cf73338e10c9a2e314963409241a7a3595b5e21a982b5de92ea8c808609234f5

General

Target

cf73338e10c9a2e314963409241a7a3595b5e21a982b5de92ea8c808609234f5.exe
Size

160KB
MD5

9b3f6acf3d79db09c1252aeabfd72318
SHA1

cd3de7e47c3469354af34cf96ecbbe0633f66aeb
SHA256

cf73338e10c9a2e314963409241a7a3595b5e21a982b5de92ea8c808609234f5
SHA512

c2722a62692a79344bc9b6482460b46475b5780482577077426ffd3b749b7c840389efa89f49801462dd0bb4409a0ae60828cb466729f6e5bca327b77dd601f0
SSDEEP

3072:UzNWMKKRZYchObK91C8sV6Xmoo4LEpYU4JkYpmU13OfsG7Rg4NC+rt:UZuuObR8sVImcyYU4JdmW+0IqGt

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1636	Rserver.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Parameters\ServiceDll = "C:\\Windows\\system32\\qmgr.dll"	Rserver.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cf73338e10c9a2e314963409241a7a3595b5e21a982b5de92ea8c808609234f5.exe

Loads dropped DLL 4 IoCs

pid	Process
1636	Rserver.exe
1636	Rserver.exe
2364	svchost.exe
5040	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\qmgr.dll	Rserver.exe
File created	C:\Windows\SysWOW64\qmgr.dll	Rserver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4684	2364	WerFault.exe	83
560	5040	WerFault.exe	92

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1636	Rserver.exe
1636	Rserver.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 1636	4316	cf73338e10c9a2e314963409241a7a3595b5e21a982b5de92ea8c808609234f5.exe	81
PID 4316 wrote to memory of 1636	4316	cf73338e10c9a2e314963409241a7a3595b5e21a982b5de92ea8c808609234f5.exe	81
PID 4316 wrote to memory of 1636	4316	cf73338e10c9a2e314963409241a7a3595b5e21a982b5de92ea8c808609234f5.exe	81
PID 1636 wrote to memory of 1336	1636	Rserver.exe	82
PID 1636 wrote to memory of 1336	1636	Rserver.exe	82
PID 1636 wrote to memory of 1336	1636	Rserver.exe	82

C:\Users\Admin\AppData\Local\Temp\cf73338e10c9a2e314963409241a7a3595b5e21a982b5de92ea8c808609234f5.exe
"C:\Users\Admin\AppData\Local\Temp\cf73338e10c9a2e314963409241a7a3595b5e21a982b5de92ea8c808609234f5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rserver.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rserver.exe"
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\Notepad.exe
    Notepad.exe
    3⤵
    PID:1336

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:2364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 512
  2⤵
  - Program crash
  PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2364 -ip 2364
1⤵
PID:2020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -p -s BITS
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:5040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 504
  2⤵
  - Program crash
  PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5040 -ip 5040
1⤵
PID:4612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rserver.exe

Filesize
141KB

MD5
6ad7a8032e6a2611e5c9cc939699094b

SHA1
73545f23b13c3a57be54ffaabd2dff243c4febcd

SHA256
26a17ae4b5935a3406134300701276e3e099ed4aba070ad3c40bbd0f2ad6473d

SHA512
874dd2687a5a863a130c47097233fd2a07a1894c3dc8903d48d414d41f3dc99f5b7a8eaf62b5bea0243ed9dde524e21aed7af43246bb4ce1e69210abda9781e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Rserver.exe

Filesize
141KB

MD5
6ad7a8032e6a2611e5c9cc939699094b

SHA1
73545f23b13c3a57be54ffaabd2dff243c4febcd

SHA256
26a17ae4b5935a3406134300701276e3e099ed4aba070ad3c40bbd0f2ad6473d

SHA512
874dd2687a5a863a130c47097233fd2a07a1894c3dc8903d48d414d41f3dc99f5b7a8eaf62b5bea0243ed9dde524e21aed7af43246bb4ce1e69210abda9781e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.dll

Filesize
123KB

MD5
064492a623a527385b38358ea0fe679d

SHA1
0fe86549ca422fe5bf1ba8bc9926f7a9b72c99ba

SHA256
300b0e3883b87b1d987a5a26fe760bdac3768ec9a2afd85f0b9567dfa9f7ea0c

SHA512
a5e034d5eff82d35f5bcc8fe0f8bd79755b27ca63b413d863acc6d622b7fe8d04823abdf3df580256356390d07be44389df9598da11811ff6d3299734264b6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.dll

Filesize
123KB

MD5
064492a623a527385b38358ea0fe679d

SHA1
0fe86549ca422fe5bf1ba8bc9926f7a9b72c99ba

SHA256
300b0e3883b87b1d987a5a26fe760bdac3768ec9a2afd85f0b9567dfa9f7ea0c

SHA512
a5e034d5eff82d35f5bcc8fe0f8bd79755b27ca63b413d863acc6d622b7fe8d04823abdf3df580256356390d07be44389df9598da11811ff6d3299734264b6fa

Download Submit
C:\Windows\SysWOW64\qmgr.dll

Filesize
123KB

MD5
064492a623a527385b38358ea0fe679d

SHA1
0fe86549ca422fe5bf1ba8bc9926f7a9b72c99ba

SHA256
300b0e3883b87b1d987a5a26fe760bdac3768ec9a2afd85f0b9567dfa9f7ea0c

SHA512
a5e034d5eff82d35f5bcc8fe0f8bd79755b27ca63b413d863acc6d622b7fe8d04823abdf3df580256356390d07be44389df9598da11811ff6d3299734264b6fa

Download Submit
C:\Windows\SysWOW64\qmgr.dll

Filesize
123KB

MD5
064492a623a527385b38358ea0fe679d

SHA1
0fe86549ca422fe5bf1ba8bc9926f7a9b72c99ba

SHA256
300b0e3883b87b1d987a5a26fe760bdac3768ec9a2afd85f0b9567dfa9f7ea0c

SHA512
a5e034d5eff82d35f5bcc8fe0f8bd79755b27ca63b413d863acc6d622b7fe8d04823abdf3df580256356390d07be44389df9598da11811ff6d3299734264b6fa

Download Submit
\??\c:\windows\SysWOW64\qmgr.dll

Filesize
123KB

MD5
064492a623a527385b38358ea0fe679d

SHA1
0fe86549ca422fe5bf1ba8bc9926f7a9b72c99ba

SHA256
300b0e3883b87b1d987a5a26fe760bdac3768ec9a2afd85f0b9567dfa9f7ea0c

SHA512
a5e034d5eff82d35f5bcc8fe0f8bd79755b27ca63b413d863acc6d622b7fe8d04823abdf3df580256356390d07be44389df9598da11811ff6d3299734264b6fa

Download Submit
memory/1636-138-0x0000000002020000-0x0000000002044000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing