424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08

General

Target

424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08.exe
Size

226KB
MD5

822f58b40e2677903f6acb3e7e686603
SHA1

3736eef0724f97a352b0ffb7632a02708ba13cd7
SHA256

424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08
SHA512

9c9e2983e2dbab8a9475f677558b80ff1d13409de8063bd0159993e8cc4234da266863fb43ca85ff62ff4c2d20683a5e226422e8773accf1e21dacd1a6a2f5f3
SSDEEP

6144:qVe8qhQ65FhWngNFGyPaL6BHi6b3tEsofvo3+:0lqhRhLQyPX5pbAHc+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1584	Weather.exe
5060	IEXPLORER.EXE

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4540-135-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/4540-139-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Weather.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Windows\\SysWOW64\\IEXPLORER.EXE"	IEXPLORER.EXE

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\weather report\config.ini	424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08.exe
File created	C:\Program Files (x86)\weather report\IEXPLORER.exe	424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08.exe
File created	C:\Program Files (x86)\weather report\Weather.exe	424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08.exe
File opened for modification	C:\Program Files (x86)\weather report\Weather.exe	424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\ietranst.dll	Weather.exe
File opened for modification	C:\Program Files (x86)\weather report	424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08.exe
File created	C:\Program Files (x86)\weather report\backup.exe	424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08.exe
File opened for modification	C:\Program Files (x86)\weather report\backup.exe	424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08.exe
File created	C:\Program Files (x86)\weather report\config.ini	424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08.exe
File opened for modification	C:\Program Files (x86)\weather report\IEXPLORER.exe	424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5060	IEXPLORER.EXE
5060	IEXPLORER.EXE
5060	IEXPLORER.EXE
5060	IEXPLORER.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 1584	4540	424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08.exe	81
PID 4540 wrote to memory of 1584	4540	424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08.exe	81
PID 4540 wrote to memory of 1584	4540	424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08.exe	81
PID 1584 wrote to memory of 5060	1584	Weather.exe	82
PID 1584 wrote to memory of 5060	1584	Weather.exe	82
PID 1584 wrote to memory of 5060	1584	Weather.exe	82

C:\Users\Admin\AppData\Local\Temp\424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08.exe
"C:\Users\Admin\AppData\Local\Temp\424be869fbab770e003055b72dcbdb11bb80f4b3af5865b572e4421f813bac08.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Program Files (x86)\weather report\Weather.exe
  "C:\Program Files (x86)\weather report\Weather.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\IEXPLORER.EXE
    "C:\Windows\System32\IEXPLORER.EXE"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:5060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\weather report\IEXPLORER.EXE

Filesize
116KB

MD5
6b164b741c8e651df1ea92bd8467380c

SHA1
250fba380067fb1d634886c9f908d81679c6a7db

SHA256
4c13f6bf980ec8c2a3f4320ece874290636244f73c0dfb4d0a1e90eccae87ef2

SHA512
02e87a588833e5c3258fbe2478a36fe6179ce0baef98b1f55bdca0b2b69588c41ee2c9151baf797eb7da6c954455cb4816e0a2eb2c7a4bf788e23bd247b0f604

Download Submit
C:\Program Files (x86)\weather report\Weather.exe

Filesize
248KB

MD5
6855bb59597a856c992af6999983915d

SHA1
8e10511423b35aa475b25b92e95ad0a6117695f6

SHA256
3a17da79a4a42571e4ccfdc4b84664cac337aa5d7249e9995ef1f5045f1ac0f3

SHA512
f88c8b99ebee3ce827b8c70f0108c074b8c198666e1ad9cf0ebaabc0e5c26e0be513c2d8d661c660907df71301618597f1958f143f72e367c19e61ff660da5bb

Download Submit
C:\Program Files (x86)\weather report\Weather.exe

Filesize
248KB

MD5
6855bb59597a856c992af6999983915d

SHA1
8e10511423b35aa475b25b92e95ad0a6117695f6

SHA256
3a17da79a4a42571e4ccfdc4b84664cac337aa5d7249e9995ef1f5045f1ac0f3

SHA512
f88c8b99ebee3ce827b8c70f0108c074b8c198666e1ad9cf0ebaabc0e5c26e0be513c2d8d661c660907df71301618597f1958f143f72e367c19e61ff660da5bb

Download Submit
C:\Program Files (x86)\weather report\config.ini

Filesize
2B

MD5
a5bfc9e07964f8dddeb95fc584cd965d

SHA1
cb7a1d775e800fd1ee4049f7dca9e041eb9ba083

SHA256
7a61b53701befdae0eeeffaecc73f14e20b537bb0f8b91ad7c2936dc63562b25

SHA512
c21e553cd53f8b212922b2be07a9ca1a83d1d347752fb240acdf414e2dd8983da10aa65c6e7d1da6b24ba918d54d56f04135fb93cbf719cc8a4ad0433b298121

Download Submit
C:\Windows\SysWOW64\IEXPLORER.EXE

Filesize
116KB

MD5
6b164b741c8e651df1ea92bd8467380c

SHA1
250fba380067fb1d634886c9f908d81679c6a7db

SHA256
4c13f6bf980ec8c2a3f4320ece874290636244f73c0dfb4d0a1e90eccae87ef2

SHA512
02e87a588833e5c3258fbe2478a36fe6179ce0baef98b1f55bdca0b2b69588c41ee2c9151baf797eb7da6c954455cb4816e0a2eb2c7a4bf788e23bd247b0f604

Download Submit
memory/4540-135-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4540-139-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing