af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b

General

Target

af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe
Size

300KB
MD5

95a952d907ca9cbc38e437379b7d3285
SHA1

7380fcef52de33f15e9d9cba64568a9d6c371bae
SHA256

af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b
SHA512

3fa11e9c6d941bd768f47f47cbfa9b5e83794d897ca05d958b4916d53adf1183bd1d92b3cffc331bf4cbe96e47705f891b3bc086de8d41c499bc83ab70f7b910
SSDEEP

6144:yFnIej3A6VDkVhzK87Znl2OSs3ntsDzy1yOFmwWXE7MG71P9:yyej3JDkfZoOSFzVQmLE7MQ1l

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 1 IoCs

pid	Process
4880	2822f9af.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2604	netsh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000002319b-137.dat	upx
behavioral2/files/0x000900000002319b-139.dat	upx
behavioral2/memory/4880-141-0x0000000000400000-0x000000000052A000-memory.dmp	upx
behavioral2/memory/4880-143-0x0000000000400000-0x000000000052A000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mailmsg32 = "rundll32.exe mailmsg32.dll,yqet"	af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mailmsg32.dll	af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe
File opened for modification	C:\Windows\SysWOW64\f5f0a7dd.dll	af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe
File opened for modification	C:\Windows\SysWOW64\b802dc88.dll	af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3568	sc.exe
1780	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4880	2822f9af.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 3568	4512	af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe	84
PID 4512 wrote to memory of 3568	4512	af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe	84
PID 4512 wrote to memory of 3568	4512	af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe	84
PID 4512 wrote to memory of 1780	4512	af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe	86
PID 4512 wrote to memory of 1780	4512	af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe	86
PID 4512 wrote to memory of 1780	4512	af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe	86
PID 4512 wrote to memory of 2604	4512	af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe	88
PID 4512 wrote to memory of 2604	4512	af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe	88
PID 4512 wrote to memory of 2604	4512	af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe	88
PID 4512 wrote to memory of 4880	4512	af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe	90
PID 4512 wrote to memory of 4880	4512	af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe	90
PID 4512 wrote to memory of 4880	4512	af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe	90

C:\Users\Admin\AppData\Local\Temp\af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe
"C:\Users\Admin\AppData\Local\Temp\af6d25c4c5a6c455ab1a4075faa792ce0a826e5e9268053d6e76256c08cc217b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create mailmsg32 type= share start= auto DisplayName= "Mail Message Objects DLL" group= "Event Log" binPath= "rundll32.exe C:\Windows\system32\mailmsg32.dll,yqet"
  2⤵
  - Launches sc.exe
  PID:3568
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description mailmsg32 "Mail Message Objects DLL"
  2⤵
  - Launches sc.exe
  PID:1780
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe firewall add portopening TCP 1711 messenger
  2⤵
  - Modifies Windows Firewall
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\2822f9af.exe
  "C:\Users\Admin\AppData\Local\Temp\2822f9af.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2822f9af.exe

Filesize
223KB

MD5
f4a1c1fc02ed4e6b1c497411504e8aac

SHA1
ba401d462368d2a3a6af2c20f44d6e39a598fed1

SHA256
70961f84c42a1454ff44bfa216ef3403fe711e4cc3399ded5dc586db1791858d

SHA512
2b70c30339d70fbc6227cba58f3712dabbb1b7cec7cb225ec16f06a6afb8dc522dbc7cdb5e0cb54d7525dc022f60a60e800207f9ee535bb485bcf6b286e54fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\2822f9af.exe

Filesize
223KB

MD5
f4a1c1fc02ed4e6b1c497411504e8aac

SHA1
ba401d462368d2a3a6af2c20f44d6e39a598fed1

SHA256
70961f84c42a1454ff44bfa216ef3403fe711e4cc3399ded5dc586db1791858d

SHA512
2b70c30339d70fbc6227cba58f3712dabbb1b7cec7cb225ec16f06a6afb8dc522dbc7cdb5e0cb54d7525dc022f60a60e800207f9ee535bb485bcf6b286e54fca

Download Submit
memory/4512-132-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4512-138-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4880-141-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/4880-143-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing