36107bcb37437361e7263e23be10d69dd016405de8137d2be08039be0194b604

General

Target

36107bcb37437361e7263e23be10d69dd016405de8137d2be08039be0194b604.exe
Size

206KB
MD5

46d85c3d5c0eb6c75fa191e2892a92a0
SHA1

ff4a9377f7a8e39d71a2a2f312ca02547bee787c
SHA256

36107bcb37437361e7263e23be10d69dd016405de8137d2be08039be0194b604
SHA512

b6b2a803a4ff3aa6239f451a7767d320a8ced4309a6027631f85bd3c769e23338c7bf46f2e73726ede8efc82843ff20abb0f69c840be07ea84635f283d5e9089
SSDEEP

3072:ClTSr+vbmJmU4QGKP179uPhnxfqeRNAlONeGqwXMI/FTQ6QrR2O3+oWGGFyirBSC:CkwKRPapnxfqqNW9I/JQj9+oWvrBXl

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4004	check.exe
3976	tmp1.exe
2600	tmp2.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	tmp1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	tmp2.exe

Loads dropped DLL 1 IoCs

pid	Process
736	36107bcb37437361e7263e23be10d69dd016405de8137d2be08039be0194b604.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "kdras.exe"	tmp1.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kdras.exe	tmp1.exe
File opened for modification	C:\Windows\SysWOW64\kdras.exe	tmp1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3976 set thread context of 4200	3976	tmp1.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo	tmp1.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International	tmp1.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo	tmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International	tmp2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3976	tmp1.exe
3976	tmp1.exe
3976	tmp1.exe
3976	tmp1.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3976	tmp1.exe
Token: SeSecurityPrivilege	3976	tmp1.exe
Token: SeTakeOwnershipPrivilege	3976	tmp1.exe
Token: SeLoadDriverPrivilege	3976	tmp1.exe
Token: SeSystemProfilePrivilege	3976	tmp1.exe
Token: SeSystemtimePrivilege	3976	tmp1.exe
Token: SeProfSingleProcessPrivilege	3976	tmp1.exe
Token: SeIncBasePriorityPrivilege	3976	tmp1.exe
Token: SeCreatePagefilePrivilege	3976	tmp1.exe
Token: SeBackupPrivilege	3976	tmp1.exe
Token: SeRestorePrivilege	3976	tmp1.exe
Token: SeShutdownPrivilege	3976	tmp1.exe
Token: SeDebugPrivilege	3976	tmp1.exe
Token: SeSystemEnvironmentPrivilege	3976	tmp1.exe
Token: SeChangeNotifyPrivilege	3976	tmp1.exe
Token: SeRemoteShutdownPrivilege	3976	tmp1.exe
Token: SeUndockPrivilege	3976	tmp1.exe
Token: SeManageVolumePrivilege	3976	tmp1.exe
Token: SeImpersonatePrivilege	3976	tmp1.exe
Token: SeCreateGlobalPrivilege	3976	tmp1.exe
Token: 33	3976	tmp1.exe
Token: 34	3976	tmp1.exe
Token: 35	3976	tmp1.exe
Token: 36	3976	tmp1.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 4004	736	36107bcb37437361e7263e23be10d69dd016405de8137d2be08039be0194b604.exe	80
PID 736 wrote to memory of 4004	736	36107bcb37437361e7263e23be10d69dd016405de8137d2be08039be0194b604.exe	80
PID 736 wrote to memory of 4004	736	36107bcb37437361e7263e23be10d69dd016405de8137d2be08039be0194b604.exe	80
PID 736 wrote to memory of 3976	736	36107bcb37437361e7263e23be10d69dd016405de8137d2be08039be0194b604.exe	82
PID 736 wrote to memory of 3976	736	36107bcb37437361e7263e23be10d69dd016405de8137d2be08039be0194b604.exe	82
PID 736 wrote to memory of 3976	736	36107bcb37437361e7263e23be10d69dd016405de8137d2be08039be0194b604.exe	82
PID 736 wrote to memory of 2600	736	36107bcb37437361e7263e23be10d69dd016405de8137d2be08039be0194b604.exe	83
PID 736 wrote to memory of 2600	736	36107bcb37437361e7263e23be10d69dd016405de8137d2be08039be0194b604.exe	83
PID 736 wrote to memory of 2600	736	36107bcb37437361e7263e23be10d69dd016405de8137d2be08039be0194b604.exe	83
PID 3976 wrote to memory of 4720	3976	tmp1.exe	85
PID 3976 wrote to memory of 4720	3976	tmp1.exe	85
PID 3976 wrote to memory of 4200	3976	tmp1.exe	86
PID 3976 wrote to memory of 4200	3976	tmp1.exe	86

C:\Users\Admin\AppData\Local\Temp\36107bcb37437361e7263e23be10d69dd016405de8137d2be08039be0194b604.exe
"C:\Users\Admin\AppData\Local\Temp\36107bcb37437361e7263e23be10d69dd016405de8137d2be08039be0194b604.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:736
- C:\Users\Admin\AppData\Local\Temp\check.exe
  C:\Users\Admin\AppData\Local\Temp\check.exe e -o+ -p5tMErkVqRHV9JgmrwiekJGpxTB98B package.tmp
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Users\Admin\AppData\Local\Temp\tmp1.exe
  C:\Users\Admin\AppData\Local\Temp\tmp1.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies WinLogon
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\bfsvc.exe
    C:\Windows\bfsvc.exe
    3⤵
    PID:4720
- - C:\Windows\bfsvc.exe
    C:\Windows\bfsvc.exe
    3⤵
    PID:4200
- C:\Users\Admin\AppData\Local\Temp\tmp2.exe
  C:\Users\Admin\AppData\Local\Temp\tmp2.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies Control Panel
  PID:2600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\check.exe

Filesize
199KB

MD5
42ef3012ffc38db6df75d9e52ee8caa7

SHA1
110191a2414670e8f02179287f099a6099f1a6a5

SHA256
5f20eebd9440f7f6af88200dfdd5d8bbe17a49174273390cdc498ba6296065e8

SHA512
4d932b0e2272e7243745ff02db2157c494fc2e15db052ad726c1d500d63275b400caa36522d5ec0910f7329219d996307d3813995560940347a8e6e35090de1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\check.exe

Filesize
199KB

MD5
42ef3012ffc38db6df75d9e52ee8caa7

SHA1
110191a2414670e8f02179287f099a6099f1a6a5

SHA256
5f20eebd9440f7f6af88200dfdd5d8bbe17a49174273390cdc498ba6296065e8

SHA512
4d932b0e2272e7243745ff02db2157c494fc2e15db052ad726c1d500d63275b400caa36522d5ec0910f7329219d996307d3813995560940347a8e6e35090de1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg83EE.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
C:\Users\Admin\AppData\Local\Temp\package.tmp

Filesize
47KB

MD5
676c4d745122ddf02084dca3f50110a8

SHA1
77cfdc99eb23a35bf59c007e8848863ad77858de

SHA256
975b269f72957e812b07dcb5108ee6e748fd1b8ab6b4a93069e2ad864e48e9d3

SHA512
e4f0e4ff694a6b5b28fc02cbcff902d4cf088f3951e2b9aa9d9a42bc0d2e43a82dca3de5f134c5c4ec718cb9379eb4264ad8e13095438190d218450505f49652

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
70KB

MD5
8af0d9c0a269469cd0139de27b32535c

SHA1
2f33c774ef61e4716cd187372440fd6b8ff6ee39

SHA256
64c9facc2755031f1fc4d12035fb1260b679c8ed205ca06d18c5c77786b054bc

SHA512
34bcfd8ad413fc89ccc2a34048facfa5d1628ff40ae030b90a0d170caf9f79814b8c71020ab92b308a7c75e9bd21b2a6f065e0c385f1bb45ca45964891db7b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
70KB

MD5
8af0d9c0a269469cd0139de27b32535c

SHA1
2f33c774ef61e4716cd187372440fd6b8ff6ee39

SHA256
64c9facc2755031f1fc4d12035fb1260b679c8ed205ca06d18c5c77786b054bc

SHA512
34bcfd8ad413fc89ccc2a34048facfa5d1628ff40ae030b90a0d170caf9f79814b8c71020ab92b308a7c75e9bd21b2a6f065e0c385f1bb45ca45964891db7b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
7KB

MD5
9ce53452efd7595f10eb426547216d64

SHA1
46387da4fa8fb3a807957ec24080fc24a9828732

SHA256
dfed42b0dc0cdd1d5258bbfe080147eb80dff1b23b54c5fb43eae5ad2fd50bf5

SHA512
4189d056672ec07c1d4359ed4109a2d01c43699ad30b66439266284bd46b78a1bda6b6afe1c919eb2492fd1480b5f95e45d346e2805fdf8f87db344f7e4d931a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
7KB

MD5
9ce53452efd7595f10eb426547216d64

SHA1
46387da4fa8fb3a807957ec24080fc24a9828732

SHA256
dfed42b0dc0cdd1d5258bbfe080147eb80dff1b23b54c5fb43eae5ad2fd50bf5

SHA512
4189d056672ec07c1d4359ed4109a2d01c43699ad30b66439266284bd46b78a1bda6b6afe1c919eb2492fd1480b5f95e45d346e2805fdf8f87db344f7e4d931a

Download Submit
memory/2600-156-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2600-157-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3976-140-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3976-144-0x000000006B800000-0x000000006B8F0000-memory.dmp

Filesize
960KB

Download
memory/3976-159-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing