e77948b5a238251a8765acbc392671014fe7298dd177db8262a10c4f4deb5f6f

General

Target

e77948b5a238251a8765acbc392671014fe7298dd177db8262a10c4f4deb5f6f.exe
Size

102KB
MD5

1d9e7bdde571ebc3642892e71ac1ade5
SHA1

f4f0cb78e1c2c5acf88c1cd51f617c13bc3c0708
SHA256

e77948b5a238251a8765acbc392671014fe7298dd177db8262a10c4f4deb5f6f
SHA512

c81e5e4a7aa0e7c6d6303852332e10c17e2ac476bb5d4cedbeda71aba2b2b556fa58e4ed5c94b997bcb56e045c21241384a4fe1becbcbf2f6ffd4e180cdf4de8
SSDEEP

3072:nbLpZuEskJoU4gURKKaacfslyhE03imZ755aL:nbOOJYKKa1fZ5aL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3728	pdyq.exe
3592	mdqj.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	mdqj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	pdyq.exe

Unexpected DNS network traffic destination 38 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	85.255.112.157
Destination IP	85.255.114.6
Destination IP	85.255.114.6
Destination IP	85.255.112.157
Destination IP	85.255.114.6
Destination IP	85.255.114.6
Destination IP	85.255.112.157
Destination IP	85.255.112.157
Destination IP	85.255.112.157
Destination IP	85.255.112.157
Destination IP	85.255.114.6
Destination IP	85.255.112.157
Destination IP	85.255.112.157
Destination IP	85.255.114.6
Destination IP	85.255.114.6
Destination IP	85.255.112.157
Destination IP	85.255.114.6
Destination IP	85.255.112.157
Destination IP	85.255.114.6
Destination IP	85.255.112.157
Destination IP	85.255.114.6
Destination IP	85.255.112.157
Destination IP	85.255.112.157
Destination IP	85.255.114.6
Destination IP	85.255.112.157
Destination IP	85.255.112.157
Destination IP	85.255.114.6
Destination IP	85.255.114.6
Destination IP	85.255.114.6
Destination IP	85.255.114.6
Destination IP	85.255.112.157
Destination IP	85.255.114.6
Destination IP	85.255.112.157
Destination IP	85.255.112.157
Destination IP	85.255.112.157
Destination IP	85.255.114.6
Destination IP	85.255.114.6
Destination IP	85.255.114.6

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "kdfai.exe"	mdqj.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\kdfai.exe	mdqj.exe
File created	C:\Windows\SysWOW64\kdfai.exe	mdqj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3592 set thread context of 3444	3592	mdqj.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 5 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1756	ipconfig.exe
2520	ipconfig.exe
3440	ipconfig.exe
4260	ipconfig.exe
3368	ipconfig.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo	pdyq.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International	pdyq.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo	mdqj.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International	mdqj.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3592	mdqj.exe
3592	mdqj.exe
3592	mdqj.exe
3592	mdqj.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3592	mdqj.exe
Token: SeSecurityPrivilege	3592	mdqj.exe
Token: SeTakeOwnershipPrivilege	3592	mdqj.exe
Token: SeLoadDriverPrivilege	3592	mdqj.exe
Token: SeSystemProfilePrivilege	3592	mdqj.exe
Token: SeSystemtimePrivilege	3592	mdqj.exe
Token: SeProfSingleProcessPrivilege	3592	mdqj.exe
Token: SeIncBasePriorityPrivilege	3592	mdqj.exe
Token: SeCreatePagefilePrivilege	3592	mdqj.exe
Token: SeBackupPrivilege	3592	mdqj.exe
Token: SeRestorePrivilege	3592	mdqj.exe
Token: SeShutdownPrivilege	3592	mdqj.exe
Token: SeDebugPrivilege	3592	mdqj.exe
Token: SeSystemEnvironmentPrivilege	3592	mdqj.exe
Token: SeChangeNotifyPrivilege	3592	mdqj.exe
Token: SeRemoteShutdownPrivilege	3592	mdqj.exe
Token: SeUndockPrivilege	3592	mdqj.exe
Token: SeManageVolumePrivilege	3592	mdqj.exe
Token: SeImpersonatePrivilege	3592	mdqj.exe
Token: SeCreateGlobalPrivilege	3592	mdqj.exe
Token: 33	3592	mdqj.exe
Token: 34	3592	mdqj.exe
Token: 35	3592	mdqj.exe
Token: 36	3592	mdqj.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 3728	1276	e77948b5a238251a8765acbc392671014fe7298dd177db8262a10c4f4deb5f6f.exe	83
PID 1276 wrote to memory of 3728	1276	e77948b5a238251a8765acbc392671014fe7298dd177db8262a10c4f4deb5f6f.exe	83
PID 1276 wrote to memory of 3728	1276	e77948b5a238251a8765acbc392671014fe7298dd177db8262a10c4f4deb5f6f.exe	83
PID 1276 wrote to memory of 3592	1276	e77948b5a238251a8765acbc392671014fe7298dd177db8262a10c4f4deb5f6f.exe	84
PID 1276 wrote to memory of 3592	1276	e77948b5a238251a8765acbc392671014fe7298dd177db8262a10c4f4deb5f6f.exe	84
PID 1276 wrote to memory of 3592	1276	e77948b5a238251a8765acbc392671014fe7298dd177db8262a10c4f4deb5f6f.exe	84
PID 3592 wrote to memory of 3444	3592	mdqj.exe	85
PID 3592 wrote to memory of 3444	3592	mdqj.exe	85
PID 3728 wrote to memory of 1756	3728	pdyq.exe	86
PID 3728 wrote to memory of 1756	3728	pdyq.exe	86
PID 3728 wrote to memory of 1756	3728	pdyq.exe	86
PID 3728 wrote to memory of 2520	3728	pdyq.exe	88
PID 3728 wrote to memory of 2520	3728	pdyq.exe	88
PID 3728 wrote to memory of 2520	3728	pdyq.exe	88
PID 3728 wrote to memory of 3440	3728	pdyq.exe	90
PID 3728 wrote to memory of 3440	3728	pdyq.exe	90
PID 3728 wrote to memory of 3440	3728	pdyq.exe	90
PID 3728 wrote to memory of 4260	3728	pdyq.exe	91
PID 3728 wrote to memory of 4260	3728	pdyq.exe	91
PID 3728 wrote to memory of 4260	3728	pdyq.exe	91
PID 3728 wrote to memory of 3368	3728	pdyq.exe	94
PID 3728 wrote to memory of 3368	3728	pdyq.exe	94
PID 3728 wrote to memory of 3368	3728	pdyq.exe	94

C:\Users\Admin\AppData\Local\Temp\e77948b5a238251a8765acbc392671014fe7298dd177db8262a10c4f4deb5f6f.exe
"C:\Users\Admin\AppData\Local\Temp\e77948b5a238251a8765acbc392671014fe7298dd177db8262a10c4f4deb5f6f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\pdyq.exe
  pdyq.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /flushdns
    3⤵
    - Gathers network information
    PID:1756
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /registerdns
    3⤵
    - Gathers network information
    PID:2520
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /dnsflush
    3⤵
    - Gathers network information
    PID:3440
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /renew
    3⤵
    - Gathers network information
    PID:4260
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /renew_all
    3⤵
    - Gathers network information
    PID:3368
- C:\Users\Admin\AppData\Local\Temp\mdqj.exe
  mdqj.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies WinLogon
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    3⤵
    - Modifies registry class
    PID:3444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mdqj.exe

Filesize
61KB

MD5
9f51eddb63268d85a3b58847c215b499

SHA1
af969a5d5bbea308a371b69ce0b0a4c632049c91

SHA256
8789a1c1c255840701010e7675e38b434a24e4c3af35b91bf1f0410feb7be7cd

SHA512
56fac48804dce4f4cc857b64a6117bd597a50c78984a6eb8fdd71b9aeace5ea1da621ee1741e1b1118ae6b4112945f28443d2b5b22605900976c115bbbcf31cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdqj.exe

Filesize
61KB

MD5
9f51eddb63268d85a3b58847c215b499

SHA1
af969a5d5bbea308a371b69ce0b0a4c632049c91

SHA256
8789a1c1c255840701010e7675e38b434a24e4c3af35b91bf1f0410feb7be7cd

SHA512
56fac48804dce4f4cc857b64a6117bd597a50c78984a6eb8fdd71b9aeace5ea1da621ee1741e1b1118ae6b4112945f28443d2b5b22605900976c115bbbcf31cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdyq.exe

Filesize
7KB

MD5
0663a67123bef8c4d90b3cca02718680

SHA1
2442051db230aa23dbe9b624eea18d86da466299

SHA256
0bab5c1c29c68bcb378079724a6848fb176affdc2b540d52f9c903f294d47343

SHA512
061ceeb21a772d38ab09a0692e226f4365fece0c50e0732824f312072fef4fdd3a1fb866b772f1d6cc9f7696f72b1e378af9481adaa97b60a99e5fe8b66857a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdyq.exe

Filesize
7KB

MD5
0663a67123bef8c4d90b3cca02718680

SHA1
2442051db230aa23dbe9b624eea18d86da466299

SHA256
0bab5c1c29c68bcb378079724a6848fb176affdc2b540d52f9c903f294d47343

SHA512
061ceeb21a772d38ab09a0692e226f4365fece0c50e0732824f312072fef4fdd3a1fb866b772f1d6cc9f7696f72b1e378af9481adaa97b60a99e5fe8b66857a2

Download Submit
memory/3592-139-0x000000006B800000-0x000000006B8F0000-memory.dmp

Filesize
960KB

Download
memory/3592-151-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3592-153-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3728-135-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads