b0230adfe82c49b5dfe24e5f7f1d60446d2a195aa33c4dfbfbfadc85b5e80a68

General

Target

b0230adfe82c49b5dfe24e5f7f1d60446d2a195aa33c4dfbfbfadc85b5e80a68.exe
Size

186KB
MD5

5b1bf85bff151648346fa5b17f443027
SHA1

963988329d62e4f851b8022f89f690ac56455fca
SHA256

b0230adfe82c49b5dfe24e5f7f1d60446d2a195aa33c4dfbfbfadc85b5e80a68
SHA512

e6b164aa82b814f9457c7d004ebb7c6ca0149b323ba109c0c96b87315371710ef816c5d31769c3257f2f1fe58a583ee4d1682a58444867b91af330626a5c7ca9
SSDEEP

3072:qX7DItrfaocyTgfsqQOlJT1C7Pore1JZmByfjfJgqjb21bDJOQDCp8ntV:qsaocyLCTg7ArEZmQfb+qjb21bDkQG+n

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2800	inst.exe
2780	50d1d9d5-cf90-407c-820a-35e05bc06f2f.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	inst.exe

Loads dropped DLL 1 IoCs

pid	Process
2296	b0230adfe82c49b5dfe24e5f7f1d60446d2a195aa33c4dfbfbfadc85b5e80a68.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	inst.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	inst.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	inst.exe
File created	C:\Windows\assembly\Desktop.ini	inst.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	inst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	inst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	inst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b817e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	inst.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	50d1d9d5-cf90-407c-820a-35e05bc06f2f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2780	50d1d9d5-cf90-407c-820a-35e05bc06f2f.exe
2780	50d1d9d5-cf90-407c-820a-35e05bc06f2f.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2800	2296	b0230adfe82c49b5dfe24e5f7f1d60446d2a195aa33c4dfbfbfadc85b5e80a68.exe	80
PID 2296 wrote to memory of 2800	2296	b0230adfe82c49b5dfe24e5f7f1d60446d2a195aa33c4dfbfbfadc85b5e80a68.exe	80
PID 2800 wrote to memory of 2780	2800	inst.exe	83
PID 2800 wrote to memory of 2780	2800	inst.exe	83
PID 2800 wrote to memory of 2780	2800	inst.exe	83

C:\Users\Admin\AppData\Local\Temp\b0230adfe82c49b5dfe24e5f7f1d60446d2a195aa33c4dfbfbfadc85b5e80a68.exe
"C:\Users\Admin\AppData\Local\Temp\b0230adfe82c49b5dfe24e5f7f1d60446d2a195aa33c4dfbfbfadc85b5e80a68.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\nssCE34.tmp\inst.exe
  C:\Users\Admin\AppData\Local\Temp\nssCE34.tmp\inst.exe 50d1d9d5-cf90-407c-820a-35e05bc06f2f.exe /dT131601038S /e5367101 /t /u50d1d9d5-cf90-407c-820a-35e05bc06f2f
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\nssCE34.tmp\50d1d9d5-cf90-407c-820a-35e05bc06f2f.exe
    "C:\Users\Admin\AppData\Local\Temp\nssCE34.tmp\50d1d9d5-cf90-407c-820a-35e05bc06f2f.exe" /dT131601038S /e5367101 /t /u50d1d9d5-cf90-407c-820a-35e05bc06f2f
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F39B5CFACECFDE48DB25BCA2231FAC6_F0E2901B5CB9DFCB03318B8D06C40A30

Filesize
1KB

MD5
6634347710cc30558f5e13dd4ebc9aa0

SHA1
fc77fd9fcf64a5fe08a862f311ab45e20a714600

SHA256
7e4910b2281ac98229547b71c50c71545f5dff241346f3ccc95d5364412f496a

SHA512
260f233db37445ab2a669868b663dcebdedf01b3b998bb69b82f73188cc9266d3459d517978136b2a0d0f9a6db9a64566f71c43ff6c5aceaeb29c7b5ca6ac5a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F39B5CFACECFDE48DB25BCA2231FAC6_F0E2901B5CB9DFCB03318B8D06C40A30

Filesize
412B

MD5
9ce39422d9a5496edc6f182530616e00

SHA1
b2528e856fd9dc6bdef1f49520d367293a258e4c

SHA256
9a05477d3172a1442bba2a05943fa2ead4613ee0900f2e6bd4852c42a25dc540

SHA512
77812d148c28661452fe4833d75b027d364f62c8420762dd3a26f443609bd8a68eca2663dcb6cdd446eaf3ee474237ee7928e0666005b49bc473b69c50eb6524

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCE34.tmp\50d1d9d5-cf90-407c-820a-35e05bc06f2f.exe

Filesize
161KB

MD5
fea751116d26cdd3b5976bb20e746615

SHA1
cc451d9d4594c76717b69df84b14f4fce512503a

SHA256
ffcda5ceafb9d740ffb811bf221f1780c87a1ce6b1b2a5b4ba96905c1c9a8170

SHA512
9e09872223247f1849c98a1c7649ef68fa4eaac7f0c64484259b28df39ee09a941762c114824fbf09dd2dd3a1b4a569d5b09fd1d01b0f366b1c41a3e485ac081

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCE34.tmp\50d1d9d5-cf90-407c-820a-35e05bc06f2f.exe

Filesize
161KB

MD5
fea751116d26cdd3b5976bb20e746615

SHA1
cc451d9d4594c76717b69df84b14f4fce512503a

SHA256
ffcda5ceafb9d740ffb811bf221f1780c87a1ce6b1b2a5b4ba96905c1c9a8170

SHA512
9e09872223247f1849c98a1c7649ef68fa4eaac7f0c64484259b28df39ee09a941762c114824fbf09dd2dd3a1b4a569d5b09fd1d01b0f366b1c41a3e485ac081

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCE34.tmp\inst.exe

Filesize
144KB

MD5
6c13897aac76495646cb21a0f3026459

SHA1
3b852f19dfe1efc220356abce7b99a491cc44e3a

SHA256
174d6c4705673cfbd506f0cb916a766dd4e1a45f3ba1b124d4cda16fcd66582c

SHA512
93ca87000dc1ec560f153da999f7489b3a856ded0653e981667bc5a2af7f4f4a886a3f982c6e2db05351668bf8fc20f80d8a27591e49f4d9bc20a11a260d8051

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCE34.tmp\inst.exe

Filesize
144KB

MD5
6c13897aac76495646cb21a0f3026459

SHA1
3b852f19dfe1efc220356abce7b99a491cc44e3a

SHA256
174d6c4705673cfbd506f0cb916a766dd4e1a45f3ba1b124d4cda16fcd66582c

SHA512
93ca87000dc1ec560f153da999f7489b3a856ded0653e981667bc5a2af7f4f4a886a3f982c6e2db05351668bf8fc20f80d8a27591e49f4d9bc20a11a260d8051

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCE34.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/2780-140-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/2780-141-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/2780-144-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download
memory/2800-136-0x00007FFAD8540000-0x00007FFAD8F76000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing