c21838a03307cd311d7476709346d8a132861859d5eab6a638910fb73f87fc01

General

Target

c21838a03307cd311d7476709346d8a132861859d5eab6a638910fb73f87fc01.exe
Size

743KB
MD5

b6e08a65972c4023436c14a359fe73af
SHA1

611847af498d29c8e2404fc7124c994c5f4085b1
SHA256

c21838a03307cd311d7476709346d8a132861859d5eab6a638910fb73f87fc01
SHA512

569d9d02fb73d3637e35f52939436a14d09818431f7663526d6c5f08792a8390da631d64f59ddac08b53f984fc326da3431b73470a5642e5a0cbf7a686527df3
SSDEEP

12288:LczJJhqrVPllvKspPT3GWGqWKNiTic4RVavipq2i3e3eRYSLuzq:LczJKVdD3GzqWTec4RcEq2i3euR/uzq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c21838a03307cd311d7476709346d8a132861859d5eab6a638910fb73f87fc01.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	c21838a03307cd311d7476709346d8a132861859d5eab6a638910fb73f87fc01.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

c21838a03307cd311d7476709346d8a132861859d5eab6a638910fb73f87fc01.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	c21838a03307cd311d7476709346d8a132861859d5eab6a638910fb73f87fc01.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c21838a03307cd311d7476709346d8a132861859d5eab6a638910fb73f87fc01.exeWScript.execmd.exe

description	pid	process	target process
PID 5060 wrote to memory of 1752	5060	c21838a03307cd311d7476709346d8a132861859d5eab6a638910fb73f87fc01.exe	WScript.exe
PID 5060 wrote to memory of 1752	5060	c21838a03307cd311d7476709346d8a132861859d5eab6a638910fb73f87fc01.exe	WScript.exe
PID 5060 wrote to memory of 1752	5060	c21838a03307cd311d7476709346d8a132861859d5eab6a638910fb73f87fc01.exe	WScript.exe
PID 1752 wrote to memory of 4204	1752	WScript.exe	cmd.exe
PID 1752 wrote to memory of 4204	1752	WScript.exe	cmd.exe
PID 1752 wrote to memory of 4204	1752	WScript.exe	cmd.exe
PID 4204 wrote to memory of 628	4204	cmd.exe	reg.exe
PID 4204 wrote to memory of 628	4204	cmd.exe	reg.exe
PID 4204 wrote to memory of 628	4204	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\c21838a03307cd311d7476709346d8a132861859d5eab6a638910fb73f87fc01.exe
"C:\Users\Admin\AppData\Local\Temp\c21838a03307cd311d7476709346d8a132861859d5eab6a638910fb73f87fc01.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\A.I.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Run.cmd" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Office\14.0" /s
4⤵
PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\A.I.vbs

Filesize
142B

MD5
caa3eb92c5d0044698cb72ea699f5022

SHA1
19b81006722a84395a9ee1486494a050ddf4dd0f

SHA256
5d9fd4c0364235e54a490a79f482dcc6e61d6ea7092e7dcfd53434df8b11e9d2

SHA512
93960758183eeecbe5fb1cb3b9448b51169444d6e42e1e66427362e430b1622d366f5b9e670487bd4ebefe9d540e74882b4c8847e7cff23374fbc57e1adbdddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Run.cmd

Filesize
2KB

MD5
ebfcb3f32c9120834f5b343c943028ee

SHA1
b010ae7589b2f61c3f186ecb17fece2823a1df7c

SHA256
9a318489ebad778d06dcfc2fdf9e17a95f005d30c25e07f05f6694cd08bec341

SHA512
8a575790b5aaf668ba3b2a5028331a70948f063b3f08c3cede6da590a017b24371613192cabd08ef12a884c03222f1f8e338994080b2fba920a13edfe9774bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.exe

Filesize
412KB

MD5
bf577094d53599f1ae46fdc409ccc9ff

SHA1
53a45bf84e66ddb51fe99b6dd8acd25ee1e4c718

SHA256
e4fbb213a63e375c318712ec3a91f6341e6a08941a69c57e68cacaf5cd41337d

SHA512
3234080f01092cd605549f724f3cc6fb17b571b90f21f11ca314c68e00ce7d64c54384ef47472abca0d6d18f43c3f041a5b141d31bcde027bea2abbdd65bae52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.reg

Filesize
314B

MD5
91dc95a38d11701bcce847af2833e325

SHA1
6c78dc43ada507c8649177dbbee65c76f408d1a0

SHA256
abbabbd757aab5953be79b4ad2279eabfb7ee09dd7bc88a39cca01452d982ec2

SHA512
cbeba9ceda31cad1cc85d038b854b1c5c0f61e20d1d5f94f3c79ea67d279a30942fbdd32eb5a11f56336301e691b0a64389eacbaf74b4e5204f4c1b12617a116

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\oc.cmd

Filesize
101B

MD5
885d3dbca690177ab9c86c04736e02a6

SHA1
70906e97cd79011a449fede2448eaa91dee020de

SHA256
a950c4894ab269be4913149c3228f773fbce10a175e2a76b13482f263b8d89a4

SHA512
8209018e0925736984b1a228407ea2cde2c1dc9e54de23cc1998f16c55df3e91a0780641563ea3484a785cbd9d1b0b64696bbac25e6a0a50e74a23a0bf95d5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\oga.dll

Filesize
651KB

MD5
964a4192ffb663b98ec612c69fb7b4bd

SHA1
bb9aec8dda35818a7d7b24ac9751c8c881a64cde

SHA256
69ceb118bcbadb2b828855db26d53bc4cbb3b6c26b482ac9d0d947a3d3045eaf

SHA512
1486237ba86fc01390b4c5cd58bf62795f0ef96f9cce524d1d62b76120700fa96cdd374897753fd847ec7b20019c28486119d667d6b71dd2f7a9e1405f60da68

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ospp.vbs

Filesize
48KB

MD5
572e9a87757ac96c7677fd1b1b113c55

SHA1
9c8b96971997cd2dc0ed14f19dd9bc56d3348c3a

SHA256
008cf05944053116a095ad466561d3fd4be8a7de79e5ada7c5daab492f730465

SHA512
bf670754942cfa839de4a31676a3ba2ac8cd1a00de6f1b70aff995e14a9c489e996e9a019898ec3470a11d02c14ab7a8fe4855a8f028d6b4ea987e51411d7be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\slerror.xml

Filesize
32KB

MD5
df1ef05879e06c5f09f3e1022f37b5cb

SHA1
23aaac40baec28397bb59cfa584e165062d18506

SHA256
d49adf2dabbbf6aa43ce4e336af4f768207df75302ebf568a94a5350aac988c5

SHA512
78f0d21538483d3bac9d8b409554ac89a98a4943666f0ff88207831ab3e1d264c2efa0ea0e4703375aa15516809353f9b7477561a0a4ffe0b930b3e39f8b7e07

Download Submit
memory/628-136-0x0000000000000000-mapping.dmp

Download
memory/1752-132-0x0000000000000000-mapping.dmp

Download
memory/4204-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads