d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68

General

Target

d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68.exe
Size

279KB
MD5

6e0a8f09481a82dbe5d5bc54c03f6817
SHA1

9c3c7fa3018dc175920689264abdd43b894b787b
SHA256

d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68
SHA512

4ecfed5dc02524eae7b885f7e4b86578e3579f06b7ee4fe650dd19b54dbf499202e1a216b700ad6559460de7b7c35207816b9d439302420ab7ced1f755581fe6
SSDEEP

6144:HY/XgvZX4NeCpv8WjKQ5RkuSwfi3JMA7gYUR5KrGyIR:+I4Nhp6Gn+JMM4RcmR

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1900	svchost.exe
4196	Q1.exe
8	Q2.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tDev1lServer.exe = "tDev1lServer.exe"	Q1.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\tDev1lServer.exe	Q1.exe
File opened for modification	C:\Windows\system32\tDev1lServer.exe	Q1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4596	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4196	Q1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4596	taskkill.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 1900	2944	d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68.exe	85
PID 2944 wrote to memory of 1900	2944	d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68.exe	85
PID 2944 wrote to memory of 448	2944	d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68.exe	86
PID 2944 wrote to memory of 448	2944	d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68.exe	86
PID 448 wrote to memory of 4596	448	cmd.exe	88
PID 448 wrote to memory of 4596	448	cmd.exe	88
PID 1900 wrote to memory of 4196	1900	svchost.exe	89
PID 1900 wrote to memory of 4196	1900	svchost.exe	89
PID 1900 wrote to memory of 8	1900	svchost.exe	90
PID 1900 wrote to memory of 8	1900	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68.exe
"C:\Users\Admin\AppData\Local\Temp\d0e5607871c00ee8d7b30ec8d071c88577db1c5a575b5da9df6011f5a137ac68.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\Q1.exe
    "C:\Users\Admin\AppData\Local\Temp\Q1.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    PID:4196
- - C:\Users\Admin\AppData\Local\Temp\Q2.exe
    "C:\Users\Admin\AppData\Local\Temp\Q2.exe"
    3⤵
    - Executes dropped EXE
    PID:8
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\mUpdate.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\system32\taskkill.exe
    TASKKILL /F /T /IM My
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Q1.exe

Filesize
101KB

MD5
5f89b2186a30d75382f01deae3fcb50b

SHA1
aa769c71244db023ba88d58f5ca0dd80f5885be5

SHA256
b42aa0159a233c13c7b0a1ef028f2430dc3161be9b58675a69ddb079bdb60fb4

SHA512
fea3d8d5af91f424462ed25cbe7e2c92b5f14b837649fe5d6e2c8717d727ba1cd9a7358c2146a17213118cf8209c45c58cb38d33728e95fc12e3d16ea7568fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q1.exe

Filesize
101KB

MD5
5f89b2186a30d75382f01deae3fcb50b

SHA1
aa769c71244db023ba88d58f5ca0dd80f5885be5

SHA256
b42aa0159a233c13c7b0a1ef028f2430dc3161be9b58675a69ddb079bdb60fb4

SHA512
fea3d8d5af91f424462ed25cbe7e2c92b5f14b837649fe5d6e2c8717d727ba1cd9a7358c2146a17213118cf8209c45c58cb38d33728e95fc12e3d16ea7568fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q2.exe

Filesize
43KB

MD5
8b77c2c0143d83ee6e0f1e039713e7fd

SHA1
806a3adba6bf775e22bd1a9c0d533f61053a1bcb

SHA256
3ca4c9df68cd22d87934a1835d2eccbcafc306b06626a812ae26ae3353eaf9fd

SHA512
d893ca27983a82869d1a38e2ff6d667be5096f5229cd72f4fc9e3aedf32f5ecbd8e0d7c08a132024f274a02912dbf91ca5975329f9d8ff7891080b4556fa2341

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q2.exe

Filesize
43KB

MD5
8b77c2c0143d83ee6e0f1e039713e7fd

SHA1
806a3adba6bf775e22bd1a9c0d533f61053a1bcb

SHA256
3ca4c9df68cd22d87934a1835d2eccbcafc306b06626a812ae26ae3353eaf9fd

SHA512
d893ca27983a82869d1a38e2ff6d667be5096f5229cd72f4fc9e3aedf32f5ecbd8e0d7c08a132024f274a02912dbf91ca5975329f9d8ff7891080b4556fa2341

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUpdate.bat

Filesize
125B

MD5
e4a13d0ff2d91af41346649fcfcdd95c

SHA1
307c3714aeac925eed8a8a1a4a08ec4e3c1ec7ec

SHA256
8fcf29def1748dc8b696e036154d932adbc34237691d739bff405547f664fe1d

SHA512
1127652d8c69b2e741d68cab8473413098471bc2cb2ce7a9737ef7639017c6fac0f1c646ef821dea391ec78bccd8b6277e7b3c57261dcb7005076bdafdb68c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
160KB

MD5
2a0de66faa401c5610e4089e80679646

SHA1
ba481aca63ff54a45e6fa6046443566bbca9f6c7

SHA256
dcd076ac872aa0bbf01fe235920de6b7178fc2c7aa1bc45a81826d45a5a021ad

SHA512
4e02fd6d7525e7d5c6a75bd5f797e38814d6572709954edb9783dce46ae05de716c7904ce148a8edef5d36dbc925e9d88f71362db1ba8bfe0712e5e36cb701b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
160KB

MD5
2a0de66faa401c5610e4089e80679646

SHA1
ba481aca63ff54a45e6fa6046443566bbca9f6c7

SHA256
dcd076ac872aa0bbf01fe235920de6b7178fc2c7aa1bc45a81826d45a5a021ad

SHA512
4e02fd6d7525e7d5c6a75bd5f797e38814d6572709954edb9783dce46ae05de716c7904ce148a8edef5d36dbc925e9d88f71362db1ba8bfe0712e5e36cb701b0

Download Submit
memory/8-147-0x00007FFA10590000-0x00007FFA10FC6000-memory.dmp

Filesize
10.2MB

Download
memory/1900-136-0x00007FFA10590000-0x00007FFA10FC6000-memory.dmp

Filesize
10.2MB

Download
memory/2944-132-0x00007FFA10590000-0x00007FFA10FC6000-memory.dmp

Filesize
10.2MB

Download
memory/4196-144-0x00007FFA10590000-0x00007FFA10FC6000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing