b8ea594ce0a29e8cc86281464fd1016f90cdf128ca82571ce369c335e73ccdd4

General

Target

b8ea594ce0a29e8cc86281464fd1016f90cdf128ca82571ce369c335e73ccdd4.exe
Size

1.1MB
MD5

6dbfab3afa2032fdbc59386b585fe442
SHA1

883bed30db1eb004b8b6ff00755f87a51d392929
SHA256

b8ea594ce0a29e8cc86281464fd1016f90cdf128ca82571ce369c335e73ccdd4
SHA512

8feb3e644be0fba6cf65e1284c1c782e48f0d5acb09dab26dac3c586d0feca2c0cab98096e4cabcc06e3dab2085f7dde0aa42b19e001b0ee5992ccb4b0be5d64
SSDEEP

24576:87t3GxS74MvT1p9UuT8u/dVlO1LtGl1GAcd:UwW4op9Iu/dVY1k1G9

Score

8^/10

aspackv2 upx

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000022e07-139.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e07-140.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
4384	sup.exe
1900	a_friend.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3500-132-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/3500-142-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b8ea594ce0a29e8cc86281464fd1016f90cdf128ca82571ce369c335e73ccdd4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 4384	3500	b8ea594ce0a29e8cc86281464fd1016f90cdf128ca82571ce369c335e73ccdd4.exe	80
PID 3500 wrote to memory of 4384	3500	b8ea594ce0a29e8cc86281464fd1016f90cdf128ca82571ce369c335e73ccdd4.exe	80
PID 3500 wrote to memory of 4384	3500	b8ea594ce0a29e8cc86281464fd1016f90cdf128ca82571ce369c335e73ccdd4.exe	80
PID 4384 wrote to memory of 728	4384	sup.exe	81
PID 4384 wrote to memory of 728	4384	sup.exe	81
PID 4384 wrote to memory of 728	4384	sup.exe	81
PID 728 wrote to memory of 1900	728	cmd.exe	83
PID 728 wrote to memory of 1900	728	cmd.exe	83
PID 728 wrote to memory of 1900	728	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\b8ea594ce0a29e8cc86281464fd1016f90cdf128ca82571ce369c335e73ccdd4.exe
"C:\Users\Admin\AppData\Local\Temp\b8ea594ce0a29e8cc86281464fd1016f90cdf128ca82571ce369c335e73ccdd4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3500
- C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe
  "C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt8416.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:728
  - - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\a_friend.exe
      a_friend.exe
      4⤵
      Executes dropped EXE
      PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\a_friend.exe

Filesize
464KB

MD5
af84930391f2537390bf7cd68471a89e

SHA1
1f8b5b792d872bd0a0466139802a52d95f71a519

SHA256
de0b629287b0f2c7ce56d94c7fc199f0756e56ebb7976de42590c2a3ca5b7070

SHA512
91320659053138a0565aadb9e0ca41689281f8b4c4bf23ce35a13cf7ed6ce579a6797cac02a4571705dfe30438726801b59606a74337e7ea1589c7a30a704881

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\a_friend.exe

Filesize
464KB

MD5
af84930391f2537390bf7cd68471a89e

SHA1
1f8b5b792d872bd0a0466139802a52d95f71a519

SHA256
de0b629287b0f2c7ce56d94c7fc199f0756e56ebb7976de42590c2a3ca5b7070

SHA512
91320659053138a0565aadb9e0ca41689281f8b4c4bf23ce35a13cf7ed6ce579a6797cac02a4571705dfe30438726801b59606a74337e7ea1589c7a30a704881

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe

Filesize
146KB

MD5
8ecf1b30f5fbb12a2fe138364d351a26

SHA1
ff0b828a9df228cf05898d6db9982a1fedbc0584

SHA256
22a51f140a738f69da01c21ab6fcf9a5ec653da1e4a73ad107e1a0faffba16fb

SHA512
1971ea29934fb3c09c53d41db23616f2d3b89bba81db51ce7f09840489f0d471dd8bfe5b09d335020f11047af744c4c4c5ab3d896f9b8d222b6b93c419201560

Download Submit
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe

Filesize
146KB

MD5
8ecf1b30f5fbb12a2fe138364d351a26

SHA1
ff0b828a9df228cf05898d6db9982a1fedbc0584

SHA256
22a51f140a738f69da01c21ab6fcf9a5ec653da1e4a73ad107e1a0faffba16fb

SHA512
1971ea29934fb3c09c53d41db23616f2d3b89bba81db51ce7f09840489f0d471dd8bfe5b09d335020f11047af744c4c4c5ab3d896f9b8d222b6b93c419201560

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt8416.bat

Filesize
220B

MD5
df6887d17e2c9912e637347ec7ca20b5

SHA1
dfcd2ad7429ac5ad537e6b7d10004cd7c9168066

SHA256
f331858ea0c53b1a2b1fa301f5e74dddc7888dd874bd3968007dae4e4808d39c

SHA512
b79559945d4ca0d78fb12ff15d397e4bbd4e0bae6eba96721bffc246b3c423e5cd2bd1aacaeed12f5740e111cd8dafcef9c97a497022da0deff44770464e885f

Download Submit
memory/1900-141-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/1900-143-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/3500-132-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3500-142-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing