b4fa78e39b79f3391c2db675066676f8fd79525eabd412a5d382b99de31d7603

General

Target

b4fa78e39b79f3391c2db675066676f8fd79525eabd412a5d382b99de31d7603.exe
Size

1.7MB
MD5

127620f44eca43b9f9265b7fd3edf9f2
SHA1

d59560df3f4b25e02740f7ac947c1e5fd7b5b06b
SHA256

b4fa78e39b79f3391c2db675066676f8fd79525eabd412a5d382b99de31d7603
SHA512

fa40da9966bff040483290a460455cbf697198cba3cb56db97d3f61149d10aa00f20c5e9e1d2e25dd2749f31f380a057250756811ef66f26a85027ae60695660
SSDEEP

49152:HE5YpCQJIFa3LtQ0SSvliWMZ6VrzjWiGntyBZTMudY60:k6pDIY5ditZiOiO0BZTMv

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3940	XWJ.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	b4fa78e39b79f3391c2db675066676f8fd79525eabd412a5d382b99de31d7603.exe

Loads dropped DLL 2 IoCs

pid	Process
3940	XWJ.exe
3940	XWJ.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	XWJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XWJ Start = "C:\\Windows\\SysWOW64\\KFNFIV\\XWJ.exe"	XWJ.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\KFNFIV\XWJ.exe	b4fa78e39b79f3391c2db675066676f8fd79525eabd412a5d382b99de31d7603.exe
File created	C:\Windows\SysWOW64\KFNFIV\XWJ.00	b4fa78e39b79f3391c2db675066676f8fd79525eabd412a5d382b99de31d7603.exe
File created	C:\Windows\SysWOW64\KFNFIV\XWJ.01	b4fa78e39b79f3391c2db675066676f8fd79525eabd412a5d382b99de31d7603.exe
File created	C:\Windows\SysWOW64\KFNFIV\XWJ.02	b4fa78e39b79f3391c2db675066676f8fd79525eabd412a5d382b99de31d7603.exe
File opened for modification	C:\Windows\SysWOW64\KFNFIV\	XWJ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3940	XWJ.exe
3940	XWJ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3940	XWJ.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3940	XWJ.exe
3940	XWJ.exe
3940	XWJ.exe
3940	XWJ.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 3940	4568	b4fa78e39b79f3391c2db675066676f8fd79525eabd412a5d382b99de31d7603.exe	80
PID 4568 wrote to memory of 3940	4568	b4fa78e39b79f3391c2db675066676f8fd79525eabd412a5d382b99de31d7603.exe	80
PID 4568 wrote to memory of 3940	4568	b4fa78e39b79f3391c2db675066676f8fd79525eabd412a5d382b99de31d7603.exe	80

C:\Users\Admin\AppData\Local\Temp\b4fa78e39b79f3391c2db675066676f8fd79525eabd412a5d382b99de31d7603.exe
"C:\Users\Admin\AppData\Local\Temp\b4fa78e39b79f3391c2db675066676f8fd79525eabd412a5d382b99de31d7603.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\SysWOW64\KFNFIV\XWJ.exe
  "C:\Windows\system32\KFNFIV\XWJ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KFNFIV\XWJ.00

Filesize
2KB

MD5
e284ba0dc340e749eeec9d0dae46d35c

SHA1
4395a871d444287b023126748ad43bf6d94b32df

SHA256
c89257f5d4bba462d254f724d0a51a2dc17043426cdfeadf8e14e5fc7f5a1652

SHA512
46ff7154b631f5c49a098db96f51c0a9c34928b5e09e0e05523bdf6da7f2ae4b9f925b875f82c90dbc223ee42936b98b4ac3fd93a25ac67e378d8f486a066473

Download Submit
C:\Windows\SysWOW64\KFNFIV\XWJ.01

Filesize
78KB

MD5
8942289fe2d65d66fb8bbbd8f5f1bd5b

SHA1
4ed44ef8ae253d99353c3d22abf8da9a2e708580

SHA256
7ce1a145642edf185fbabb5852f779a4968a21eeaebdbac11ab714561a259ff1

SHA512
7e535f5b29409bf2a4a91409dd6695c81eaa60444f50ec95717850dae3867ebd4733152f5c2a17c95ac73254e1b0d819f02a3038abc22bbe5fde35b92c8d56eb

Download Submit
C:\Windows\SysWOW64\KFNFIV\XWJ.01

Filesize
78KB

MD5
8942289fe2d65d66fb8bbbd8f5f1bd5b

SHA1
4ed44ef8ae253d99353c3d22abf8da9a2e708580

SHA256
7ce1a145642edf185fbabb5852f779a4968a21eeaebdbac11ab714561a259ff1

SHA512
7e535f5b29409bf2a4a91409dd6695c81eaa60444f50ec95717850dae3867ebd4733152f5c2a17c95ac73254e1b0d819f02a3038abc22bbe5fde35b92c8d56eb

Download Submit
C:\Windows\SysWOW64\KFNFIV\XWJ.01

Filesize
78KB

MD5
8942289fe2d65d66fb8bbbd8f5f1bd5b

SHA1
4ed44ef8ae253d99353c3d22abf8da9a2e708580

SHA256
7ce1a145642edf185fbabb5852f779a4968a21eeaebdbac11ab714561a259ff1

SHA512
7e535f5b29409bf2a4a91409dd6695c81eaa60444f50ec95717850dae3867ebd4733152f5c2a17c95ac73254e1b0d819f02a3038abc22bbe5fde35b92c8d56eb

Download Submit
C:\Windows\SysWOW64\KFNFIV\XWJ.exe

Filesize
2.1MB

MD5
3710bdb7e3ba37a6773e2f9920bb0d94

SHA1
7a7af1fb0e4f664da2a2fa4fa797799427bdee9c

SHA256
4cad85ce83720349fa63db46c3d741cd0c250e8c57e32fdd0c31c48e241f4c4f

SHA512
a2d7b73688a3aa0e60748c6280407b4365a845d2c7f1935a737e6d8bfe3346b5d396db46a20a3c86c06f36fbb76c3b967145e24a4e5ca24ef06b60104bc32237

Download Submit
C:\Windows\SysWOW64\KFNFIV\XWJ.exe

Filesize
2.1MB

MD5
3710bdb7e3ba37a6773e2f9920bb0d94

SHA1
7a7af1fb0e4f664da2a2fa4fa797799427bdee9c

SHA256
4cad85ce83720349fa63db46c3d741cd0c250e8c57e32fdd0c31c48e241f4c4f

SHA512
a2d7b73688a3aa0e60748c6280407b4365a845d2c7f1935a737e6d8bfe3346b5d396db46a20a3c86c06f36fbb76c3b967145e24a4e5ca24ef06b60104bc32237

Download Submit
memory/3940-141-0x00000000025C0000-0x00000000025D8000-memory.dmp

Filesize
96KB

Download
memory/3940-133-0x0000000000000000-mapping.dmp

Download
memory/3940-142-0x00000000025C1000-0x00000000025CF000-memory.dmp

Filesize
56KB

Download
memory/3940-143-0x0000000000400000-0x000000000064C000-memory.dmp

Filesize
2.3MB

Download
memory/3940-144-0x00000000025C0000-0x00000000025D8000-memory.dmp

Filesize
96KB

Download
memory/4568-136-0x0000000000910000-0x0000000000AC8000-memory.dmp

Filesize
1.7MB

Download
memory/4568-132-0x0000000000910000-0x0000000000AC8000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing