91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0

General

Target

91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe
Size

367KB
MD5

73cd715094f2de0ef393e0fcb900434a
SHA1

c154b55a5e5ecab16f7b823552861d4d2c5268da
SHA256

91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0
SHA512

7114230f658bf8a633842800299cc45af6ee5a0ea94cd3c9a8100b88cb4ba6780aa5706b19a28209c3e2c79f42542d1e6f2434a745993f9f9d24600031507e7e
SSDEEP

6144:J1dlZro5yiOXUf80T2RwpF4qxTp5TRV2X4NpiVuesYUCpll:J1dlZo5yDAiwp/TptRoX47iwesYll

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3848	144.exe
1136	server.exe
376	server.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	144.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	144.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Extracted\fõBŸ*á•¸5Áå¬áPµäü¤Á©ÑŽœ7az$°é¯‚2î¿.Up<®$ÆÖ7 ´._aQ}œ¼:¿™±€àl„0Ìàÿ	91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1136	server.exe
1136	server.exe
1136	server.exe
1136	server.exe
376	server.exe
376	server.exe
376	server.exe
376	server.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 3848	5076	91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe	82
PID 5076 wrote to memory of 3848	5076	91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe	82
PID 5076 wrote to memory of 3848	5076	91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe	82
PID 3848 wrote to memory of 1136	3848	144.exe	83
PID 3848 wrote to memory of 1136	3848	144.exe	83
PID 3848 wrote to memory of 1136	3848	144.exe	83
PID 1136 wrote to memory of 784	1136	server.exe	35
PID 1136 wrote to memory of 784	1136	server.exe	35
PID 1136 wrote to memory of 784	1136	server.exe	35
PID 1136 wrote to memory of 784	1136	server.exe	35
PID 3848 wrote to memory of 376	3848	144.exe	85
PID 3848 wrote to memory of 376	3848	144.exe	85
PID 3848 wrote to memory of 376	3848	144.exe	85
PID 376 wrote to memory of 784	376	server.exe	35
PID 376 wrote to memory of 784	376	server.exe	35
PID 376 wrote to memory of 784	376	server.exe	35
PID 376 wrote to memory of 784	376	server.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:784
- C:\Users\Admin\AppData\Local\Temp\91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe
  "C:\Users\Admin\AppData\Local\Temp\91efea42fecceb536239ffd59dc9c0ab873ee744ce2b64ee0e7ea31bc9564cc0.exe"
  2⤵
  - Checks computer location settings
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Extracted\144.exe
    "C:\Extracted\144.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3848
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\144.exe

Filesize
260KB

MD5
4e584da0797d689f6c4a6c6d683618ae

SHA1
371e4cb7065883d5a3d52fbc97bdb38639207177

SHA256
ac2e48d514efc085960a28422fcfb17599b8d4cb9c5f6b15a90ca3faf6fd1da3

SHA512
9b393d1579736c4bcb1673affae86d5cd526ac9c972d13d102cd9fe859f23d23e8a9835201e7a7f4d4b70826db1d33e1c746fb71c36bd5e286cd385cbc39c816

Download Submit
C:\Extracted\144.exe

Filesize
260KB

MD5
4e584da0797d689f6c4a6c6d683618ae

SHA1
371e4cb7065883d5a3d52fbc97bdb38639207177

SHA256
ac2e48d514efc085960a28422fcfb17599b8d4cb9c5f6b15a90ca3faf6fd1da3

SHA512
9b393d1579736c4bcb1673affae86d5cd526ac9c972d13d102cd9fe859f23d23e8a9835201e7a7f4d4b70826db1d33e1c746fb71c36bd5e286cd385cbc39c816

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
54KB

MD5
5f940a94edf0727a59f16cc502b9d06b

SHA1
120446a9aa80d6603ed1ced908b81b7669ad8256

SHA256
59cdbdba69bb680b54156f35d26514305fe75886a03054a25bca3af138f12ef6

SHA512
f048cfb986723a354cf2715c5f201e47519bcf36fe96616ace56745b6957067c2aeba3fbc2c6a0f98d951072e9b88b16e73d665c4f63ae4cdd8fbaedf8a03271

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
54KB

MD5
5f940a94edf0727a59f16cc502b9d06b

SHA1
120446a9aa80d6603ed1ced908b81b7669ad8256

SHA256
59cdbdba69bb680b54156f35d26514305fe75886a03054a25bca3af138f12ef6

SHA512
f048cfb986723a354cf2715c5f201e47519bcf36fe96616ace56745b6957067c2aeba3fbc2c6a0f98d951072e9b88b16e73d665c4f63ae4cdd8fbaedf8a03271

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
54KB

MD5
5f940a94edf0727a59f16cc502b9d06b

SHA1
120446a9aa80d6603ed1ced908b81b7669ad8256

SHA256
59cdbdba69bb680b54156f35d26514305fe75886a03054a25bca3af138f12ef6

SHA512
f048cfb986723a354cf2715c5f201e47519bcf36fe96616ace56745b6957067c2aeba3fbc2c6a0f98d951072e9b88b16e73d665c4f63ae4cdd8fbaedf8a03271

Download Submit
memory/376-153-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/376-152-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/376-150-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/784-145-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1136-146-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1136-142-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1136-147-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/3848-143-0x0000000001000000-0x000000000107C000-memory.dmp

Filesize
496KB

Download
memory/3848-144-0x00000000009F0000-0x0000000000A29000-memory.dmp

Filesize
228KB

Download
memory/3848-138-0x00000000009F0000-0x0000000000A29000-memory.dmp

Filesize
228KB

Download
memory/3848-137-0x0000000000520000-0x0000000000524000-memory.dmp

Filesize
16KB

Download
memory/3848-136-0x0000000001000000-0x000000000107C000-memory.dmp

Filesize
496KB

Download
memory/3848-135-0x0000000001000000-0x000000000107C000-memory.dmp

Filesize
496KB

Download
memory/3848-154-0x0000000001000000-0x000000000107C000-memory.dmp

Filesize
496KB

Download
memory/3848-155-0x00000000009F0000-0x0000000000A29000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing