e1d1cb865e2d2806b4e44aca3d3cd6ba0e27adb4a5799bd5181dd5016187becb

General

Target

e1d1cb865e2d2806b4e44aca3d3cd6ba0e27adb4a5799bd5181dd5016187becb.exe
Size

209KB
MD5

38b615626e3739441becebc10e5283cf
SHA1

56d9033da4cbd541f1a3b902c44d1657d4ec64c0
SHA256

e1d1cb865e2d2806b4e44aca3d3cd6ba0e27adb4a5799bd5181dd5016187becb
SHA512

6bd7e73725d01edd45d143c668401b146a358b6a9c2b4b74782b74a440c86e3361227b0aa38d92bf0a76c0dc0346ecd59ac288e02c79c6d0cd1c5dc5b820321e
SSDEEP

6144:VeXBHZjX2F/5sL03ctzLwFU2FfhB6WloQRLVoS39:VGH5GF/5s8cZwFUyBfHRLVoSt

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2308	dnfumb.exe
2912	dnfumb.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	e1d1cb865e2d2806b4e44aca3d3cd6ba0e27adb4a5799bd5181dd5016187becb.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\dnfumb.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	dnfumb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winitin = "C:\\Users\\Admin\\AppData\\Roaming\\winitin.exe.exe"	dnfumb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	dnfumb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winitin = "C:\\Users\\Admin\\AppData\\Roaming\\winitin.exe.exe"	dnfumb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 2912	2308	dnfumb.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1096	e1d1cb865e2d2806b4e44aca3d3cd6ba0e27adb4a5799bd5181dd5016187becb.exe
2308	dnfumb.exe
2912	dnfumb.exe
2912	dnfumb.exe
2912	dnfumb.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 4636	1096	e1d1cb865e2d2806b4e44aca3d3cd6ba0e27adb4a5799bd5181dd5016187becb.exe	79
PID 1096 wrote to memory of 4636	1096	e1d1cb865e2d2806b4e44aca3d3cd6ba0e27adb4a5799bd5181dd5016187becb.exe	79
PID 1096 wrote to memory of 4636	1096	e1d1cb865e2d2806b4e44aca3d3cd6ba0e27adb4a5799bd5181dd5016187becb.exe	79
PID 4636 wrote to memory of 1876	4636	cmd.exe	82
PID 4636 wrote to memory of 1876	4636	cmd.exe	82
PID 4636 wrote to memory of 1876	4636	cmd.exe	82
PID 1096 wrote to memory of 2308	1096	e1d1cb865e2d2806b4e44aca3d3cd6ba0e27adb4a5799bd5181dd5016187becb.exe	83
PID 1096 wrote to memory of 2308	1096	e1d1cb865e2d2806b4e44aca3d3cd6ba0e27adb4a5799bd5181dd5016187becb.exe	83
PID 1096 wrote to memory of 2308	1096	e1d1cb865e2d2806b4e44aca3d3cd6ba0e27adb4a5799bd5181dd5016187becb.exe	83
PID 2308 wrote to memory of 2912	2308	dnfumb.exe	84
PID 2308 wrote to memory of 2912	2308	dnfumb.exe	84
PID 2308 wrote to memory of 2912	2308	dnfumb.exe	84
PID 2308 wrote to memory of 2912	2308	dnfumb.exe	84
PID 2308 wrote to memory of 2912	2308	dnfumb.exe	84
PID 2308 wrote to memory of 2912	2308	dnfumb.exe	84
PID 2308 wrote to memory of 2912	2308	dnfumb.exe	84
PID 2308 wrote to memory of 2912	2308	dnfumb.exe	84

C:\Users\Admin\AppData\Local\Temp\e1d1cb865e2d2806b4e44aca3d3cd6ba0e27adb4a5799bd5181dd5016187becb.exe
"C:\Users\Admin\AppData\Local\Temp\e1d1cb865e2d2806b4e44aca3d3cd6ba0e27adb4a5799bd5181dd5016187becb.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eHXdG.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system32\dnfumb.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1876
- C:\Users\Admin\AppData\Roaming\system32\dnfumb.exe
  "C:\Users\Admin\AppData\Roaming\system32\dnfumb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Roaming\system32\dnfumb.exe
    "C:\Users\Admin\AppData\Roaming\system32\dnfumb.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:2912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eHXdG.bat

Filesize
142B

MD5
2305ae4821c79e9cc4ef0803dcabdf3e

SHA1
87596a36dfa929a3611f427e42dd613ed29efdef

SHA256
de8a69e34ef3a54c195123faf7f72c8f46982487dd5ea7fb13588d747fdcf2f5

SHA512
15bf93f04be3ecc52d4865e8d26a42e028c9d75abb84b3e591096bf6b0264ae8645a36aec5c714a34aa9dae88e34fbb1dfdbcc3fc4a67a366610bda4bbae1b09

Download Submit
C:\Users\Admin\AppData\Roaming\system32\dnfumb.exe

Filesize
209KB

MD5
38b615626e3739441becebc10e5283cf

SHA1
56d9033da4cbd541f1a3b902c44d1657d4ec64c0

SHA256
e1d1cb865e2d2806b4e44aca3d3cd6ba0e27adb4a5799bd5181dd5016187becb

SHA512
6bd7e73725d01edd45d143c668401b146a358b6a9c2b4b74782b74a440c86e3361227b0aa38d92bf0a76c0dc0346ecd59ac288e02c79c6d0cd1c5dc5b820321e

Download Submit
C:\Users\Admin\AppData\Roaming\system32\dnfumb.exe

Filesize
209KB

MD5
38b615626e3739441becebc10e5283cf

SHA1
56d9033da4cbd541f1a3b902c44d1657d4ec64c0

SHA256
e1d1cb865e2d2806b4e44aca3d3cd6ba0e27adb4a5799bd5181dd5016187becb

SHA512
6bd7e73725d01edd45d143c668401b146a358b6a9c2b4b74782b74a440c86e3361227b0aa38d92bf0a76c0dc0346ecd59ac288e02c79c6d0cd1c5dc5b820321e

Download Submit
C:\Users\Admin\AppData\Roaming\system32\dnfumb.exe

Filesize
209KB

MD5
38b615626e3739441becebc10e5283cf

SHA1
56d9033da4cbd541f1a3b902c44d1657d4ec64c0

SHA256
e1d1cb865e2d2806b4e44aca3d3cd6ba0e27adb4a5799bd5181dd5016187becb

SHA512
6bd7e73725d01edd45d143c668401b146a358b6a9c2b4b74782b74a440c86e3361227b0aa38d92bf0a76c0dc0346ecd59ac288e02c79c6d0cd1c5dc5b820321e

Download Submit
memory/1096-144-0x0000000000400000-0x00000000006C6000-memory.dmp

Filesize
2.8MB

Download
memory/1096-135-0x0000000000400000-0x00000000006C6000-memory.dmp

Filesize
2.8MB

Download
memory/1096-132-0x0000000000400000-0x00000000006C6000-memory.dmp

Filesize
2.8MB

Download
memory/2308-147-0x0000000000400000-0x00000000006C6000-memory.dmp

Filesize
2.8MB

Download
memory/2308-151-0x0000000000400000-0x00000000006C6000-memory.dmp

Filesize
2.8MB

Download
memory/2912-146-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2912-153-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2912-154-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing