d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d

General

Target

d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe
Size

380KB
MD5

92755b55559f0e8bdb99349174492f5c
SHA1

bf9f6475fde5952e4ed0e2fbbef752912abb0b94
SHA256

d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d
SHA512

80395cfba34752a6cecafc9387ad486368d507af95b41c76977fa52b5f0fe1b6e7e56c101234f319f541f9884ea9b093dbdb2d5545947eddfa1af7fbef6dd2e0
SSDEEP

6144:Qoy8kq/mn2Ty3WgROsgykVl/j7sBfZpJ+ssVQxTzXHEXU0/X9zbKlkc9JnzCvz7N:lLUY4kVl7Y/mVQ1raU4XlbKlJzc7rcK3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4436	27.sfx.exe
4920	27.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	27.sfx.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\found.exe	27.exe
File created	C:\Windows\SysWOW64\found.exe	27.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Debug\found32.dll	27.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18EDD7A0-87EF-45B7-85CF-6A7E1341E2BB}\InProcServer32\ = "C:\\Windows\\Debug\\found32.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18EDD7A0-87EF-45B7-85CF-6A7E1341E2BB}\InProcServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	27.sfx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18EDD7A0-87EF-45B7-85CF-6A7E1341E2BB}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18EDD7A0-87EF-45B7-85CF-6A7E1341E2BB}\ = "url"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18EDD7A0-87EF-45B7-85CF-6A7E1341E2BB}\InProcServer32	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3484	regedit.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 4436	4284	d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe	80
PID 4284 wrote to memory of 4436	4284	d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe	80
PID 4284 wrote to memory of 4436	4284	d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe	80
PID 4436 wrote to memory of 4920	4436	27.sfx.exe	81
PID 4436 wrote to memory of 4920	4436	27.sfx.exe	81
PID 4436 wrote to memory of 4920	4436	27.sfx.exe	81
PID 4920 wrote to memory of 4872	4920	27.exe	82
PID 4920 wrote to memory of 4872	4920	27.exe	82
PID 4920 wrote to memory of 4872	4920	27.exe	82
PID 4920 wrote to memory of 4888	4920	27.exe	85
PID 4920 wrote to memory of 4888	4920	27.exe	85
PID 4920 wrote to memory of 4888	4920	27.exe	85
PID 4872 wrote to memory of 3484	4872	cmd.exe	86
PID 4872 wrote to memory of 3484	4872	cmd.exe	86
PID 4872 wrote to memory of 3484	4872	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe
"C:\Users\Admin\AppData\Local\Temp\d10397b0e5b624839af29daa50d9b5764a221b1e7408779cf14f1b4d96bfb93d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.sfx.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fnous.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s C:\Users\Admin\AppData\Local\Temp\nothks.reg
        5⤵
        Modifies registry class
        Runs .reg file with regedit
        
        PID:3484
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.exe"
      4⤵
      PID:4888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.exe

Filesize
194KB

MD5
85529ed8be19e0cfc8408a541f02e19f

SHA1
ca0e15300463621bec1fc91728000f1a73a3e461

SHA256
aa4a476faff39936588e29ef13f36460f00232e9e2346064ea13cc415a9311c5

SHA512
a5c501c4b7d0ad3872308e4e9bcefd4d3e9d13e07303ffaacc841057517c8238f348beadd9538f81a663e9c8c543fd5ad2365302780ef08eba0c1cd3f303b286

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.exe

Filesize
194KB

MD5
85529ed8be19e0cfc8408a541f02e19f

SHA1
ca0e15300463621bec1fc91728000f1a73a3e461

SHA256
aa4a476faff39936588e29ef13f36460f00232e9e2346064ea13cc415a9311c5

SHA512
a5c501c4b7d0ad3872308e4e9bcefd4d3e9d13e07303ffaacc841057517c8238f348beadd9538f81a663e9c8c543fd5ad2365302780ef08eba0c1cd3f303b286

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.sfx.exe

Filesize
265KB

MD5
b6bfaab8c3930f7f662eae3409f50e1e

SHA1
1a095262ed56ce4fcda7471536302a1056f84e65

SHA256
552399c08861d1590324c67daf57de58a6bd9dcb027a80baa8313c57124cd518

SHA512
ee04c5b601898b398a34beebe82c6b40203900c797836d93aeb10c8b645ec19f312f35dd817e3c10d79ff67ed6ce1d9832cb70e635d66f6c22e450fc122727e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\27.sfx.exe

Filesize
265KB

MD5
b6bfaab8c3930f7f662eae3409f50e1e

SHA1
1a095262ed56ce4fcda7471536302a1056f84e65

SHA256
552399c08861d1590324c67daf57de58a6bd9dcb027a80baa8313c57124cd518

SHA512
ee04c5b601898b398a34beebe82c6b40203900c797836d93aeb10c8b645ec19f312f35dd817e3c10d79ff67ed6ce1d9832cb70e635d66f6c22e450fc122727e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnous.bat

Filesize
126B

MD5
7ab275c1bc8750fe49119429e12ab856

SHA1
ea556c59c5d3f2be584d2e208ba42a1540f46986

SHA256
8d96bacc0e4651d7b8c27613f3f721bb89ca9fb9430bab66b2ef90bfe8cb5bb3

SHA512
7fe4bce942523a6adde6d83fc2f63302283f3e0642db4f9f650d50ba8f6f2b7b587229736521615d54b596f24a23146ab7aecb512c145b8dc4b81050ac3576c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nothks.reg

Filesize
403B

MD5
e1db5e72383ca2535cc04d98efb0f6e6

SHA1
b3407d394658ad2d4ef59179fd2ddd419a1dc1d7

SHA256
52a9ba0c766a4da941eb674797f1770712e64e2d2104271b4ff6368a45ba5c31

SHA512
6ac5c144d0103b722a7203b04f79b3c691ff1393b59555a7ccd454a10a64e2c60111e9e45dc1fdaa3fdf180fac2b0416250aa0180a946c772bd3f1225c15c095

Download Submit
memory/4920-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4920-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing