a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627

General

Target

a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe
Size

1.5MB
MD5

9e004b5f85f3694e7e1dad214b880503
SHA1

2e19c2214675b570f36ba619bc56cd9c59ed948e
SHA256

a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627
SHA512

dd99a231e1487fdfb32366d178599e11dd8aca4aa407fcaf4418a685092865229de505a868b56d7d1ff4a5c168c5f45c95cbcc18bc4e4e3a5b6ca6318822672a
SSDEEP

24576:+7ZunQU1aVNeN2xAZmUq5++3ZMzuAVEmcOyiHRLoNe7aSyQjNoWGhl2NrRusFJ5/:ea2Q85++pMifNeWSyQ5HusfKvnU

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
1308	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1200	netsh.exe
2320	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe"	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe
File opened for modification	C:\Windows\system32\a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\melt.txt	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe
File opened for modification	C:\Windows\SOCAAGDT12-7-2022---10-46-12---AM.gif	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1308	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3332	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe
1308	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 1200	3332	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe	83
PID 3332 wrote to memory of 1200	3332	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe	83
PID 3332 wrote to memory of 1308	3332	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe	88
PID 3332 wrote to memory of 1308	3332	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe	88
PID 1308 wrote to memory of 2320	1308	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe	90
PID 1308 wrote to memory of 2320	1308	a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe	90

C:\Users\Admin\AppData\Local\Temp\a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe
"C:\Users\Admin\AppData\Local\Temp\a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe"
1⤵
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\SYSTEM32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  PID:1200
- C:\Windows\system32\a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe
  "C:\Windows\system32\a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\system32\netsh.exe
    "netsh.exe" firewall set opmode disable
    3⤵
    - Modifies Windows Firewall
    PID:2320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe

Filesize
1.5MB

MD5
9e004b5f85f3694e7e1dad214b880503

SHA1
2e19c2214675b570f36ba619bc56cd9c59ed948e

SHA256
a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627

SHA512
dd99a231e1487fdfb32366d178599e11dd8aca4aa407fcaf4418a685092865229de505a868b56d7d1ff4a5c168c5f45c95cbcc18bc4e4e3a5b6ca6318822672a

Download Submit
C:\Windows\melt.txt

Filesize
102B

MD5
281d7b0d0b3edac4d4fcb0040d9d7b7c

SHA1
f8565c95eb56f41830375810b59d5cd19dfd2747

SHA256
2bb0a562b9145414347a70b070737a4d63040e8a1c45d66e0e77e7a015fad57e

SHA512
ef89760641cce6f07888ed257e58dbcfdaeb2d4cf26811a0b68385051dbae153e1f3c0ccc313cbde4ea9ddf3ac4ce2dc2dc0c6cf30188bbcede190fc29bd79ef

Download Submit
C:\Windows\system32\a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627.exe

Filesize
1.5MB

MD5
9e004b5f85f3694e7e1dad214b880503

SHA1
2e19c2214675b570f36ba619bc56cd9c59ed948e

SHA256
a180523fa9e84626df569aaf7b8414880ca520303a124d253c47daae299d0627

SHA512
dd99a231e1487fdfb32366d178599e11dd8aca4aa407fcaf4418a685092865229de505a868b56d7d1ff4a5c168c5f45c95cbcc18bc4e4e3a5b6ca6318822672a

Download Submit
memory/1308-137-0x00007FFE07490000-0x00007FFE07EC6000-memory.dmp

Filesize
10.2MB

Download
memory/3332-132-0x00007FFE07490000-0x00007FFE07EC6000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing