f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0

General

Target

f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe
Size

645KB
MD5

eddb82bbad579385c225abd94591b56f
SHA1

27a588a4770aa301546157a3afcd3abe8f8a5c61
SHA256

f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0
SHA512

ca23e237d3b9fb2ebe82b4451a254db8d89383eee3e30f348f96860ad0dea8a3c1d64bcd7ad7bc573c974b24c884dfbe33e541ac5c73ec677e69dbc6c4589a5b
SSDEEP

1536:3v+gWn0/aKcTnbrGUfiZN5CfIUQ6rvOgOZlk9I/+kcg3Fteso7oJ9uuaxsp9OiSG:TWuaKcTOMIcvgfRwkjMFNTS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1408	usersint.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7880F99D-BC3G-14DF-89AS-1190DR808E85}	f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7880F99D-BC3G-14DF-89AS-1190DR808E85}\StubPath = "C:\\Windows\\system32\\usersint.exe"	f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe

Loads dropped DLL 2 IoCs

pid	Process
1408	usersint.exe
1408	usersint.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\usersint.exe	f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe
File opened for modification	C:\Windows\SysWOW64\usersint.exe	f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1408 set thread context of 4156	1408	usersint.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4884	4156	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1408	usersint.exe
1408	usersint.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4156	userinit.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 1408	1144	f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe	79
PID 1144 wrote to memory of 1408	1144	f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe	79
PID 1144 wrote to memory of 1408	1144	f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe	79
PID 1408 wrote to memory of 4156	1408	usersint.exe	80
PID 1408 wrote to memory of 4156	1408	usersint.exe	80
PID 1408 wrote to memory of 4156	1408	usersint.exe	80
PID 1408 wrote to memory of 4156	1408	usersint.exe	80
PID 1408 wrote to memory of 4156	1408	usersint.exe	80
PID 1408 wrote to memory of 4156	1408	usersint.exe	80
PID 1408 wrote to memory of 4156	1408	usersint.exe	80
PID 1408 wrote to memory of 4156	1408	usersint.exe	80
PID 1408 wrote to memory of 4156	1408	usersint.exe	80
PID 1408 wrote to memory of 4156	1408	usersint.exe	80
PID 1408 wrote to memory of 4156	1408	usersint.exe	80
PID 1408 wrote to memory of 4156	1408	usersint.exe	80
PID 1408 wrote to memory of 4156	1408	usersint.exe	80
PID 1408 wrote to memory of 4156	1408	usersint.exe	80
PID 1408 wrote to memory of 4156	1408	usersint.exe	80

C:\Users\Admin\AppData\Local\Temp\f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe
"C:\Users\Admin\AppData\Local\Temp\f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0.exe"
1⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\usersint.exe
  "C:\Windows\system32\usersint.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SysWOW64\userinit.exe
    "C:\Windows\system32\userinit.exe"
    3⤵
    - Suspicious use of UnmapMainImage
    PID:4156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 12
      4⤵
      Program crash
      PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4156 -ip 4156
1⤵
PID:3824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\usersint.exe

Filesize
645KB

MD5
eddb82bbad579385c225abd94591b56f

SHA1
27a588a4770aa301546157a3afcd3abe8f8a5c61

SHA256
f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0

SHA512
ca23e237d3b9fb2ebe82b4451a254db8d89383eee3e30f348f96860ad0dea8a3c1d64bcd7ad7bc573c974b24c884dfbe33e541ac5c73ec677e69dbc6c4589a5b

Download Submit
C:\Windows\SysWOW64\usersint.exe

Filesize
645KB

MD5
eddb82bbad579385c225abd94591b56f

SHA1
27a588a4770aa301546157a3afcd3abe8f8a5c61

SHA256
f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0

SHA512
ca23e237d3b9fb2ebe82b4451a254db8d89383eee3e30f348f96860ad0dea8a3c1d64bcd7ad7bc573c974b24c884dfbe33e541ac5c73ec677e69dbc6c4589a5b

Download Submit
C:\Windows\SysWOW64\usersint.exe

Filesize
645KB

MD5
eddb82bbad579385c225abd94591b56f

SHA1
27a588a4770aa301546157a3afcd3abe8f8a5c61

SHA256
f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0

SHA512
ca23e237d3b9fb2ebe82b4451a254db8d89383eee3e30f348f96860ad0dea8a3c1d64bcd7ad7bc573c974b24c884dfbe33e541ac5c73ec677e69dbc6c4589a5b

Download Submit
C:\Windows\SysWOW64\usersint.exe

Filesize
645KB

MD5
eddb82bbad579385c225abd94591b56f

SHA1
27a588a4770aa301546157a3afcd3abe8f8a5c61

SHA256
f2ab7b7a117fbd1776a302ff278ca011fcc2307d85108945b21a08d4984ffdd0

SHA512
ca23e237d3b9fb2ebe82b4451a254db8d89383eee3e30f348f96860ad0dea8a3c1d64bcd7ad7bc573c974b24c884dfbe33e541ac5c73ec677e69dbc6c4589a5b

Download Submit
memory/1144-138-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1144-132-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1408-140-0x00000000005D0000-0x00000000005F1000-memory.dmp

Filesize
132KB

Download
memory/1408-139-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1408-141-0x00000000005D0000-0x00000000005F1000-memory.dmp

Filesize
132KB

Download
memory/1408-154-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4156-143-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4156-144-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4156-146-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4156-148-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4156-149-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4156-150-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4156-151-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing