91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb

General

Target

91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe
Size

2.1MB
MD5

5ab4ac6c886426002b500f5b930bdec7
SHA1

9b458ab21b911ac02e399d756d0c4d39c3ac35fc
SHA256

91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb
SHA512

94a7f31392404661dc87e5eac78c7d749d463f77c04a80df9db4d0bfb9c3db0d0d67609134bc16070a652fe5f094b5170592395d91a7bee26b6b2e1334cb0884
SSDEEP

49152:x8QIFwwVoL3j6d7kLeGChEz/568UaLTyswqnhIQX:6Soi2kqGChEN3Ua/rwqnh

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2608	ÇéÃÔ¶¼ÊÐ.sfx.exe
5016	SkyTol.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SkyTol.exe	91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe
File created	\??\c:\windows\kill.bat	91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe
File opened for modification	\??\c:\windows\ÇéÃÔ¶¼ÊÐ.sfx.exe	91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3228	91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe
3228	91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe
3228	91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe
5016	SkyTol.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 2608	3228	91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe	79
PID 3228 wrote to memory of 2608	3228	91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe	79
PID 3228 wrote to memory of 2608	3228	91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe	79
PID 3228 wrote to memory of 5016	3228	91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe	82
PID 3228 wrote to memory of 5016	3228	91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe	82
PID 3228 wrote to memory of 5016	3228	91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe	82
PID 3228 wrote to memory of 3968	3228	91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe	83
PID 3228 wrote to memory of 3968	3228	91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe	83
PID 3228 wrote to memory of 3968	3228	91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe	83

C:\Users\Admin\AppData\Local\Temp\91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe
"C:\Users\Admin\AppData\Local\Temp\91588191135e38efa80ae3ceca3da7e9c8d1d30247d317f893d1d87a364652fb.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3228
- \??\c:\windows\ÇéÃÔ¶¼ÊÐ.sfx.exe
  c:\windows\ÇéÃÔ¶¼ÊÐ.sfx.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- \??\c:\windows\SkyTol.exe
  c:\windows\SkyTol.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\kill.bat" "
  2⤵
  PID:3968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SkyTol.exe

Filesize
9KB

MD5
9370e65144f1f6f0ab618b7a5e240a08

SHA1
f9bb37f1fcb3f69efe95da238f52f83b864820b9

SHA256
b415c4f0dab05f3f806a00234d2376a77df4555983ff9f2d7b8f5682bb0a9ade

SHA512
b2bdc8d1d452b585e35b54a71d90d43b485f74bddbf308c1d4d4ebfc35f8bb6e9481858d1e1642c5121e43fad731218336c3fec6b87bb14687bc7faeed872eee

Download Submit
C:\Windows\ÇéÃÔ¶¼ÊÐ.sfx.exe

Filesize
1.9MB

MD5
86abab35da55bd704385a5c60b1dfed6

SHA1
4a743a77c67acbf941e3db6bc4f2a7e65e856a7a

SHA256
ea89ab25e6702349e03d5a4a1c30732fb5ab9cf386dae23672dc254dfaafa730

SHA512
d76db97ea6d9e62ccc4ab4ab6fb15bd94a6e14c552eb27027e5f7412ecaa23c2949e36d6fb8eabd549809b8347eeb42f97df1eae150f2049b1e44a528fd74d61

Download Submit
C:\windows\kill.bat

Filesize
184B

MD5
a591e6b59f4adca42931b29faa4f1fbf

SHA1
1385da0892f55708ce59ab0d9ba0421fb5f54dc4

SHA256
7e97ba87e6f429d628373315254a955e794c560a89c631bc70c16577652a8034

SHA512
fc2a952e8d946853e8157549e8b8b55dbae3045cf2ccd163fb787ffe1b18236745d119904f26e6161e1e87b873f57bec9d23731114e5e3bb9c75fa5e3fa93ba6

Download Submit
\??\c:\windows\SkyTol.exe

Filesize
9KB

MD5
9370e65144f1f6f0ab618b7a5e240a08

SHA1
f9bb37f1fcb3f69efe95da238f52f83b864820b9

SHA256
b415c4f0dab05f3f806a00234d2376a77df4555983ff9f2d7b8f5682bb0a9ade

SHA512
b2bdc8d1d452b585e35b54a71d90d43b485f74bddbf308c1d4d4ebfc35f8bb6e9481858d1e1642c5121e43fad731218336c3fec6b87bb14687bc7faeed872eee

Download Submit
\??\c:\windows\ÇéÃÔ¶¼ÊÐ.sfx.exe

Filesize
1.9MB

MD5
86abab35da55bd704385a5c60b1dfed6

SHA1
4a743a77c67acbf941e3db6bc4f2a7e65e856a7a

SHA256
ea89ab25e6702349e03d5a4a1c30732fb5ab9cf386dae23672dc254dfaafa730

SHA512
d76db97ea6d9e62ccc4ab4ab6fb15bd94a6e14c552eb27027e5f7412ecaa23c2949e36d6fb8eabd549809b8347eeb42f97df1eae150f2049b1e44a528fd74d61

Download Submit
memory/5016-144-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5016-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing