1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e

General

Target

1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
Size

3.1MB
MD5

6460c9956bd90b9fc83d318aac0c72f7
SHA1

130d7cd6d44234a2c8b78bb10a592539ecae0703
SHA256

1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e
SHA512

d33c712830bd31d16eb7aba30eaf331cef6ac6a5b06c5be0180411caa5828e147db8379991431cb2098ee5ff00437cc2c7e333930df215b2856d5b30da768603
SSDEEP

49152:T0T9a9PH8kmpnUYBTGpax+5jrdewURNGzGo5KG+jLcasY6DwOBfrnvV7UeWtPNZ:TQofrJuTGKnwURNGUnjQYiwOBpIeWHZ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4160	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Loads dropped DLL 1 IoCs

pid	Process
4160	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4160	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
File opened for modification	C:\Windows\assembly	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
File created	C:\Windows\assembly\Desktop.ini	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4160	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
4160	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4160	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 4160	2324	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe	86
PID 2324 wrote to memory of 4160	2324	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe	86
PID 2324 wrote to memory of 4160	2324	1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe	86

C:\Users\Admin\AppData\Local\Temp\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
"C:\Users\Admin\AppData\Local\Temp\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\mswdzyhk.gtv\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe
  "C:\Users\Admin\AppData\Local\Temp\mswdzyhk.gtv\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe.log

Filesize
312B

MD5
d4b49ac61a6cac139f96450777c10204

SHA1
92089d33442c9e2eaceac3ed8db6a7168f938e5a

SHA256
807bdfa62a4312030c1ed54981674cff77f6108e6b4957754cabb810098ce082

SHA512
eb13a0e7f0d4b44db7e8d0625ba1ee6a036083c39c24b85493d3ec9074ada03eb7003b97bd92ed5f2baaf26295a4690303332593c4776e75da5bc3b6adbc3ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mswdzyhk.gtv\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Filesize
3.0MB

MD5
7d590bccd10a91278a1d0c1db1e6886f

SHA1
b95b286fa7ba1457bb7a93b06761177e84b0c8e2

SHA256
cb17a248e6356ce4b8ee44f6eb567d7a16f093dbe2706928861d0920825d4155

SHA512
00a9acda8e00c00c3e89bf5aa7de555dfd37c41c93f260114f07376dc586b5dc8feaa4712a0b15e335ebb31d550856c812f00683cbc9a6b94b8dbab0c89f88d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mswdzyhk.gtv\1aac2e87d6fe183c5e47a1ed87a74a9617cdd07202c28dfa3e1996729c2bab8e.exe

Filesize
3.0MB

MD5
7d590bccd10a91278a1d0c1db1e6886f

SHA1
b95b286fa7ba1457bb7a93b06761177e84b0c8e2

SHA256
cb17a248e6356ce4b8ee44f6eb567d7a16f093dbe2706928861d0920825d4155

SHA512
00a9acda8e00c00c3e89bf5aa7de555dfd37c41c93f260114f07376dc586b5dc8feaa4712a0b15e335ebb31d550856c812f00683cbc9a6b94b8dbab0c89f88d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mswdzyhk.gtv\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
memory/2324-141-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/2324-134-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/2324-133-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/4160-146-0x0000000002A10000-0x0000000002A4D000-memory.dmp

Filesize
244KB

Download
memory/4160-149-0x00000000737A0000-0x00000000737FB000-memory.dmp

Filesize
364KB

Download
memory/4160-139-0x0000000075210000-0x0000000075425000-memory.dmp

Filesize
2.1MB

Download
memory/4160-144-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/4160-145-0x0000000000B80000-0x0000000000C70000-memory.dmp

Filesize
960KB

Download
memory/4160-138-0x0000000000B80000-0x0000000000C70000-memory.dmp

Filesize
960KB

Download
memory/4160-143-0x0000000076800000-0x0000000076DB3000-memory.dmp

Filesize
5.7MB

Download
memory/4160-147-0x0000000076F90000-0x0000000077211000-memory.dmp

Filesize
2.5MB

Download
memory/4160-148-0x0000000076EA0000-0x0000000076F83000-memory.dmp

Filesize
908KB

Download
memory/4160-140-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/4160-150-0x0000000072C00000-0x0000000072EDE000-memory.dmp

Filesize
2.9MB

Download
memory/4160-151-0x0000000072F80000-0x0000000072F88000-memory.dmp

Filesize
32KB

Download
memory/4160-153-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/4160-154-0x0000000000B80000-0x0000000000C70000-memory.dmp

Filesize
960KB

Download
memory/4160-155-0x0000000002A10000-0x0000000002A4D000-memory.dmp

Filesize
244KB

Download
memory/4160-156-0x0000000072F80000-0x0000000072F88000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing