5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4

General

Target

5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe
Size

479KB
MD5

13cc8500825e718f46b6b3cecd634480
SHA1

cb100a55b1c288c4b9fc9d81acdcffacf0834545
SHA256

5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4
SHA512

b3b1382e1d0feed46eb9542d79c99c6d45bcfab4bf3c207ae55528b5bc8a25f5dba066bc498069a8ed838168442add56193280b663fb76d21d1b9747154877e2
SSDEEP

1536:Zt34WlngkYFKynXvAh1MFOMLwOueYdqXhVBZXcMik421dNSkWNVYM3O3:ZCQgk6Kyn/wMFOMLN9AQdjWzT+

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4628	CBB9FE.exe
4804	CBB9FE.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2840-133-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/2840-135-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/2840-136-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/2840-140-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/2840-146-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3224 set thread context of 2840	3224	5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe	79

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2840	5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 2840	3224	5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe	79
PID 3224 wrote to memory of 2840	3224	5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe	79
PID 3224 wrote to memory of 2840	3224	5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe	79
PID 3224 wrote to memory of 2840	3224	5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe	79
PID 3224 wrote to memory of 2840	3224	5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe	79
PID 3224 wrote to memory of 2840	3224	5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe	79
PID 3224 wrote to memory of 2840	3224	5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe	79
PID 3224 wrote to memory of 2840	3224	5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe	79
PID 2840 wrote to memory of 4040	2840	5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe	80
PID 2840 wrote to memory of 4040	2840	5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe	80
PID 2840 wrote to memory of 4040	2840	5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe	80
PID 2840 wrote to memory of 4628	2840	5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe	81
PID 2840 wrote to memory of 4628	2840	5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe	81
PID 2840 wrote to memory of 4628	2840	5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe	81
PID 4628 wrote to memory of 4804	4628	CBB9FE.exe	82
PID 4628 wrote to memory of 4804	4628	CBB9FE.exe	82
PID 4628 wrote to memory of 4804	4628	CBB9FE.exe	82

C:\Users\Admin\AppData\Local\Temp\5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe
"C:\Users\Admin\AppData\Local\Temp\5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Local\Temp\5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe
  "C:\Users\Admin\AppData\Local\Temp\5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:4040
- - C:\Users\Admin\E8B2F987D6D8E5EE\CBB9FE.exe
    "C:\Users\Admin\E8B2F987D6D8E5EE\CBB9FE.exe" CBC7161E
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Users\Admin\E8B2F987D6D8E5EE\CBB9FE.exe
      CBC7161E
      4⤵
      Executes dropped EXE
      PID:4804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\E8B2F987D6D8E5EE\CBB9FE.exe

Filesize
479KB

MD5
13cc8500825e718f46b6b3cecd634480

SHA1
cb100a55b1c288c4b9fc9d81acdcffacf0834545

SHA256
5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4

SHA512
b3b1382e1d0feed46eb9542d79c99c6d45bcfab4bf3c207ae55528b5bc8a25f5dba066bc498069a8ed838168442add56193280b663fb76d21d1b9747154877e2

Download Submit
C:\Users\Admin\E8B2F987D6D8E5EE\CBB9FE.exe

Filesize
479KB

MD5
13cc8500825e718f46b6b3cecd634480

SHA1
cb100a55b1c288c4b9fc9d81acdcffacf0834545

SHA256
5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4

SHA512
b3b1382e1d0feed46eb9542d79c99c6d45bcfab4bf3c207ae55528b5bc8a25f5dba066bc498069a8ed838168442add56193280b663fb76d21d1b9747154877e2

Download Submit
C:\Users\Admin\E8B2F987D6D8E5EE\CBB9FE.exe

Filesize
479KB

MD5
13cc8500825e718f46b6b3cecd634480

SHA1
cb100a55b1c288c4b9fc9d81acdcffacf0834545

SHA256
5d7f07201565273a9f5f4db7c736a53244dcb0c5a57b5b60e80e002d3212ecf4

SHA512
b3b1382e1d0feed46eb9542d79c99c6d45bcfab4bf3c207ae55528b5bc8a25f5dba066bc498069a8ed838168442add56193280b663fb76d21d1b9747154877e2

Download Submit
memory/2840-132-0x0000000000000000-mapping.dmp

Download
memory/2840-133-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2840-135-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2840-136-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2840-140-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2840-146-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4040-139-0x0000000000000000-mapping.dmp

Download
memory/4628-141-0x0000000000000000-mapping.dmp

Download
memory/4804-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing