250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3

General

Target

250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe
Size

646KB
MD5

4f75a4f0e4223d49c9c1f83eda657087
SHA1

70f5045c407146676e55c2311f75adc52851b85b
SHA256

250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3
SHA512

87b92943e01ac3c3305ddc57d22984401b86577fd081d82d2fb1b102cb8ceb8bc1d2a267934d5c300db7a78fe1c8402844a8321cee0cfc9b727317caa6547f74
SSDEEP

12288:b1dlZo5y8E3k12MgGiFELWGgkeMzlELnqRs+gN/61XhhOzkoDQQyazsB3t:b1dlZo51HcKLvcMzlYTBS1Xhhkki6v

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2284	Hackweball.exe
212	server.exe
3096	WerFault.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4080	212	WerFault.exe	86
3896	3096	WerFault.exe	91

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2284	Hackweball.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2284	1172	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe	84
PID 1172 wrote to memory of 2284	1172	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe	84
PID 1172 wrote to memory of 2284	1172	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe	84
PID 1172 wrote to memory of 212	1172	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe	86
PID 1172 wrote to memory of 212	1172	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe	86
PID 1172 wrote to memory of 212	1172	250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe	86
PID 212 wrote to memory of 3096	212	server.exe	91
PID 212 wrote to memory of 3096	212	server.exe	91
PID 212 wrote to memory of 3096	212	server.exe	91

C:\Users\Admin\AppData\Local\Temp\250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe
"C:\Users\Admin\AppData\Local\Temp\250c115026418da43315dbed4400eef962ce0bac146cdae45bfb76b2fc8655e3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Extracted\Hackweball.exe
  "C:\Extracted\Hackweball.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2284
- C:\Extracted\server.exe
  "C:\Extracted\server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:212
- - \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2010.08.28T11.10\Native\STUBEXE\8.0.1112\@SYSTEM@\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 268
    3⤵
    - Executes dropped EXE
    PID:3096
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 244
      4⤵
      Program crash
      PID:3896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 268
    3⤵
    - Program crash
    PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 212 -ip 212
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3096 -ip 3096
1⤵
PID:4788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\Hackweball.exe

Filesize
224KB

MD5
c9741e5cf9c1e529f9777de1701f8375

SHA1
cd0e97823bb155f1724b134a929306be4ec536bf

SHA256
f72c799c6f71e09fb23a5a8d208537f03e86aca525a7455b6a508c65ac5004ae

SHA512
b5437fe7326f487c4a4f48f55a64b4758bc0a0fdc62bbc7336976ff328ad9222e2b32699f4f6121f4e87ed4afc2a26c86fe5b989f4791c7408ebc6b7d2b06f40

Download Submit
C:\Extracted\Hackweball.exe

Filesize
224KB

MD5
c9741e5cf9c1e529f9777de1701f8375

SHA1
cd0e97823bb155f1724b134a929306be4ec536bf

SHA256
f72c799c6f71e09fb23a5a8d208537f03e86aca525a7455b6a508c65ac5004ae

SHA512
b5437fe7326f487c4a4f48f55a64b4758bc0a0fdc62bbc7336976ff328ad9222e2b32699f4f6121f4e87ed4afc2a26c86fe5b989f4791c7408ebc6b7d2b06f40

Download Submit
C:\Extracted\server.exe

Filesize
394KB

MD5
4564a9fcbd275eebde0ec8bcddf39561

SHA1
e61782d6214dfc59717db6229cdbc2f6b7a5c67b

SHA256
5a1d3b16641fbd535645e3e9713e125844d030d47ce621b87b4dcfe9329b123f

SHA512
d96e074444bc9ca412c30d2c33842540b24f1cdaa257c6fc057e4e464233d5dd7fc541c4feb4a8a8dc3b3ad0aded25f5ebf091738e2ff02ab04026cc3687899c

Download Submit
C:\Extracted\server.exe

Filesize
394KB

MD5
4564a9fcbd275eebde0ec8bcddf39561

SHA1
e61782d6214dfc59717db6229cdbc2f6b7a5c67b

SHA256
5a1d3b16641fbd535645e3e9713e125844d030d47ce621b87b4dcfe9329b123f

SHA512
d96e074444bc9ca412c30d2c33842540b24f1cdaa257c6fc057e4e464233d5dd7fc541c4feb4a8a8dc3b3ad0aded25f5ebf091738e2ff02ab04026cc3687899c

Download Submit
C:\Users\Admin\AppData\Local\Xenocode\Sandbox\1.0.0.0\2010.08.28T11.10\Native\STUBEXE\8.0.1112\@SYSTEM@\WerFault.exe

Filesize
17KB

MD5
c37751e63d0f180084c8a5f2dfff5452

SHA1
83e02a73a5f34e7eec96b1230add056e6da9f875

SHA256
0e3e35d13da331685cd361c228c299a91b1c82171fdc57c5ccdcf62474ded88d

SHA512
de93c5c3b90d7d4bf77755ba581e6e0a70376a5ff07a2ead83c977bdeeb7912f92d191b993d5faac4e9dbd0c1f58a2f915ffd72dcd6b3c4eeaaee5b1cd16fa21

Download Submit
memory/212-140-0x00000000006B0000-0x0000000000722000-memory.dmp

Filesize
456KB

Download
memory/212-144-0x00000000006B0000-0x0000000000722000-memory.dmp

Filesize
456KB

Download
memory/3096-143-0x0000000000680000-0x00000000006F2000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing