f742827806c3cacd954cf5d2c9c673ccc8acb35fae240a7377aef03189b6db5c

General

Target

f742827806c3cacd954cf5d2c9c673ccc8acb35fae240a7377aef03189b6db5c.exe
Size

205KB
MD5

1a60532f99a506ced2da08d40f62e5f0
SHA1

3b645bd81a28a1ef1eedba1448604de96407515c
SHA256

f742827806c3cacd954cf5d2c9c673ccc8acb35fae240a7377aef03189b6db5c
SHA512

abc2d8fb5edb07bbd7f346481aff495465a4c7db00ac0253e8ea37e3084d807ac1d8de95ee557b6834513479f767d7aa004cf013be44912190d49a94fe41312f
SSDEEP

6144:CkwK8wI9HZ/xaof8MZspHdr1CfCwZMeGQ/AZ:PmFZ/b8MZGHIl/AZ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4924	check.exe
3076	tmp1.exe
2652	tmp2.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp1.exe

Loads dropped DLL 1 IoCs

pid	Process
4536	f742827806c3cacd954cf5d2c9c673ccc8acb35fae240a7377aef03189b6db5c.exe

Unexpected DNS network traffic destination 35 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	85.255.113.109
Destination IP	85.255.112.138
Destination IP	85.255.113.109
Destination IP	85.255.112.138
Destination IP	85.255.112.138
Destination IP	85.255.112.138
Destination IP	85.255.113.109
Destination IP	85.255.112.138
Destination IP	85.255.112.138
Destination IP	85.255.112.138
Destination IP	85.255.113.109
Destination IP	85.255.113.109
Destination IP	85.255.112.138
Destination IP	85.255.113.109
Destination IP	85.255.112.138
Destination IP	85.255.113.109
Destination IP	85.255.113.109
Destination IP	85.255.112.138
Destination IP	85.255.112.138
Destination IP	85.255.113.109
Destination IP	85.255.112.138
Destination IP	85.255.113.109
Destination IP	85.255.113.109
Destination IP	85.255.112.138
Destination IP	85.255.113.109
Destination IP	85.255.113.109
Destination IP	85.255.112.138
Destination IP	85.255.113.109
Destination IP	85.255.112.138
Destination IP	85.255.113.109
Destination IP	85.255.112.138
Destination IP	85.255.112.138
Destination IP	85.255.112.138
Destination IP	85.255.113.109
Destination IP	85.255.113.109

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "kdnpf.exe"	tmp1.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kdnpf.exe	tmp1.exe
File opened for modification	C:\Windows\SysWOW64\kdnpf.exe	tmp1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3076 set thread context of 3264	3076	tmp1.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International	tmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo	tmp1.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International	tmp1.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo	tmp2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3076	tmp1.exe
3076	tmp1.exe
3076	tmp1.exe
3076	tmp1.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3076	tmp1.exe
Token: SeSecurityPrivilege	3076	tmp1.exe
Token: SeTakeOwnershipPrivilege	3076	tmp1.exe
Token: SeLoadDriverPrivilege	3076	tmp1.exe
Token: SeSystemProfilePrivilege	3076	tmp1.exe
Token: SeSystemtimePrivilege	3076	tmp1.exe
Token: SeProfSingleProcessPrivilege	3076	tmp1.exe
Token: SeIncBasePriorityPrivilege	3076	tmp1.exe
Token: SeCreatePagefilePrivilege	3076	tmp1.exe
Token: SeBackupPrivilege	3076	tmp1.exe
Token: SeRestorePrivilege	3076	tmp1.exe
Token: SeShutdownPrivilege	3076	tmp1.exe
Token: SeDebugPrivilege	3076	tmp1.exe
Token: SeSystemEnvironmentPrivilege	3076	tmp1.exe
Token: SeChangeNotifyPrivilege	3076	tmp1.exe
Token: SeRemoteShutdownPrivilege	3076	tmp1.exe
Token: SeUndockPrivilege	3076	tmp1.exe
Token: SeManageVolumePrivilege	3076	tmp1.exe
Token: SeImpersonatePrivilege	3076	tmp1.exe
Token: SeCreateGlobalPrivilege	3076	tmp1.exe
Token: 33	3076	tmp1.exe
Token: 34	3076	tmp1.exe
Token: 35	3076	tmp1.exe
Token: 36	3076	tmp1.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 4924	4536	f742827806c3cacd954cf5d2c9c673ccc8acb35fae240a7377aef03189b6db5c.exe	80
PID 4536 wrote to memory of 4924	4536	f742827806c3cacd954cf5d2c9c673ccc8acb35fae240a7377aef03189b6db5c.exe	80
PID 4536 wrote to memory of 4924	4536	f742827806c3cacd954cf5d2c9c673ccc8acb35fae240a7377aef03189b6db5c.exe	80
PID 4536 wrote to memory of 3076	4536	f742827806c3cacd954cf5d2c9c673ccc8acb35fae240a7377aef03189b6db5c.exe	82
PID 4536 wrote to memory of 3076	4536	f742827806c3cacd954cf5d2c9c673ccc8acb35fae240a7377aef03189b6db5c.exe	82
PID 4536 wrote to memory of 3076	4536	f742827806c3cacd954cf5d2c9c673ccc8acb35fae240a7377aef03189b6db5c.exe	82
PID 4536 wrote to memory of 2652	4536	f742827806c3cacd954cf5d2c9c673ccc8acb35fae240a7377aef03189b6db5c.exe	83
PID 4536 wrote to memory of 2652	4536	f742827806c3cacd954cf5d2c9c673ccc8acb35fae240a7377aef03189b6db5c.exe	83
PID 4536 wrote to memory of 2652	4536	f742827806c3cacd954cf5d2c9c673ccc8acb35fae240a7377aef03189b6db5c.exe	83
PID 3076 wrote to memory of 404	3076	tmp1.exe	86
PID 3076 wrote to memory of 404	3076	tmp1.exe	86
PID 3076 wrote to memory of 3264	3076	tmp1.exe	87
PID 3076 wrote to memory of 3264	3076	tmp1.exe	87

C:\Users\Admin\AppData\Local\Temp\f742827806c3cacd954cf5d2c9c673ccc8acb35fae240a7377aef03189b6db5c.exe
"C:\Users\Admin\AppData\Local\Temp\f742827806c3cacd954cf5d2c9c673ccc8acb35fae240a7377aef03189b6db5c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Users\Admin\AppData\Local\Temp\check.exe
  C:\Users\Admin\AppData\Local\Temp\check.exe e -o+ -pSSxDIIjg0HmNoxE6POaBLbhlOWJl7 package.tmp
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\tmp1.exe
  C:\Users\Admin\AppData\Local\Temp\tmp1.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies WinLogon
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Windows\bfsvc.exe
    C:\Windows\bfsvc.exe
    3⤵
    PID:404
- - C:\Windows\bfsvc.exe
    C:\Windows\bfsvc.exe
    3⤵
    PID:3264
- C:\Users\Admin\AppData\Local\Temp\tmp2.exe
  C:\Users\Admin\AppData\Local\Temp\tmp2.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies Control Panel
  PID:2652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\check.exe

Filesize
199KB

MD5
42ef3012ffc38db6df75d9e52ee8caa7

SHA1
110191a2414670e8f02179287f099a6099f1a6a5

SHA256
5f20eebd9440f7f6af88200dfdd5d8bbe17a49174273390cdc498ba6296065e8

SHA512
4d932b0e2272e7243745ff02db2157c494fc2e15db052ad726c1d500d63275b400caa36522d5ec0910f7329219d996307d3813995560940347a8e6e35090de1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\check.exe

Filesize
199KB

MD5
42ef3012ffc38db6df75d9e52ee8caa7

SHA1
110191a2414670e8f02179287f099a6099f1a6a5

SHA256
5f20eebd9440f7f6af88200dfdd5d8bbe17a49174273390cdc498ba6296065e8

SHA512
4d932b0e2272e7243745ff02db2157c494fc2e15db052ad726c1d500d63275b400caa36522d5ec0910f7329219d996307d3813995560940347a8e6e35090de1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC78D.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
C:\Users\Admin\AppData\Local\Temp\package.tmp

Filesize
46KB

MD5
d6c21b152d1f53f581cf04754f66ed0a

SHA1
47a30b2a47eb5a082f623e4d97f476f109073de9

SHA256
6d3f07275d832be2f2ac4904b7066608b81866402df5d07a062f333430739dd2

SHA512
eb557889043aed5049c345fc445460e011731575f39f25d7b4c904140bd6efde54507545f5513ec4a9323b107b09a6bc51a944fe949ddbbf60daf1fb65c7520b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
70KB

MD5
0c8c62e977e195472522ac306ec912b6

SHA1
6cd34d706700e06570cc0da69a1d0b2c9c45442b

SHA256
c0ba8b268f928148a99f5cd7965092bba04fe71fb9588ad5079c04bfaedecdd5

SHA512
e3bcebccf110a3770814373c3ea4f192577ca6d923c67c5682e0c9d40c67d8887f749a138a942a60ba415bb793691556ccf2ddc760ce7613c60edb00efb157cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1.exe

Filesize
70KB

MD5
0c8c62e977e195472522ac306ec912b6

SHA1
6cd34d706700e06570cc0da69a1d0b2c9c45442b

SHA256
c0ba8b268f928148a99f5cd7965092bba04fe71fb9588ad5079c04bfaedecdd5

SHA512
e3bcebccf110a3770814373c3ea4f192577ca6d923c67c5682e0c9d40c67d8887f749a138a942a60ba415bb793691556ccf2ddc760ce7613c60edb00efb157cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
7KB

MD5
9ce53452efd7595f10eb426547216d64

SHA1
46387da4fa8fb3a807957ec24080fc24a9828732

SHA256
dfed42b0dc0cdd1d5258bbfe080147eb80dff1b23b54c5fb43eae5ad2fd50bf5

SHA512
4189d056672ec07c1d4359ed4109a2d01c43699ad30b66439266284bd46b78a1bda6b6afe1c919eb2492fd1480b5f95e45d346e2805fdf8f87db344f7e4d931a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
7KB

MD5
9ce53452efd7595f10eb426547216d64

SHA1
46387da4fa8fb3a807957ec24080fc24a9828732

SHA256
dfed42b0dc0cdd1d5258bbfe080147eb80dff1b23b54c5fb43eae5ad2fd50bf5

SHA512
4189d056672ec07c1d4359ed4109a2d01c43699ad30b66439266284bd46b78a1bda6b6afe1c919eb2492fd1480b5f95e45d346e2805fdf8f87db344f7e4d931a

Download Submit
memory/2652-144-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3076-142-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3076-145-0x000000006B800000-0x000000006B8F0000-memory.dmp

Filesize
960KB

Download
memory/3076-158-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing