b91a9aff36f6e8d2c78d1fc2c3fa742d174d56f56e282f04468c90538f54b840

General

Target

b91a9aff36f6e8d2c78d1fc2c3fa742d174d56f56e282f04468c90538f54b840.exe
Size

880KB
MD5

558fb4e70e56f0b4508138c83193f3b1
SHA1

2a060a5bc069f368d25c4108bab51fa0041457f4
SHA256

b91a9aff36f6e8d2c78d1fc2c3fa742d174d56f56e282f04468c90538f54b840
SHA512

f2c614fe5c8de95a07ddf3e657565310dcc1411f08656739612e9a809bcb9ab7c039dc894c4d2b084defbfb7a49c4f7f2afb15ba08453c926b22a624d7e73b34
SSDEEP

12288:nsaY8rzBtQmJa6IurrRDbT3OqiXLQu7N55FoUgUo+GfYB2zsRVrXxHXhRhZvqpHt:B/rzDfjIurrROqiXtAUum2g3Ju78Okt6

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

ÅÜÅÜÐý·ç 6.8.exeÄ¾Âí.exeÄ¾Âí.exe

pid process

3084 ÅÜÅÜÐý·ç 6.8.exe
3896 Ä¾Âí.exe
4308 Ä¾Âí.exe

pid	process
3084	ÅÜÅÜÐý·ç 6.8.exe
3896	Ä¾Âí.exe
4308	Ä¾Âí.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1436-132-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1436-133-0x0000000000400000-0x000000000041C000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Temp\ÅÜÅÜÐý·ç 6.8.exe	upx
C:\Users\Admin\AppData\Local\Temp\Temp\ÅÜÅÜÐý·ç 6.8.exe	upx
behavioral2/memory/3084-137-0x0000000000400000-0x000000000059C000-memory.dmp	upx
behavioral2/memory/1436-141-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3084-149-0x0000000000400000-0x000000000059C000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b91a9aff36f6e8d2c78d1fc2c3fa742d174d56f56e282f04468c90538f54b840.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	b91a9aff36f6e8d2c78d1fc2c3fa742d174d56f56e282f04468c90538f54b840.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Ä¾Âí.exe

description pid process target process

PID 3896 set thread context of 4308 3896 Ä¾Âí.exe Ä¾Âí.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1108 4308 WerFault.exe Ä¾Âí.exe

description	pid	process	target process
PID 3896 set thread context of 4308	3896	Ä¾Âí.exe	Ä¾Âí.exe

pid	pid_target	process	target process
1108	4308	WerFault.exe	Ä¾Âí.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

ÅÜÅÜÐý·ç 6.8.exe

description	pid	process
Token: 1	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeCreateTokenPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeAssignPrimaryTokenPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeLockMemoryPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeIncreaseQuotaPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeMachineAccountPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeTcbPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeSecurityPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeTakeOwnershipPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeLoadDriverPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeSystemProfilePrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeSystemtimePrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeProfSingleProcessPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeIncBasePriorityPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeCreatePagefilePrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeCreatePermanentPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeBackupPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeRestorePrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeShutdownPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeDebugPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeAuditPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeSystemEnvironmentPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeChangeNotifyPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeRemoteShutdownPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeUndockPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeSyncAgentPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeEnableDelegationPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeManageVolumePrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeImpersonatePrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: SeCreateGlobalPrivilege	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: 31	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: 32	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: 33	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: 34	3084	ÅÜÅÜÐý·ç 6.8.exe
Token: 35	3084	ÅÜÅÜÐý·ç 6.8.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

ÅÜÅÜÐý·ç 6.8.exe

pid process

3084 ÅÜÅÜÐý·ç 6.8.exe
3084 ÅÜÅÜÐý·ç 6.8.exe
3084 ÅÜÅÜÐý·ç 6.8.exe
3084 ÅÜÅÜÐý·ç 6.8.exe

pid	process
3084	ÅÜÅÜÐý·ç 6.8.exe
3084	ÅÜÅÜÐý·ç 6.8.exe
3084	ÅÜÅÜÐý·ç 6.8.exe
3084	ÅÜÅÜÐý·ç 6.8.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

b91a9aff36f6e8d2c78d1fc2c3fa742d174d56f56e282f04468c90538f54b840.exeÄ¾Âí.exe

description	pid	process	target process
PID 1436 wrote to memory of 3084	1436	b91a9aff36f6e8d2c78d1fc2c3fa742d174d56f56e282f04468c90538f54b840.exe	ÅÜÅÜÐý·ç 6.8.exe
PID 1436 wrote to memory of 3084	1436	b91a9aff36f6e8d2c78d1fc2c3fa742d174d56f56e282f04468c90538f54b840.exe	ÅÜÅÜÐý·ç 6.8.exe
PID 1436 wrote to memory of 3084	1436	b91a9aff36f6e8d2c78d1fc2c3fa742d174d56f56e282f04468c90538f54b840.exe	ÅÜÅÜÐý·ç 6.8.exe
PID 1436 wrote to memory of 3896	1436	b91a9aff36f6e8d2c78d1fc2c3fa742d174d56f56e282f04468c90538f54b840.exe	Ä¾Âí.exe
PID 1436 wrote to memory of 3896	1436	b91a9aff36f6e8d2c78d1fc2c3fa742d174d56f56e282f04468c90538f54b840.exe	Ä¾Âí.exe
PID 1436 wrote to memory of 3896	1436	b91a9aff36f6e8d2c78d1fc2c3fa742d174d56f56e282f04468c90538f54b840.exe	Ä¾Âí.exe
PID 3896 wrote to memory of 4308	3896	Ä¾Âí.exe	Ä¾Âí.exe
PID 3896 wrote to memory of 4308	3896	Ä¾Âí.exe	Ä¾Âí.exe
PID 3896 wrote to memory of 4308	3896	Ä¾Âí.exe	Ä¾Âí.exe
PID 3896 wrote to memory of 4308	3896	Ä¾Âí.exe	Ä¾Âí.exe
PID 3896 wrote to memory of 4308	3896	Ä¾Âí.exe	Ä¾Âí.exe

C:\Users\Admin\AppData\Local\Temp\b91a9aff36f6e8d2c78d1fc2c3fa742d174d56f56e282f04468c90538f54b840.exe
"C:\Users\Admin\AppData\Local\Temp\b91a9aff36f6e8d2c78d1fc2c3fa742d174d56f56e282f04468c90538f54b840.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\Temp\ÅÜÅÜÐý·ç 6.8.exe
"C:\Users\Admin\AppData\Local\Temp\Temp\ÅÜÅÜÐý·ç 6.8.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3084

C:\Users\Admin\AppData\Local\Temp\Temp\Ä¾Âí.exe
"C:\Users\Admin\AppData\Local\Temp\Temp\Ä¾Âí.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3896

C:\Users\Admin\AppData\Local\Temp\Temp\Ä¾Âí.exe
C:\Users\Admin\AppData\Local\Temp\Temp\Ä¾Âí.exe
3⤵
- Executes dropped EXE
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 80
4⤵
- Program crash
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4308 -ip 4308
1⤵
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\Ä¾Âí.exe
Filesize
5.8MB

MD5
eaaa7d585fe518826886961768b03d25

SHA1
ffbb1af5deab0b416d2d8db1f2f18ac0c1093b7a

SHA256
e3f3c0bf1db79593daf1d579ba95fb2f655e59c889d233e742c2c23e7b7a71db

SHA512
8e3c1bf285d98eb3718402df3467332055713e0d2de5c3748bcae78815e72657d2c143148a22ac722ee26831740981acc2515f6d2da2e0f4d982ff29fa1bcf2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\Ä¾Âí.exe
Filesize
5.8MB

MD5
eaaa7d585fe518826886961768b03d25

SHA1
ffbb1af5deab0b416d2d8db1f2f18ac0c1093b7a

SHA256
e3f3c0bf1db79593daf1d579ba95fb2f655e59c889d233e742c2c23e7b7a71db

SHA512
8e3c1bf285d98eb3718402df3467332055713e0d2de5c3748bcae78815e72657d2c143148a22ac722ee26831740981acc2515f6d2da2e0f4d982ff29fa1bcf2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\Ä¾Âí.exe
Filesize
5.8MB

MD5
eaaa7d585fe518826886961768b03d25

SHA1
ffbb1af5deab0b416d2d8db1f2f18ac0c1093b7a

SHA256
e3f3c0bf1db79593daf1d579ba95fb2f655e59c889d233e742c2c23e7b7a71db

SHA512
8e3c1bf285d98eb3718402df3467332055713e0d2de5c3748bcae78815e72657d2c143148a22ac722ee26831740981acc2515f6d2da2e0f4d982ff29fa1bcf2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\ÅÜÅÜÐý·ç 6.8.exe
Filesize
767KB

MD5
c3c4d07e961e8c81049da6e8bd344f3c

SHA1
3dddadc9dfeaf977b1ca1d8f2756ad5873b80fd3

SHA256
0abbad458fcc22f9c5c3e7a41c8fdc6680733b71bb898b9654f8a186acf96b45

SHA512
90d0d31c13723b5819c38124dc1bce45bf719de38e0b19a59aff318072a956b5fd8ee8ed4494e7f20baee4b25ebe69d9cd75e134beb030de5c74face4947ad4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\ÅÜÅÜÐý·ç 6.8.exe
Filesize
767KB

MD5
c3c4d07e961e8c81049da6e8bd344f3c

SHA1
3dddadc9dfeaf977b1ca1d8f2756ad5873b80fd3

SHA256
0abbad458fcc22f9c5c3e7a41c8fdc6680733b71bb898b9654f8a186acf96b45

SHA512
90d0d31c13723b5819c38124dc1bce45bf719de38e0b19a59aff318072a956b5fd8ee8ed4494e7f20baee4b25ebe69d9cd75e134beb030de5c74face4947ad4e

Download Submit
memory/1436-141-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1436-132-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1436-133-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3084-137-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3084-134-0x0000000000000000-mapping.dmp

Download
memory/3084-149-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3896-138-0x0000000000000000-mapping.dmp

Download
memory/3896-142-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

Filesize
96KB

Download
memory/3896-147-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

Filesize
96KB

Download
memory/4308-143-0x0000000000000000-mapping.dmp

Download
memory/4308-144-0x000000000001B000-0x000000000002A000-memory.dmp

Filesize
60KB

Download
memory/4308-145-0x000000000001B000-0x0000000000022382-memory.dmp

Filesize
28KB

Download
memory/4308-148-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads