ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a

General

Target

ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a.exe
Size

2.1MB
MD5

ab59ba909a34ec973045dcad6e867276
SHA1

dd538f5e0847a245a6b3256983aa3cf2677b137e
SHA256

ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a
SHA512

3206967d91933ef2b693df5d74c656162db2aeda139e32809743be39f94f52c5c4407a7f911b4df31c327059ef905cb811e3ad8ed62aea183acd71ab805f42ae
SSDEEP

24576:hfAqOavfPNman8jarwLeXfB0yfM8GUS/heII8oyn6yKXbs1x3/rcpBpnuq9zq4Mq:hua82rNJKU0n8Xg1V/yrBXP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
540	flashplayer.exe
2456	serviceupda.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
5060	taskkill.exe
3840	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	taskkill.exe
Token: SeDebugPrivilege	3840	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
540	flashplayer.exe
540	flashplayer.exe
540	flashplayer.exe
540	flashplayer.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 4544	5076	ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a.exe	87
PID 5076 wrote to memory of 4544	5076	ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a.exe	87
PID 5076 wrote to memory of 4544	5076	ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a.exe	87
PID 5076 wrote to memory of 1340	5076	ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a.exe	89
PID 5076 wrote to memory of 1340	5076	ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a.exe	89
PID 5076 wrote to memory of 1340	5076	ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a.exe	89
PID 4544 wrote to memory of 5060	4544	cmd.exe	91
PID 4544 wrote to memory of 5060	4544	cmd.exe	91
PID 4544 wrote to memory of 5060	4544	cmd.exe	91
PID 1340 wrote to memory of 3840	1340	cmd.exe	92
PID 1340 wrote to memory of 3840	1340	cmd.exe	92
PID 1340 wrote to memory of 3840	1340	cmd.exe	92
PID 5076 wrote to memory of 540	5076	ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a.exe	94
PID 5076 wrote to memory of 540	5076	ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a.exe	94
PID 5076 wrote to memory of 540	5076	ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a.exe	94
PID 5076 wrote to memory of 2456	5076	ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a.exe	95
PID 5076 wrote to memory of 2456	5076	ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a.exe	95
PID 5076 wrote to memory of 2456	5076	ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a.exe	95

C:\Users\Admin\AppData\Local\Temp\ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a.exe
"C:\Users\Admin\AppData\Local\Temp\ee1e2823184ac4e3549f8774db700170ea763a2fde7ddcb4379837ed2487463a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im serviceupda.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im serviceupda.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im flashplayer.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im flashplayer.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3840
- C:\Users\Admin\AppData\Local\Temp\flashplayer.exe
  "C:\Users\Admin\AppData\Local\Temp\flashplayer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:540
- C:\Users\Admin\AppData\Local\Temp\serviceupda.exe
  "C:\Users\Admin\AppData\Local\Temp\serviceupda.exe"
  2⤵
  - Executes dropped EXE
  PID:2456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\flashplayer.exe

Filesize
1.1MB

MD5
96c436d7e2b49f213a983cb3e648b04d

SHA1
84ad2263701b370caa15ec6142fa81b2db3342c2

SHA256
22225caeedc7e46ccc98af1c6622c626f4d75a93b6a9976a2eed11b429e59188

SHA512
095b62d0288a8be544a989f3949b7afe5415475e8acb379bfc9b31d74a0cecdee81433a84496853edc155cd96df9fe1c3524beaf3decc95b343aafc29ae6c8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\flashplayer.exe

Filesize
1.1MB

MD5
96c436d7e2b49f213a983cb3e648b04d

SHA1
84ad2263701b370caa15ec6142fa81b2db3342c2

SHA256
22225caeedc7e46ccc98af1c6622c626f4d75a93b6a9976a2eed11b429e59188

SHA512
095b62d0288a8be544a989f3949b7afe5415475e8acb379bfc9b31d74a0cecdee81433a84496853edc155cd96df9fe1c3524beaf3decc95b343aafc29ae6c8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\serviceupda.exe

Filesize
360KB

MD5
a6719ac8e069f3aa4abe2a087a3dd317

SHA1
cffd1a8252f418d6d5c8ea3fc36295ca1dd4edcb

SHA256
ec187fa1b5e8322ee8f0638c5bc8def4d231b2525d5ec47bf6ba5112b31e8866

SHA512
30bfcd2956090505232817b620a78264576bd6208713cd8cdf645e873bf115ffb6e3fe1df8d31fbe5b54ef7e0d8dec485d621671026bb9d93c9d9589773c10db

Download Submit
C:\Users\Admin\AppData\Local\Temp\serviceupda.exe

Filesize
360KB

MD5
a6719ac8e069f3aa4abe2a087a3dd317

SHA1
cffd1a8252f418d6d5c8ea3fc36295ca1dd4edcb

SHA256
ec187fa1b5e8322ee8f0638c5bc8def4d231b2525d5ec47bf6ba5112b31e8866

SHA512
30bfcd2956090505232817b620a78264576bd6208713cd8cdf645e873bf115ffb6e3fe1df8d31fbe5b54ef7e0d8dec485d621671026bb9d93c9d9589773c10db

Download Submit
memory/540-139-0x0000000000D50000-0x000000000116C000-memory.dmp

Filesize
4.1MB

Download
memory/540-143-0x0000000000D40000-0x0000000000D43000-memory.dmp

Filesize
12KB

Download
memory/540-144-0x0000000000D50000-0x000000000116C000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing