83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838

General

Target

83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe
Size

2.6MB
MD5

8f30495351188a6fdd3da179691e6a97
SHA1

dfbfb496f2f7662eea3c9d88e398995864449c0f
SHA256

83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838
SHA512

68fce63f11ca17872944732fa1ef19ab056b87fd018affb4902477d3cc0f873dc0a28a22f5b693779a425b118bf581fa60e78bfbc879f7814d2164cd5afdd9cb
SSDEEP

49152:puiDR7ztcKayMNSe6jgzcbQb1Yj4qtEhxDEC/POVpa9L/ZXk9Dea7c6qmub:pR5payMNSXA76Jqx//2K9L0yaQTmub

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4900	MediaXCodec.exe
4852	RegSupreme Pro 1.7.0.416.exe
2064	is-2E9S0.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	MediaXCodec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Player.exe"	MediaXCodec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 4900	3088	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	81
PID 3088 wrote to memory of 4900	3088	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	81
PID 3088 wrote to memory of 4900	3088	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	81
PID 3088 wrote to memory of 4852	3088	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	82
PID 3088 wrote to memory of 4852	3088	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	82
PID 3088 wrote to memory of 4852	3088	83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe	82
PID 4852 wrote to memory of 2064	4852	RegSupreme Pro 1.7.0.416.exe	85
PID 4852 wrote to memory of 2064	4852	RegSupreme Pro 1.7.0.416.exe	85
PID 4852 wrote to memory of 2064	4852	RegSupreme Pro 1.7.0.416.exe	85

C:\Users\Admin\AppData\Local\Temp\83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe
"C:\Users\Admin\AppData\Local\Temp\83f1167877e2dd5e3e110acadde1109518926a5db622f2bc5e7192126abe9838.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Local\Temp\MediaXCodec.exe
  "C:\Users\Admin\AppData\Local\Temp\MediaXCodec.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4900
- C:\Users\Admin\AppData\Local\Temp\RegSupreme Pro 1.7.0.416.exe
  "C:\Users\Admin\AppData\Local\Temp\RegSupreme Pro 1.7.0.416.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\is-6PS3T.tmp\is-2E9S0.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-6PS3T.tmp\is-2E9S0.tmp" /SL4 $D003E "C:\Users\Admin\AppData\Local\Temp\RegSupreme Pro 1.7.0.416.exe" 2429367 52736
    3⤵
    - Executes dropped EXE
    PID:2064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MediaXCodec.exe

Filesize
14KB

MD5
84c0684dccac225bbc8b037505430c31

SHA1
bdd4bb7017ad13fcf67e7202e0609a759a4ab8ec

SHA256
8e5267bd511031dab351d16fd73e0a15006e35d3162f3ece7476d90ab5f0aba4

SHA512
a86de1633e1fff20b4c369fe990f002351adcd9598a8de8f859cef447bf8d9afb264eaaa4e277bdbbb35a5ee5e4d57b4dfeb3224c1db0206668a9054c07dded4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MediaXCodec.exe

Filesize
14KB

MD5
84c0684dccac225bbc8b037505430c31

SHA1
bdd4bb7017ad13fcf67e7202e0609a759a4ab8ec

SHA256
8e5267bd511031dab351d16fd73e0a15006e35d3162f3ece7476d90ab5f0aba4

SHA512
a86de1633e1fff20b4c369fe990f002351adcd9598a8de8f859cef447bf8d9afb264eaaa4e277bdbbb35a5ee5e4d57b4dfeb3224c1db0206668a9054c07dded4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSupreme Pro 1.7.0.416.exe

Filesize
2.5MB

MD5
7cd42a624a678a23204baeb903d94a47

SHA1
9d58ee33932fa0d13c41f98fd01b41538e60ffef

SHA256
d03c204f98c74dc9e38e8f17d926c31d600ae4fe2f596dfd2e499145b07622f7

SHA512
83bb3df2dab8cc8fb1ee66fa9226a2eda26d45478740471858f36e217f887961cd617adad1448e12ad859f708ad1169df58d270bbc9cfc14d4cfa0a6e62ae9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSupreme Pro 1.7.0.416.exe

Filesize
2.5MB

MD5
7cd42a624a678a23204baeb903d94a47

SHA1
9d58ee33932fa0d13c41f98fd01b41538e60ffef

SHA256
d03c204f98c74dc9e38e8f17d926c31d600ae4fe2f596dfd2e499145b07622f7

SHA512
83bb3df2dab8cc8fb1ee66fa9226a2eda26d45478740471858f36e217f887961cd617adad1448e12ad859f708ad1169df58d270bbc9cfc14d4cfa0a6e62ae9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6PS3T.tmp\is-2E9S0.tmp

Filesize
658KB

MD5
f627721a34c13a5307779a498e8f6519

SHA1
9e54ec07e780eb1ccbbd61bb1a24238e46c01e18

SHA256
13c6a795a259a9731d5c00f35e6eeeeae840423d3e1783fd6c75509a3b7cb348

SHA512
c2dc88b441539b8827f0ef2a4c6b404cebaa5452d884d0174a2447347a462552f47a9d6521ecfa660cd9f0e0771fc192438865dcda305ab373c6f9a0c694aecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6PS3T.tmp\is-2E9S0.tmp

Filesize
658KB

MD5
f627721a34c13a5307779a498e8f6519

SHA1
9e54ec07e780eb1ccbbd61bb1a24238e46c01e18

SHA256
13c6a795a259a9731d5c00f35e6eeeeae840423d3e1783fd6c75509a3b7cb348

SHA512
c2dc88b441539b8827f0ef2a4c6b404cebaa5452d884d0174a2447347a462552f47a9d6521ecfa660cd9f0e0771fc192438865dcda305ab373c6f9a0c694aecc

Download Submit
memory/4852-138-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4852-143-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing