAkZaEeMn22kND:QAGvTqnI3OTVRPZCcXjZ+u22kx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	wscript.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe

pid	process
4828	0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe
4828	0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe
4828	0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe
4828	0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe
4828	0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe
4828	0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe

description	pid	process
Token: SeDebugPrivilege	4828	0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe
Token: 33	4828	0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe
Token: SeIncBasePriorityPrivilege	4828	0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.execmd.exe

description	pid	process	target process
PID 4828 wrote to memory of 1780	4828	0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe	cmd.exe
PID 4828 wrote to memory of 1780	4828	0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe	cmd.exe
PID 4828 wrote to memory of 1780	4828	0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe	cmd.exe
PID 1780 wrote to memory of 1356	1780	cmd.exe	wscript.exe
PID 1780 wrote to memory of 1356	1780	cmd.exe	wscript.exe
PID 1780 wrote to memory of 1356	1780	cmd.exe	wscript.exe
PID 4828 wrote to memory of 3008	4828	0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe	svhost.exe
PID 4828 wrote to memory of 3008	4828	0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe	svhost.exe
PID 4828 wrote to memory of 3008	4828	0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe
"C:\Users\Admin\AppData\Local\Temp\0fbeb844654606eed61148438cc493e325db2de39bbe3c45bb9453182ee51a0a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
3⤵
- Checks computer location settings
PID:1356

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
2⤵
PID:3008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
Filesize
76B

MD5
5e57f6f4e3242ad9719ed5e65346e83e

SHA1
72346d0208c5edeb69f41ddb4374d56d87221dad

SHA256
4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c

SHA512
7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat
Filesize
288B

MD5
4a4f147418dd55a3c5ad7f79a7ce828d

SHA1
1d48f12cd714d430e7ae251bb03e790b04f72deb

SHA256
b6461dd8fb99f05cd1203b3af14988e543135e26805cfdc18ccf54e4a8e95226

SHA512
4cb8e61a797a9fc99821e893b8f9db36765388646a990be00126aaa4968b37c575632d1fd5d5b2dd1f2a006ab0939500f8de2b7e3d30a42ddb9f74a2f44cc064

Download Submit
memory/1356-135-0x0000000000000000-mapping.dmp

Download
memory/1780-133-0x0000000000000000-mapping.dmp

Download
memory/3008-136-0x0000000000000000-mapping.dmp

Download
memory/4828-132-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4828-139-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4828-140-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads