5aa112eddf31f8533430f6401ac59e0c99c62d7e73f206e10e523b6544e304a9

General

Target

5aa112eddf31f8533430f6401ac59e0c99c62d7e73f206e10e523b6544e304a9.exe
Size

125KB
MD5

560bc0ccfe6145fab637d654030ac340
SHA1

5cf0dbd97a3c879d53b1533d8e790e7d4cf8cbda
SHA256

5aa112eddf31f8533430f6401ac59e0c99c62d7e73f206e10e523b6544e304a9
SHA512

115dbe4ec2c4f4d8815d750b7c1afc37c8da435406287eb3d855cb7b47f665f476b309368d9a146413c04710eaf542634136bcbce6713a8356e94246e1a6652b
SSDEEP

3072:uz+92mhTMMJ/cPiq5bViKSTJK5XSCSJLf:uz+92mhAMJ/cPl3iKSTJUEJj

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\system32\drivers\etc\hоsts	cmd.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	akltitsoqiuwlhow.exe

Executes dropped EXE 1 IoCs

pid	Process
4664	akltitsoqiuwlhow.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	5aa112eddf31f8533430f6401ac59e0c99c62d7e73f206e10e523b6544e304a9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ok = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\akltitsoqiuwlhow\" :akrusofy.bat"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4984	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4984	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4664	akltitsoqiuwlhow.exe
4664	akltitsoqiuwlhow.exe
1184	cmd.exe
4620	cmd.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 4664	4520	5aa112eddf31f8533430f6401ac59e0c99c62d7e73f206e10e523b6544e304a9.exe	85
PID 4520 wrote to memory of 4664	4520	5aa112eddf31f8533430f6401ac59e0c99c62d7e73f206e10e523b6544e304a9.exe	85
PID 4520 wrote to memory of 4664	4520	5aa112eddf31f8533430f6401ac59e0c99c62d7e73f206e10e523b6544e304a9.exe	85
PID 4664 wrote to memory of 1184	4664	akltitsoqiuwlhow.exe	87
PID 4664 wrote to memory of 1184	4664	akltitsoqiuwlhow.exe	87
PID 4664 wrote to memory of 1184	4664	akltitsoqiuwlhow.exe	87
PID 4664 wrote to memory of 4620	4664	akltitsoqiuwlhow.exe	88
PID 4664 wrote to memory of 4620	4664	akltitsoqiuwlhow.exe	88
PID 4664 wrote to memory of 4620	4664	akltitsoqiuwlhow.exe	88
PID 1184 wrote to memory of 2836	1184	cmd.exe	91
PID 1184 wrote to memory of 2836	1184	cmd.exe	91
PID 1184 wrote to memory of 2836	1184	cmd.exe	91
PID 4620 wrote to memory of 2636	4620	cmd.exe	92
PID 4620 wrote to memory of 2636	4620	cmd.exe	92
PID 4620 wrote to memory of 2636	4620	cmd.exe	92
PID 4620 wrote to memory of 4984	4620	cmd.exe	93
PID 4620 wrote to memory of 4984	4620	cmd.exe	93
PID 4620 wrote to memory of 4984	4620	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\5aa112eddf31f8533430f6401ac59e0c99c62d7e73f206e10e523b6544e304a9.exe
"C:\Users\Admin\AppData\Local\Temp\5aa112eddf31f8533430f6401ac59e0c99c62d7e73f206e10e523b6544e304a9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Temp\akltitsoqiuwlhow.exe
  "C:\Users\Admin\AppData\Local\Temp\akltitsoqiuwlhow.exe" +++++++akrusofy.bat+++++++++++
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v ok /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\akltitsoqiuwlhow\" :akrusofy.bat" /f
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v ok /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\akltitsoqiuwlhow\" :akrusofy.bat" /f
      4⤵
      Adds Run key to start application
      PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\akrusofy.bat
    3⤵
    - Drops file in Drivers directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\SysWOW64\chcp.com
      chcp 866
      4⤵
      PID:2636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "praetorian.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\akltitsoqiuwlhow.exe

Filesize
24KB

MD5
303063b25efbf66b06220d58558c5163

SHA1
a5c2c8273806dfa400fc5507213094aeca17c52c

SHA256
209813f1bf3bc205bdfdcf10f3e782e76b19deae2e728eaa1dbe18f5ba4800e1

SHA512
b79b5d745753e49998b0cba023261f0176c71bc401cd5c26e6c15cc7cdbb436761455b941a622d670c84429df6369e30b28a467d7e294ef2d4f61750abedb323

Download Submit
C:\Users\Admin\AppData\Local\Temp\akltitsoqiuwlhow.exe

Filesize
24KB

MD5
303063b25efbf66b06220d58558c5163

SHA1
a5c2c8273806dfa400fc5507213094aeca17c52c

SHA256
209813f1bf3bc205bdfdcf10f3e782e76b19deae2e728eaa1dbe18f5ba4800e1

SHA512
b79b5d745753e49998b0cba023261f0176c71bc401cd5c26e6c15cc7cdbb436761455b941a622d670c84429df6369e30b28a467d7e294ef2d4f61750abedb323

Download Submit
C:\Users\Admin\AppData\Local\Temp\akrusofy.bat

Filesize
5KB

MD5
c326c056fe0ecd3ad7d1f75b8a05c3fd

SHA1
258ce0c93f7d9ea3ebe5b821692b21dbc5874d30

SHA256
6582390f4ffab47f5acaa6bdd7d1f0cb062892e361726401a4730173ebd62427

SHA512
4285c2823f8bf4559534db31c7e848e8a82e7ebcca3b469081644fa7a897d97ad903c691bf0263e419b4b5776b9102d7c464e05aac7d2298f30b3ed022c3c1aa

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
431B

MD5
6eb3670efd4cec84149dd682666d7d60

SHA1
ba250103ca3c4f20ecf2aeb27259a2412e485185

SHA256
96649c71f921696768a769c5dbe9c766cc422b1a8f9eefd9f83950f5b593a16e

SHA512
dc9b67805da4a95b45b855b1d3f0b3f492f1a707f16de652312973864adcb5ee6200950d43c68a0a9a104ac9ee8829a626ac8d7bd0f91e1808bc8561d94b4e5b

Download Submit

Analysis

Sharing