a17ec5e62cf5470c57644c416fda98054c652453df9a4c3024f532b32b7ef467

General

Target

a17ec5e62cf5470c57644c416fda98054c652453df9a4c3024f532b32b7ef467.exe
Size

648KB
MD5

cd443bced7b6bb622996d5094bc2efa5
SHA1

1abf435e863f5ed9c6410cf411bda86847302791
SHA256

a17ec5e62cf5470c57644c416fda98054c652453df9a4c3024f532b32b7ef467
SHA512

7978825ab7b4a106986379b38498b184bc6da81200a743072b36ea5a98d365133cf307d75ee981c3f332d465eda5126d2235f6dc7d7f4538e4cc4f8697ad42d7
SSDEEP

12288:MtLb0Rb/Eba3gNSV2TgoV4G+RG9arpUxhElrcaSt2aKO5XiYHxU:0Lb0RbqSr72aryxScNtAO5yYH2

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5072	keygen.exe
872	hhh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c00000002171d-133.dat	upx
behavioral2/files/0x000c00000002171d-134.dat	upx
behavioral2/memory/5072-139-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral2/memory/5072-142-0x0000000000400000-0x000000000044E000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	a17ec5e62cf5470c57644c416fda98054c652453df9a4c3024f532b32b7ef467.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	hhh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4324	872	WerFault.exe	80

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2044	ipconfig.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
872	hhh.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 5072	4852	a17ec5e62cf5470c57644c416fda98054c652453df9a4c3024f532b32b7ef467.exe	79
PID 4852 wrote to memory of 5072	4852	a17ec5e62cf5470c57644c416fda98054c652453df9a4c3024f532b32b7ef467.exe	79
PID 4852 wrote to memory of 5072	4852	a17ec5e62cf5470c57644c416fda98054c652453df9a4c3024f532b32b7ef467.exe	79
PID 4852 wrote to memory of 872	4852	a17ec5e62cf5470c57644c416fda98054c652453df9a4c3024f532b32b7ef467.exe	80
PID 4852 wrote to memory of 872	4852	a17ec5e62cf5470c57644c416fda98054c652453df9a4c3024f532b32b7ef467.exe	80
PID 4852 wrote to memory of 872	4852	a17ec5e62cf5470c57644c416fda98054c652453df9a4c3024f532b32b7ef467.exe	80
PID 872 wrote to memory of 2044	872	hhh.exe	82
PID 872 wrote to memory of 2044	872	hhh.exe	82
PID 872 wrote to memory of 2044	872	hhh.exe	82

C:\Users\Admin\AppData\Local\Temp\a17ec5e62cf5470c57644c416fda98054c652453df9a4c3024f532b32b7ef467.exe
"C:\Users\Admin\AppData\Local\Temp\a17ec5e62cf5470c57644c416fda98054c652453df9a4c3024f532b32b7ef467.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\Temp\keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Users\Admin\AppData\Local\Temp\hhh.exe
  "C:\Users\Admin\AppData\Local\Temp\hhh.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /release
    3⤵
    - Gathers network information
    PID:2044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 1128
    3⤵
    - Program crash
    PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 872 -ip 872
1⤵
PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hhh.exe

Filesize
520KB

MD5
4106a756fd5c3b0e731e39765f3a89ca

SHA1
63d829e5186071111395f18e4c5e7e23a2e7e13e

SHA256
a42a912a4de5b0a4c0f95b945e9607a8315934cda0b75fcc16acb9ce800336c8

SHA512
4308ead0097344e3877fb0bca427167df113e9bacd63cd67f59a6b099bdd474f882ef7413972888a51eb07419a6d22a8be3562645ddecd8dfbe2792120d70fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhh.exe

Filesize
520KB

MD5
4106a756fd5c3b0e731e39765f3a89ca

SHA1
63d829e5186071111395f18e4c5e7e23a2e7e13e

SHA256
a42a912a4de5b0a4c0f95b945e9607a8315934cda0b75fcc16acb9ce800336c8

SHA512
4308ead0097344e3877fb0bca427167df113e9bacd63cd67f59a6b099bdd474f882ef7413972888a51eb07419a6d22a8be3562645ddecd8dfbe2792120d70fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
178KB

MD5
df04ccd45bfe2bdf0bcbb163ec5bc9d1

SHA1
012e3606e1275a52b14e9f89c02d8d1a9831eb1d

SHA256
7b36538323cec0b6512d2548ba3d164a3d80e47a67156344949ae33b4f68921f

SHA512
3f7323f4391a805ef4768beb47ee33c1d6a751351adbbf1b6c4d7b006bf48dca8ac7d7c87fb09eb7eb29b4d4251648bbd78ad84733001c357c9a87d831d0ae67

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
178KB

MD5
df04ccd45bfe2bdf0bcbb163ec5bc9d1

SHA1
012e3606e1275a52b14e9f89c02d8d1a9831eb1d

SHA256
7b36538323cec0b6512d2548ba3d164a3d80e47a67156344949ae33b4f68921f

SHA512
3f7323f4391a805ef4768beb47ee33c1d6a751351adbbf1b6c4d7b006bf48dca8ac7d7c87fb09eb7eb29b4d4251648bbd78ad84733001c357c9a87d831d0ae67

Download Submit
memory/5072-139-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5072-142-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads