d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7

General

Target

d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
Size

368KB
MD5

2c711d5d912e0998355db30d6f26e210
SHA1

b7b54cbc048296e7fdd312394ce66cf9d2de477c
SHA256

d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7
SHA512

6007324a511144de22693687d957adcd7569628d1f712375a2341c0254311b43762f712f4026283ffc0cdddf6e32a625f8b48e3d5d040dfaa248675e4d103f81
SSDEEP

6144:eZirc2Q2/J1uKBhvLR001fiXCxPsskcPJuoXbW9Rpm:J4v2mKBT6XuPssXJPyDpm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2704	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
3856	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
File opened for modification	\??\PhysicalDrive0	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2704	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2704	1720	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe	81
PID 1720 wrote to memory of 2704	1720	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe	81
PID 1720 wrote to memory of 2704	1720	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe	81

C:\Users\Admin\AppData\Local\Temp\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
"C:\Users\Admin\AppData\Local\Temp\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1720
- C:\ProgramData\eSafe\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
  "C:\ProgramData\eSafe\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe" -run
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:2704

C:\ProgramData\eSafe\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
C:\ProgramData\eSafe\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
PID:3856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eSafe\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Filesize
368KB

MD5
2c711d5d912e0998355db30d6f26e210

SHA1
b7b54cbc048296e7fdd312394ce66cf9d2de477c

SHA256
d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7

SHA512
6007324a511144de22693687d957adcd7569628d1f712375a2341c0254311b43762f712f4026283ffc0cdddf6e32a625f8b48e3d5d040dfaa248675e4d103f81

Download Submit
C:\ProgramData\eSafe\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Filesize
368KB

MD5
2c711d5d912e0998355db30d6f26e210

SHA1
b7b54cbc048296e7fdd312394ce66cf9d2de477c

SHA256
d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7

SHA512
6007324a511144de22693687d957adcd7569628d1f712375a2341c0254311b43762f712f4026283ffc0cdddf6e32a625f8b48e3d5d040dfaa248675e4d103f81

Download Submit
C:\ProgramData\eSafe\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Filesize
368KB

MD5
2c711d5d912e0998355db30d6f26e210

SHA1
b7b54cbc048296e7fdd312394ce66cf9d2de477c

SHA256
d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7

SHA512
6007324a511144de22693687d957adcd7569628d1f712375a2341c0254311b43762f712f4026283ffc0cdddf6e32a625f8b48e3d5d040dfaa248675e4d103f81

Download Submit
C:\ProgramData\eSafe\log\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.LOG

Filesize
986B

MD5
f9fc88ed1388fe921000dcb139f60061

SHA1
cfa11d49c7963e0704a3348604dce1c9dfb5d988

SHA256
0c6f0be6ac5bd2c88ccb83325e2487fe470fc1f9f9503a6e6f4c5ddbe871da07

SHA512
e000091702aefaf870c4c8a9a121c7b545e6e368bfa5ade8a8545d386e267d5ee19063b7595b4ab02ef585c529f17542925758d89c42393c612c18530acd9cc7

Download Submit
C:\ProgramData\eSafe\log\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.LOG

Filesize
1KB

MD5
0ca677a7a0839b825cede7d5fe7e344d

SHA1
3dd207ad6f8a2b286b2273eebf886ff6aada6d10

SHA256
556a064a4176f45e0b5d8ee4c05bd0b2663fe2e0f0fe38785f1875d444fac1c7

SHA512
723321bfc3714b5f2276dcf460041c30518826619b48793d72a4e97f43465fe04010c061fb6faf1f4a8ee9ce648f0636936e9256e2931cb91d60180645a80200

Download Submit
C:\ProgramData\eSafe\log\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.LOG

Filesize
2KB

MD5
96020b747f9bbc9a761bd652343e426a

SHA1
63ff521dc7bc50f4faeb2b779cc92b84e0ee0f54

SHA256
fb6932806f51d5671f9866a393d5b5dd31ef264237c4ce5fa181d17c4b154958

SHA512
3508432f84e35b51094e82be1fc766b9a89b691c816798fd8c21580e4616abf7c610f3ff7668c9ce841d11b075b9f62dc8cbac6ffcf5f6bd7d8b9caeceb6804c

Download Submit

Analysis

Sharing