8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d

General

Target

8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe
Size

168KB
MD5

8e4be2eb83b42225b500ca568d023e9a
SHA1

8ea1f7cd198e9d6c6567444fffd1f0af0f1753f3
SHA256

8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d
SHA512

c809d76695b8aad93e6785af453d13ae8ad6f19af175efd134685538c41cab069c8b92ee1b3a210fe31efea067639e68f1a925527cdbd4fedfdb1069eb33c2b3
SSDEEP

3072:5v9cbTFhDHGrwpfwtTsZVQ3zY54tyeh8ZtkEqXJzRzaLrt:5Fcbhhb3p8TAQ3zY54tpqZtkEqZc

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2404 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

pid	process
2404	sc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe

pid	process
3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe
3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe
3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe
3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe
3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe
3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe
3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe
3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exenet.exenet.execmd.execmd.exenet.exe

description	pid	process	target process
PID 3500 wrote to memory of 4260	3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	net.exe
PID 3500 wrote to memory of 4260	3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	net.exe
PID 3500 wrote to memory of 4260	3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	net.exe
PID 4260 wrote to memory of 4928	4260	net.exe	net1.exe
PID 4260 wrote to memory of 4928	4260	net.exe	net1.exe
PID 4260 wrote to memory of 4928	4260	net.exe	net1.exe
PID 3500 wrote to memory of 316	3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	net.exe
PID 3500 wrote to memory of 316	3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	net.exe
PID 3500 wrote to memory of 316	3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	net.exe
PID 316 wrote to memory of 976	316	net.exe	net1.exe
PID 316 wrote to memory of 976	316	net.exe	net1.exe
PID 316 wrote to memory of 976	316	net.exe	net1.exe
PID 3500 wrote to memory of 3476	3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 3500 wrote to memory of 3476	3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 3500 wrote to memory of 3476	3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 3500 wrote to memory of 2180	3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 3500 wrote to memory of 2180	3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 3500 wrote to memory of 2180	3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 3476 wrote to memory of 404	3476	cmd.exe	net.exe
PID 3476 wrote to memory of 404	3476	cmd.exe	net.exe
PID 3476 wrote to memory of 404	3476	cmd.exe	net.exe
PID 2180 wrote to memory of 2404	2180	cmd.exe	sc.exe
PID 2180 wrote to memory of 2404	2180	cmd.exe	sc.exe
PID 2180 wrote to memory of 2404	2180	cmd.exe	sc.exe
PID 404 wrote to memory of 4728	404	net.exe	net1.exe
PID 404 wrote to memory of 4728	404	net.exe	net1.exe
PID 404 wrote to memory of 4728	404	net.exe	net1.exe
PID 3500 wrote to memory of 2744	3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 3500 wrote to memory of 2744	3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe
PID 3500 wrote to memory of 2744	3500	8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe
"C:\Users\Admin\AppData\Local\Temp\8235712093c3d4d8e6ace925ce65654bb6d68673cfcfb8f3808f40b67bbdf65d.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\SysWOW64\net.exe
net group /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group /domain
3⤵
PID:4928

C:\Windows\SysWOW64\net.exe
net group /domain
2⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group /domain
3⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C net.exe stop foundation
2⤵
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\SysWOW64\net.exe
net.exe stop foundation
3⤵
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop foundation
4⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc delete foundation
2⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\sc.exe
sc delete foundation
3⤵
- Launches sc.exe
PID:2404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\823571~1.EXE >> NUL
2⤵
PID:2744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-135-0x0000000000000000-mapping.dmp

Download
memory/404-139-0x0000000000000000-mapping.dmp

Download
memory/976-136-0x0000000000000000-mapping.dmp

Download
memory/2180-138-0x0000000000000000-mapping.dmp

Download
memory/2404-140-0x0000000000000000-mapping.dmp

Download
memory/2744-143-0x0000000000000000-mapping.dmp

Download
memory/3476-137-0x0000000000000000-mapping.dmp

Download
memory/3500-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3500-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3500-144-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4260-132-0x0000000000000000-mapping.dmp

Download
memory/4728-141-0x0000000000000000-mapping.dmp

Download
memory/4928-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads