b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2

General

Target

b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
Size

560KB
MD5

cc097f39b5675b5170eeaefad2cdb6e5
SHA1

3e6c1af8b7e4df9ee7d90c399da221dbb8194be8
SHA256

b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2
SHA512

3295c6aa1416df26bd3cbf7e0c7a91146e73ac4e8459b102b4fcf6e606c524d4d961fdc25374ac20a4727ea72e1f15e07fd20145f5712af33c4654d77fa8b256
SSDEEP

12288:Y3nZMhJ+ubNJtqyk4YAY+hfOh43nofBD5qGhRDUOOxwROywrE2+:Y3nZqfbvtKfAThc43nYBD1DLTiEt

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4688	324ekdown.cam.com
1116	win.exe
4816	mshlp.exe
4992	win32.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	324ekdown.cam.com
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	win.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xvid = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mshlp.exe"	win32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4536	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 4688	1852	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe	84
PID 1852 wrote to memory of 4688	1852	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe	84
PID 1852 wrote to memory of 4688	1852	b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe	84
PID 4688 wrote to memory of 1116	4688	324ekdown.cam.com	86
PID 4688 wrote to memory of 1116	4688	324ekdown.cam.com	86
PID 4688 wrote to memory of 1116	4688	324ekdown.cam.com	86
PID 1116 wrote to memory of 4816	1116	win.exe	87
PID 1116 wrote to memory of 4816	1116	win.exe	87
PID 1116 wrote to memory of 4816	1116	win.exe	87
PID 1116 wrote to memory of 4992	1116	win.exe	88
PID 1116 wrote to memory of 4992	1116	win.exe	88
PID 1116 wrote to memory of 4992	1116	win.exe	88

C:\Users\Admin\AppData\Local\Temp\b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe
"C:\Users\Admin\AppData\Local\Temp\b615c8e200a9b4dea8925bfbebdea652367a00366eb1415f323362312e122ed2.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\324ekdown.cam.com
  "C:\Users\Admin\AppData\Local\Temp\324ekdown.cam.com"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\win.exe
    "C:\Users\Admin\AppData\Local\Temp\win.exe" -p321
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\mshlp.exe
      "C:\Users\Admin\AppData\Local\Temp\mshlp.exe"
      4⤵
      Executes dropped EXE
      PID:4816
  - - C:\Users\Admin\AppData\Local\Temp\win32.exe
      "C:\Users\Admin\AppData\Local\Temp\win32.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\324ekdown.cam.com

Filesize
188KB

MD5
60c022a79dec56847260749dbdb84643

SHA1
978153c84603a4826c292b6af7fdb023b218d9fd

SHA256
2966b49f09a9aa0f166410d7525ec9ac25d30637a14478ff9a2745d4f0a64909

SHA512
4a31726199b5a709a4cb944d70a557638ba97464d11da6000466d1b29c11675b4f211accf41e22118f813202e3070515f5c89bfd31fc5e4e8c50193b47dc06b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\324ekdown.cam.com

Filesize
188KB

MD5
60c022a79dec56847260749dbdb84643

SHA1
978153c84603a4826c292b6af7fdb023b218d9fd

SHA256
2966b49f09a9aa0f166410d7525ec9ac25d30637a14478ff9a2745d4f0a64909

SHA512
4a31726199b5a709a4cb944d70a557638ba97464d11da6000466d1b29c11675b4f211accf41e22118f813202e3070515f5c89bfd31fc5e4e8c50193b47dc06b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mshlp.exe

Filesize
49KB

MD5
2afd69b56cf24e5b216e640a979497ee

SHA1
5db3fcba21bbfc45581d09936da33bfce2dcc675

SHA256
81962b9df59eb588973d2888de11cf410f60d7e6e65e5c77b36dd28690fef522

SHA512
cd1139f47d935330abcb2f6402f948d26d6bc94962c0b1a7b9ac5466b6fe8847861d0f7b358f6e2cf7e91bc061e66a9ee795a2c62059b87552106b4bff78ab81

Download Submit
C:\Users\Admin\AppData\Local\Temp\mshlp.exe

Filesize
49KB

MD5
2afd69b56cf24e5b216e640a979497ee

SHA1
5db3fcba21bbfc45581d09936da33bfce2dcc675

SHA256
81962b9df59eb588973d2888de11cf410f60d7e6e65e5c77b36dd28690fef522

SHA512
cd1139f47d935330abcb2f6402f948d26d6bc94962c0b1a7b9ac5466b6fe8847861d0f7b358f6e2cf7e91bc061e66a9ee795a2c62059b87552106b4bff78ab81

Download Submit
C:\Users\Admin\AppData\Local\Temp\win.exe

Filesize
139KB

MD5
dee240d01db48ec0704a4520695db7a9

SHA1
2046c4b30c73734920d10416457594f72c1e2dac

SHA256
dc3a6ed95f4d35d219af402efda72fe46526bdbe299129f27498b6ca7b6d0e0a

SHA512
c3f52d3fd6a3b84b4a7f83cc9d3bbc1dc8cc5a872f16d30e10b8f96a11aaeac67435feb09d166d9f1561a482f2fc9891c813c346e9048b8ddd6c38b2daa0df99

Download Submit
C:\Users\Admin\AppData\Local\Temp\win.exe

Filesize
139KB

MD5
dee240d01db48ec0704a4520695db7a9

SHA1
2046c4b30c73734920d10416457594f72c1e2dac

SHA256
dc3a6ed95f4d35d219af402efda72fe46526bdbe299129f27498b6ca7b6d0e0a

SHA512
c3f52d3fd6a3b84b4a7f83cc9d3bbc1dc8cc5a872f16d30e10b8f96a11aaeac67435feb09d166d9f1561a482f2fc9891c813c346e9048b8ddd6c38b2daa0df99

Download Submit
C:\Users\Admin\AppData\Local\Temp\win32.exe

Filesize
48KB

MD5
ab4ee7911f9c760f4155956a2b4378f4

SHA1
4faae72c80e41f972a39a712dd18c508510868a9

SHA256
e54855dc2a6a284040dd44056b112b081b699d33689c16c03058b940f2432e8b

SHA512
28da7353710363408773ff9a6d7850511d0f5d8443bd9b10f51e989ffd46070527e690a6beaa62f0d2e775896d29cd39808022b9b05415452b134a26c33107e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\win32.exe

Filesize
48KB

MD5
ab4ee7911f9c760f4155956a2b4378f4

SHA1
4faae72c80e41f972a39a712dd18c508510868a9

SHA256
e54855dc2a6a284040dd44056b112b081b699d33689c16c03058b940f2432e8b

SHA512
28da7353710363408773ff9a6d7850511d0f5d8443bd9b10f51e989ffd46070527e690a6beaa62f0d2e775896d29cd39808022b9b05415452b134a26c33107e9

Download Submit

Analysis

Sharing