f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7

General

Target

f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe
Size

55KB
MD5

d2eb4797765c7c23d929b3e366dd14e4
SHA1

dd98e36855a1d4892a7504e4f9da4b5f1437d5fe
SHA256

f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7
SHA512

cda98b8b71a3669c3b6ee60e5023285b7f408263834a9c269194ebaddc1b66d90ef43aac550584975035f0d09faf7183b2613d4500184dda0af218311dd4cc48
SSDEEP

768:d/OwWsekp55agHcMnGPrLmIdPu0ZVQ9u9qI2AbS5nzPzVantS8YzXBR:MwWm55ag8eGPrLmKW0jh9qvKqLZYUFrn

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4512	pot2.exe
1108	pot1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4512	pot2.exe
4512	pot2.exe
1108	pot1.exe
1108	pot1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1108	pot1.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 4512	3044	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe	80
PID 3044 wrote to memory of 4512	3044	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe	80
PID 3044 wrote to memory of 4512	3044	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe	80
PID 3044 wrote to memory of 1108	3044	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe	81
PID 3044 wrote to memory of 1108	3044	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe	81
PID 3044 wrote to memory of 1108	3044	f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe	81
PID 4512 wrote to memory of 3064	4512	pot2.exe	25
PID 4512 wrote to memory of 3064	4512	pot2.exe	25
PID 4512 wrote to memory of 3064	4512	pot2.exe	25
PID 1108 wrote to memory of 3064	1108	pot1.exe	25
PID 1108 wrote to memory of 3064	1108	pot1.exe	25
PID 1108 wrote to memory of 3064	1108	pot1.exe	25
PID 1108 wrote to memory of 3064	1108	pot1.exe	25
PID 1108 wrote to memory of 3064	1108	pot1.exe	25
PID 1108 wrote to memory of 3064	1108	pot1.exe	25
PID 1108 wrote to memory of 3064	1108	pot1.exe	25
PID 1108 wrote to memory of 3064	1108	pot1.exe	25
PID 1108 wrote to memory of 3064	1108	pot1.exe	25
PID 1108 wrote to memory of 3064	1108	pot1.exe	25
PID 1108 wrote to memory of 3064	1108	pot1.exe	25
PID 4512 wrote to memory of 3064	4512	pot2.exe	25
PID 4512 wrote to memory of 3064	4512	pot2.exe	25
PID 4512 wrote to memory of 3064	4512	pot2.exe	25

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3064
- C:\Users\Admin\AppData\Local\Temp\f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe
  "C:\Users\Admin\AppData\Local\Temp\f3f92a16f4d0c66d1f7cecdd4d53814014c344367f532fcae5169ea3bcd025e7.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\pot2.exe
    "C:\Users\Admin\AppData\Local\Temp\pot2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4512
- - C:\Users\Admin\AppData\Local\Temp\pot1.exe
    "C:\Users\Admin\AppData\Local\Temp\pot1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pot1.exe

Filesize
7KB

MD5
44d227f1ef61878bce63ad2e57760587

SHA1
d40166ac2a5586113714e673ce06aae54ba2c23e

SHA256
9b37ecfb8dd359ebf768d28552468a27f29feaeb7c329ea860421831b847f259

SHA512
584bae3155295dede7f00ee1c9b7480742de3e8bfc94d148133e0b6852635d7f40992c72d5556e2c3a6ec4236199edc639dfa6f3d86ed284dd1aab619eb241c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pot1.exe

Filesize
7KB

MD5
44d227f1ef61878bce63ad2e57760587

SHA1
d40166ac2a5586113714e673ce06aae54ba2c23e

SHA256
9b37ecfb8dd359ebf768d28552468a27f29feaeb7c329ea860421831b847f259

SHA512
584bae3155295dede7f00ee1c9b7480742de3e8bfc94d148133e0b6852635d7f40992c72d5556e2c3a6ec4236199edc639dfa6f3d86ed284dd1aab619eb241c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pot2.exe

Filesize
39KB

MD5
48f691058624600917fbc74b82ce2abb

SHA1
bbe12df62240e776f389079e3985c6fde62eb0e6

SHA256
85a3cce3d5dfe8d62702c0c49f261794a7980d2fbaec7904a8b21e8f0cc48dbb

SHA512
630ab939ac1cbe2389539182dc8c177081621834e1f0eb0bbe10592e1f42c8d96d1a71e5c409903ef3f52750deed37dda8aafa2d04153e12b25bc674acec08e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pot2.exe

Filesize
39KB

MD5
48f691058624600917fbc74b82ce2abb

SHA1
bbe12df62240e776f389079e3985c6fde62eb0e6

SHA256
85a3cce3d5dfe8d62702c0c49f261794a7980d2fbaec7904a8b21e8f0cc48dbb

SHA512
630ab939ac1cbe2389539182dc8c177081621834e1f0eb0bbe10592e1f42c8d96d1a71e5c409903ef3f52750deed37dda8aafa2d04153e12b25bc674acec08e7

Download Submit
memory/3064-138-0x000000007FFC0000-0x000000007FFC6000-memory.dmp

Filesize
24KB

Download
memory/4512-139-0x0000000000400000-0x000000000040AE30-memory.dmp

Filesize
43KB

Download
memory/4512-140-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing