aa57e89fcf86db2cd81fe8e8a726e02ed4070f84849c20bc0264375b47638753

General

Target

aa57e89fcf86db2cd81fe8e8a726e02ed4070f84849c20bc0264375b47638753.exe
Size

8KB
MD5

df6f2c54fd06c1c91b6e184fe4b5fa94
SHA1

8d64f2341a05be0b75521e61eeafb8f2fa98aca2
SHA256

aa57e89fcf86db2cd81fe8e8a726e02ed4070f84849c20bc0264375b47638753
SHA512

08b5614b4768e853bad042acbd58f2d35e4c107fb2f3453d6a13143599289f7a03f152dcea575db89d1e05bf21f04dfc8fb300ed344b86d50e7e3aa2335086b0
SSDEEP

192:J+TbHZ43feKWJ9EH1scZSNjVd2tFaNJhLkwcud2DH9VwGfctqR:Me3WKik1lSNjVQbaNJawcudoD7UE

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2844	b2e.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3384-132-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3384-133-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3384-136-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	aa57e89fcf86db2cd81fe8e8a726e02ed4070f84849c20bc0264375b47638753.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	b2e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 2844	3384	aa57e89fcf86db2cd81fe8e8a726e02ed4070f84849c20bc0264375b47638753.exe	83
PID 3384 wrote to memory of 2844	3384	aa57e89fcf86db2cd81fe8e8a726e02ed4070f84849c20bc0264375b47638753.exe	83
PID 3384 wrote to memory of 2844	3384	aa57e89fcf86db2cd81fe8e8a726e02ed4070f84849c20bc0264375b47638753.exe	83
PID 2844 wrote to memory of 5040	2844	b2e.exe	84
PID 2844 wrote to memory of 5040	2844	b2e.exe	84
PID 2844 wrote to memory of 5040	2844	b2e.exe	84
PID 2844 wrote to memory of 4412	2844	b2e.exe	87
PID 2844 wrote to memory of 4412	2844	b2e.exe	87
PID 2844 wrote to memory of 4412	2844	b2e.exe	87

C:\Users\Admin\AppData\Local\Temp\aa57e89fcf86db2cd81fe8e8a726e02ed4070f84849c20bc0264375b47638753.exe
"C:\Users\Admin\AppData\Local\Temp\aa57e89fcf86db2cd81fe8e8a726e02ed4070f84849c20bc0264375b47638753.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Users\Admin\AppData\Local\Temp\7EA6.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7EA6.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7EA6.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\aa57e89fcf86db2cd81fe8e8a726e02ed4070f84849c20bc0264375b47638753.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\978D.tmp\batfile.bat" "
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    PID:4412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7EA6.tmp\b2e.exe

Filesize
8KB

MD5
67bf1b2a34ffccc65d478277a844711b

SHA1
9a3698611804f60bae0a7933108ab8c1fd771e85

SHA256
08b8c9d0973e57c3e92dbe8a78216d1c670250e34b415a7e36b3b7759e0cfe94

SHA512
2be8b3f56a9c2ef3f20289175463fe9efb0f4921f267d15886ebe6221ac6c9b93411555b930c60388118efea5c3dd3accd4e44ea93c7ed3364b9749417cd4908

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EA6.tmp\b2e.exe

Filesize
8KB

MD5
67bf1b2a34ffccc65d478277a844711b

SHA1
9a3698611804f60bae0a7933108ab8c1fd771e85

SHA256
08b8c9d0973e57c3e92dbe8a78216d1c670250e34b415a7e36b3b7759e0cfe94

SHA512
2be8b3f56a9c2ef3f20289175463fe9efb0f4921f267d15886ebe6221ac6c9b93411555b930c60388118efea5c3dd3accd4e44ea93c7ed3364b9749417cd4908

Download Submit
C:\Users\Admin\AppData\Local\Temp\978D.tmp\batfile.bat

Filesize
34B

MD5
efd9738ba2634cd0e67cc24814e46bc8

SHA1
e8099de92bd45e6434f21433ac86aef14ff06daa

SHA256
8a81b27fa0f07f5ce044ccdc634effe21b556e3ae35f376f9bb0baae89f7c0f5

SHA512
f850936ffb290e681d5674ec54aebb4d1f301b054e1ecbf2c396097abee43df5a2477270adb12abeef096b0682a55b7066b54dd313c75de903d71bda784735dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
3bb2e9a8cec4833745437b787e4e121b

SHA1
2fdd65146c1f5cddc5700d1e203eff2ace44ab5b

SHA256
a7caf61a326b6eba00a65dcfc8e5197ee9908422e659b94581cb2cc4a930b847

SHA512
68a55399d016fb25f3bd1b48fad5be09624c10d6e7946fd7ac3ace0bf26861f92525155c07a1459c5d15379fbc10dfe616334d5bb1c437af3c7fd05413729415

Download Submit
memory/2844-134-0x0000000000000000-mapping.dmp

Download
memory/2844-138-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2844-142-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3384-132-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3384-133-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3384-136-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4412-141-0x0000000000000000-mapping.dmp

Download
memory/5040-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing