b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73

General

Target

b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe
Size

1.1MB
MD5

b76353f4f915d958df5617ac8c40ea67
SHA1

f565bad20741158afa83d4019ca9527afa1dbc64
SHA256

b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73
SHA512

02c2a7e1d2ea6545ab608af8eed4b63c898339008a6b2e1fc6182eef27b1459de938d0edb5642b6187ace92b8ab399a333974e186dddf8357ff850f4b6cfc3b6
SSDEEP

24576:Etz8aJoW5Q4FA1If3x1bDPTnA52qmJwlpvj1ifNhLWp:iAA3XbPsIfNhLM

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
540	Update.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Update.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\tesla\files\	Update.exe
File created	C:\Program Files (x86)\bearshare\shared\	Update.exe
File created	C:\Program Files (x86)\grokster\my grokster\	Update.exe
File created	C:\Program Files (x86)\kazaa\my shared folder\	Update.exe
File created	C:\Program Files (x86)\limewire\shared\	Update.exe
File created	C:\Program Files (x86)\edonkey2000\incoming\	Update.exe
File created	C:\Program Files (x86)\icq\shared folder\	Update.exe
File created	C:\Program Files (x86)\morpheus\my shared folder\	Update.exe
File created	C:\Program Files (x86)\winmx\shared\	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	Update.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4976	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe
4976	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe
4976	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe
4976	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe
540	Update.exe
540	Update.exe
540	Update.exe
540	Update.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 3228	4976	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe	85
PID 4976 wrote to memory of 3228	4976	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe	85
PID 4976 wrote to memory of 3228	4976	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe	85
PID 4976 wrote to memory of 540	4976	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe	87
PID 4976 wrote to memory of 540	4976	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe	87
PID 4976 wrote to memory of 540	4976	b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe	87
PID 540 wrote to memory of 1476	540	Update.exe	88
PID 540 wrote to memory of 1476	540	Update.exe	88
PID 540 wrote to memory of 1476	540	Update.exe	88
PID 540 wrote to memory of 3316	540	Update.exe	89
PID 540 wrote to memory of 3316	540	Update.exe	89
PID 540 wrote to memory of 3316	540	Update.exe	89

C:\Users\Admin\AppData\Local\Temp\b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe
"C:\Users\Admin\AppData\Local\Temp\b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Melt.bat" "
  2⤵
  PID:3228
- C:\Users\Admin\AppData\Roaming\Secure-Soft Stealer\Update.exe
  "C:\Users\Admin\AppData\Roaming\Secure-Soft Stealer\Update.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Autorun.vbs"
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Taskmanager.bat" "
    3⤵
    PID:3316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Melt.bat

Filesize
254B

MD5
878754cdcb4cd200d150e64f8e3fc5a7

SHA1
bdd7554625c6f951d734062d1ceb387425f8f6da

SHA256
c28feedbcf615c2f915b1944538203027bffa6c84ffab3d571c1392456c37675

SHA512
045a84e22adb94fc4b22d34ecec6a010d7b4e9ec501e42a37abdb6098bd1c933f91b66ac1b7ea11f380f025a10c72e9d59c505e1b9e4af1d4a8f87e241e7e108

Download Submit
C:\Users\Admin\AppData\Roaming\Secure-Soft Stealer\Update.exe

Filesize
1.1MB

MD5
b76353f4f915d958df5617ac8c40ea67

SHA1
f565bad20741158afa83d4019ca9527afa1dbc64

SHA256
b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73

SHA512
02c2a7e1d2ea6545ab608af8eed4b63c898339008a6b2e1fc6182eef27b1459de938d0edb5642b6187ace92b8ab399a333974e186dddf8357ff850f4b6cfc3b6

Download Submit
C:\Users\Admin\AppData\Roaming\Secure-Soft Stealer\Update.exe

Filesize
1.1MB

MD5
b76353f4f915d958df5617ac8c40ea67

SHA1
f565bad20741158afa83d4019ca9527afa1dbc64

SHA256
b660ff6d5b64bb31076ff9b5011e819c2a34c4671746f2ebac9167729bcceb73

SHA512
02c2a7e1d2ea6545ab608af8eed4b63c898339008a6b2e1fc6182eef27b1459de938d0edb5642b6187ace92b8ab399a333974e186dddf8357ff850f4b6cfc3b6

Download Submit

Analysis

Sharing