f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d

General

Target

f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe
Size

4.2MB
MD5

4d7d8ac837650c855e1e8c7906947ef6
SHA1

a4dedd6894536f76bae99fa2c034a1be5015308c
SHA256

f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d
SHA512

9674eed9e4efd647a644bf2520dbf8f7ef0b434b558f58a141553c1b0a279fe614cf3a9e21df5b3b3b32cc82c34db78c3cf7c89c0fe31839140a5f8e30c67ab7
SSDEEP

98304:ful+CxSktOO7BOBsGstsuGRZsi0/mh/ZMFidqll5UoL27wnvvMo+A:mlLx5F6sGstiyilwod4UoLyws+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2276	uiso95pes.exe
2080	sof.exe
4496	uiso95pes.tmp

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	sof.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3768	2080	WerFault.exe	80

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2092	ipconfig.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2080	sof.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 2276	3340	f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe	79
PID 3340 wrote to memory of 2276	3340	f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe	79
PID 3340 wrote to memory of 2276	3340	f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe	79
PID 3340 wrote to memory of 2080	3340	f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe	80
PID 3340 wrote to memory of 2080	3340	f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe	80
PID 3340 wrote to memory of 2080	3340	f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe	80
PID 2276 wrote to memory of 4496	2276	uiso95pes.exe	81
PID 2276 wrote to memory of 4496	2276	uiso95pes.exe	81
PID 2276 wrote to memory of 4496	2276	uiso95pes.exe	81
PID 2080 wrote to memory of 2092	2080	sof.exe	82
PID 2080 wrote to memory of 2092	2080	sof.exe	82
PID 2080 wrote to memory of 2092	2080	sof.exe	82

C:\Users\Admin\AppData\Local\Temp\f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe
"C:\Users\Admin\AppData\Local\Temp\f5c2308a61ec4340c0c0acfa76d055219af805d511197a826531e6f7f0c0263d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Local\Temp\uiso95pes.exe
  "C:\Users\Admin\AppData\Local\Temp\uiso95pes.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\is-L8N29.tmp\uiso95pes.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-L8N29.tmp\uiso95pes.tmp" /SL5="$80046,3553095,123904,C:\Users\Admin\AppData\Local\Temp\uiso95pes.exe"
    3⤵
    - Executes dropped EXE
    PID:4496
- C:\Users\Admin\AppData\Local\Temp\sof.exe
  "C:\Users\Admin\AppData\Local\Temp\sof.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /release
    3⤵
    - Gathers network information
    PID:2092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1192
    3⤵
    - Program crash
    PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2080 -ip 2080
1⤵
PID:4808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-L8N29.tmp\uiso95pes.tmp

Filesize
755KB

MD5
2262d317a3ea3901675f5b5a8bc8d405

SHA1
a91298e5024f4df91e9c93dc0816634157318282

SHA256
43121ebd3bd259fd66e00a67c8c7dec7a3c2b6d2aa74b52e6a9ffbe96001ad88

SHA512
5a4591ac400965f1c34d3f3f967999f5927f322c2ceac79732f9229b1ad371b49a3a905f343a9374197421bb9895c47056d2b142eedf3f96122eec02c12c3136

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L8N29.tmp\uiso95pes.tmp

Filesize
755KB

MD5
2262d317a3ea3901675f5b5a8bc8d405

SHA1
a91298e5024f4df91e9c93dc0816634157318282

SHA256
43121ebd3bd259fd66e00a67c8c7dec7a3c2b6d2aa74b52e6a9ffbe96001ad88

SHA512
5a4591ac400965f1c34d3f3f967999f5927f322c2ceac79732f9229b1ad371b49a3a905f343a9374197421bb9895c47056d2b142eedf3f96122eec02c12c3136

Download Submit
C:\Users\Admin\AppData\Local\Temp\sof.exe

Filesize
524KB

MD5
813e75848f38ee4d4d564beeed0e720d

SHA1
14e8113567eb158690aa84d60c0eb24f6ea7304f

SHA256
93cfa338cba8a05fa74b32fa8688d4095d9c4d0356f0a29011ad871877638818

SHA512
f277b00a1827051339d059575b83339b96228fac0908536d6be30d6e9b1cb47a6574408bac49e70b91b00ad937c9a67102caa05809a055bca2249503d85a9c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sof.exe

Filesize
524KB

MD5
813e75848f38ee4d4d564beeed0e720d

SHA1
14e8113567eb158690aa84d60c0eb24f6ea7304f

SHA256
93cfa338cba8a05fa74b32fa8688d4095d9c4d0356f0a29011ad871877638818

SHA512
f277b00a1827051339d059575b83339b96228fac0908536d6be30d6e9b1cb47a6574408bac49e70b91b00ad937c9a67102caa05809a055bca2249503d85a9c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uiso95pes.exe

Filesize
3.8MB

MD5
272e3a615f6e850e8d3c7821fab908a1

SHA1
dce740201bdadbf97d7e07e6525f86d34b41cbf3

SHA256
6da1790e67538fb1528ac6dfe92556fe28c5cdd87f3a8e1112c50bba6e7da6b2

SHA512
216d4e3e1015ccf7665061b483b06eb83ef69b9b35d68cb396a5862f9d84da4f401b0bd2aff2b3c43b21de5e2a898f81cf02def68b5be254dd06c143d998a2c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uiso95pes.exe

Filesize
3.8MB

MD5
272e3a615f6e850e8d3c7821fab908a1

SHA1
dce740201bdadbf97d7e07e6525f86d34b41cbf3

SHA256
6da1790e67538fb1528ac6dfe92556fe28c5cdd87f3a8e1112c50bba6e7da6b2

SHA512
216d4e3e1015ccf7665061b483b06eb83ef69b9b35d68cb396a5862f9d84da4f401b0bd2aff2b3c43b21de5e2a898f81cf02def68b5be254dd06c143d998a2c5

Download Submit
memory/2276-139-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2276-145-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2276-147-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads