dadaef047aecefee26af6279a1d2e5f5d2b3de71c6a81024cc10f797250d95d5

General

Target

dadaef047aecefee26af6279a1d2e5f5d2b3de71c6a81024cc10f797250d95d5.exe
Size

330KB
MD5

0c2dc92fbfa0d7071145c664f2999c20
SHA1

83104011a28cd95c31616966d848afa1de76c13d
SHA256

dadaef047aecefee26af6279a1d2e5f5d2b3de71c6a81024cc10f797250d95d5
SHA512

481c285bfe30b81aac8fbf8a9538033dbb1ce61d4ee0f010cbdfa2d5b99b2b2b365ca071dbb894366dec87a341507a8b1fdfed7028a5bb61f14e58e0685f83a6
SSDEEP

6144:5R2zz4VTBnsjABRiIi60nWUrKZ1jOWQwn1NQfSSr719kyezarWrcjF:ChjABRPh0/mUw1NcprZ9kRayrcp

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4796	Rundll32.exe
3064	521DNF-GEÐÞ¸ÄÆ÷.EXE
3452	svchost.com

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	dadaef047aecefee26af6279a1d2e5f5d2b3de71c6a81024cc10f797250d95d5.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SetuperLy\svchost.com	Rundll32.exe
File created	C:\Windows\SysWOW64\SetuperLy\ScheTime.bat	Rundll32.exe
File created	C:\Windows\SysWOW64\SetuperLy\killallQQ.bat	Rundll32.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5084	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3452	svchost.com
3452	svchost.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3452	svchost.com

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3064	521DNF-GEÐÞ¸ÄÆ÷.EXE
3064	521DNF-GEÐÞ¸ÄÆ÷.EXE
3064	521DNF-GEÐÞ¸ÄÆ÷.EXE
3064	521DNF-GEÐÞ¸ÄÆ÷.EXE
3064	521DNF-GEÐÞ¸ÄÆ÷.EXE
3064	521DNF-GEÐÞ¸ÄÆ÷.EXE

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3064	521DNF-GEÐÞ¸ÄÆ÷.EXE
3064	521DNF-GEÐÞ¸ÄÆ÷.EXE
3064	521DNF-GEÐÞ¸ÄÆ÷.EXE
3064	521DNF-GEÐÞ¸ÄÆ÷.EXE
3064	521DNF-GEÐÞ¸ÄÆ÷.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4796	Rundll32.exe
3452	svchost.com
3452	svchost.com

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 4796	872	dadaef047aecefee26af6279a1d2e5f5d2b3de71c6a81024cc10f797250d95d5.exe	83
PID 872 wrote to memory of 4796	872	dadaef047aecefee26af6279a1d2e5f5d2b3de71c6a81024cc10f797250d95d5.exe	83
PID 872 wrote to memory of 4796	872	dadaef047aecefee26af6279a1d2e5f5d2b3de71c6a81024cc10f797250d95d5.exe	83
PID 872 wrote to memory of 3064	872	dadaef047aecefee26af6279a1d2e5f5d2b3de71c6a81024cc10f797250d95d5.exe	84
PID 872 wrote to memory of 3064	872	dadaef047aecefee26af6279a1d2e5f5d2b3de71c6a81024cc10f797250d95d5.exe	84
PID 872 wrote to memory of 3064	872	dadaef047aecefee26af6279a1d2e5f5d2b3de71c6a81024cc10f797250d95d5.exe	84
PID 4796 wrote to memory of 2272	4796	Rundll32.exe	85
PID 4796 wrote to memory of 2272	4796	Rundll32.exe	85
PID 4796 wrote to memory of 2272	4796	Rundll32.exe	85
PID 4796 wrote to memory of 3452	4796	Rundll32.exe	86
PID 4796 wrote to memory of 3452	4796	Rundll32.exe	86
PID 4796 wrote to memory of 3452	4796	Rundll32.exe	86
PID 2272 wrote to memory of 5084	2272	cmd.exe	88
PID 2272 wrote to memory of 5084	2272	cmd.exe	88
PID 2272 wrote to memory of 5084	2272	cmd.exe	88
PID 2272 wrote to memory of 2160	2272	cmd.exe	89
PID 2272 wrote to memory of 2160	2272	cmd.exe	89
PID 2272 wrote to memory of 2160	2272	cmd.exe	89
PID 2160 wrote to memory of 1316	2160	net.exe	90
PID 2160 wrote to memory of 1316	2160	net.exe	90
PID 2160 wrote to memory of 1316	2160	net.exe	90
PID 4796 wrote to memory of 2732	4796	Rundll32.exe	93
PID 4796 wrote to memory of 2732	4796	Rundll32.exe	93
PID 4796 wrote to memory of 2732	4796	Rundll32.exe	93

C:\Users\Admin\AppData\Local\Temp\dadaef047aecefee26af6279a1d2e5f5d2b3de71c6a81024cc10f797250d95d5.exe
"C:\Users\Admin\AppData\Local\Temp\dadaef047aecefee26af6279a1d2e5f5d2b3de71c6a81024cc10f797250d95d5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Local\Temp\Rundll32.exe
  "C:\Users\Admin\AppData\Local\Temp\Rundll32.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\SetuperLy\ScheTime.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\SysWOW64\sc.exe
      sc config Schedule start= AUTO
      4⤵
      Launches sc.exe
      PID:5084
  - - C:\Windows\SysWOW64\net.exe
      net start schedule
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start schedule
        5⤵
        
        PID:1316
- - C:\Windows\SysWOW64\SetuperLy\svchost.com
    C:\Windows\system32\SetuperLy\svchost.com
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\SetuperLy\killallQQ.bat
    3⤵
    PID:2732
- C:\Users\Admin\AppData\Local\Temp\521DNF-GEÐÞ¸ÄÆ÷.EXE
  "C:\Users\Admin\AppData\Local\Temp\521DNF-GEÐÞ¸ÄÆ÷.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\521DNF-GEÐÞ¸ÄÆ÷.EXE

Filesize
269KB

MD5
7bdd3e5f304e7b41a354531323f1ea24

SHA1
aacb63f11192659446eb10b31ff65b203959924c

SHA256
fdd7a35ce536aff0d8c438e75751d143fc67424b85ef6907127fd3b387a9bebb

SHA512
30f26b20097c0d78678d9603607da093a781770ad5d4e4ab76feed5f7f6a703e7e10a511afc0fcc9da6cae89a9ec23a38cc81c56b704f77a2d038c4ce54fb908

Download Submit
C:\Users\Admin\AppData\Local\Temp\521DNF-GEÐÞ¸ÄÆ÷.EXE

Filesize
269KB

MD5
7bdd3e5f304e7b41a354531323f1ea24

SHA1
aacb63f11192659446eb10b31ff65b203959924c

SHA256
fdd7a35ce536aff0d8c438e75751d143fc67424b85ef6907127fd3b387a9bebb

SHA512
30f26b20097c0d78678d9603607da093a781770ad5d4e4ab76feed5f7f6a703e7e10a511afc0fcc9da6cae89a9ec23a38cc81c56b704f77a2d038c4ce54fb908

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rundll32.exe

Filesize
29KB

MD5
4b5697f7086b34c3ee18397f31b3240c

SHA1
fc01121b317bb04a0077c82dbfd0598e6efb49ed

SHA256
c0fc800a4d5f06d393f2209626e9e8228e7a69ae93751c6e86989bb623f7e064

SHA512
db1b97e7e722437aa9b733ace64924a0652ed55dacdfed4286fa683bb3c9f6c6bb504d79cc3e7ff89d5347f5f3ab54c110211dab5a2e1cc3de7bbe6e7b79e22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rundll32.exe

Filesize
29KB

MD5
4b5697f7086b34c3ee18397f31b3240c

SHA1
fc01121b317bb04a0077c82dbfd0598e6efb49ed

SHA256
c0fc800a4d5f06d393f2209626e9e8228e7a69ae93751c6e86989bb623f7e064

SHA512
db1b97e7e722437aa9b733ace64924a0652ed55dacdfed4286fa683bb3c9f6c6bb504d79cc3e7ff89d5347f5f3ab54c110211dab5a2e1cc3de7bbe6e7b79e22c

Download Submit
C:\Windows\SysWOW64\SetuperLy\ScheTime.bat

Filesize
4KB

MD5
a170312d65cb7aea9f57e5eb50639518

SHA1
70afb413d170c3d764fd7d89bbeb97ad7c1e4ebb

SHA256
f38487898f74ccc279ff0650e93c970729e82dffdff75ff92f3a732291d1fbe9

SHA512
83dfcc36f4ce14db8b18e3c5a78032ff25a8026ebe38d2846268bc9e7115cd5404932853df83af38f943916695badbec5ee38dffaaddb72f965398e37e6686c7

Download Submit
C:\Windows\SysWOW64\SetuperLy\killallQQ.bat

Filesize
256B

MD5
13cb177d26af9976e872a8b5b010615e

SHA1
fcb5394d508630e3ccc22c5a45edb77e3dbeecb5

SHA256
f856375a4e4a1827c91207237e1438bf451e9a9f99c940406ef9d4f602b47324

SHA512
0997a42fe1301bed7d44c7cbf289ff07d0a7cd354335cec55c940d9e98bb79aa982f40088e097cfddbb118ad2efd1e5351ffc0dc4f370415ad4d591551623dab

Download Submit
C:\Windows\SysWOW64\SetuperLy\svchost.com

Filesize
20KB

MD5
d38b5219c928de444b5f92a3a0916c14

SHA1
e325e5619fbf8a8df5eabf6cd11ff2afde592cc7

SHA256
7a842999eb73af5f6248ef827d09755ede8f5b5f1890b77b162add81fd0a7259

SHA512
b3915dc6be2f3131ef6d5ed5c73a4ec82a612a56c169f0cecb3676dd3b7baeb63a48711255dfdea6e4979f96d34e66e11ad6a936ea97befdeea5693a1ab15f7e

Download Submit
C:\Windows\SysWOW64\SetuperLy\svchost.com

Filesize
20KB

MD5
d38b5219c928de444b5f92a3a0916c14

SHA1
e325e5619fbf8a8df5eabf6cd11ff2afde592cc7

SHA256
7a842999eb73af5f6248ef827d09755ede8f5b5f1890b77b162add81fd0a7259

SHA512
b3915dc6be2f3131ef6d5ed5c73a4ec82a612a56c169f0cecb3676dd3b7baeb63a48711255dfdea6e4979f96d34e66e11ad6a936ea97befdeea5693a1ab15f7e

Download Submit
memory/1316-151-0x0000000000000000-mapping.dmp

Download
memory/2160-150-0x0000000000000000-mapping.dmp

Download
memory/2272-141-0x0000000000000000-mapping.dmp

Download
memory/2732-152-0x0000000000000000-mapping.dmp

Download
memory/3064-135-0x0000000000000000-mapping.dmp

Download
memory/3452-142-0x0000000000000000-mapping.dmp

Download
memory/3452-147-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3452-155-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4796-132-0x0000000000000000-mapping.dmp

Download
memory/4796-140-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4796-154-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5084-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing