e1c6c9cde48689a2658fb0551202ca5ebadca361588681841815507a34cfe1c9

General

Target

e1c6c9cde48689a2658fb0551202ca5ebadca361588681841815507a34cfe1c9.exe
Size

654KB
MD5

dc6c75d0b7fccf901417f57c3c711f8b
SHA1

214f6a4e029a5bcc60735baa186e13ccd60f5975
SHA256

e1c6c9cde48689a2658fb0551202ca5ebadca361588681841815507a34cfe1c9
SHA512

0fff3bb777c28d6b21a3a0311437c26c44f028d49f0a5fd6780cedc6259c76d17adf7f259c298a40370c7b983ececd288239bb75bbfa969fc2e0516180e5e732
SSDEEP

12288:wrmZGB/ZxZ2jcrRKpzqQDaDQx76kvsz3J1R7JiYitaLoSy:wr3VZxZ2C8zqQ+QV6s6Z1N8V

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3668	svchrpx.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2444-132-0x0000000000400000-0x0000000001954000-memory.dmp	upx
behavioral2/memory/2444-148-0x0000000000400000-0x0000000001954000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	e1c6c9cde48689a2658fb0551202ca5ebadca361588681841815507a34cfe1c9.exe

Loads dropped DLL 1 IoCs

pid	Process
4656	rundll32.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts\Shutdown	attrib.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts\Startup	attrib.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts	attrib.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user	attrib.exe
File created	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	cmd.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	cmd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\Ole DB\msadotb.htm	svchrpx.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Debug\error.gg	cmd.exe
File created	C:\Windows\ime\winxp.dat	cmd.exe
File opened for modification	C:\Windows\ime\winxp.dat	cmd.exe
File opened for modification	C:\Windows\ime\svchrpx.exe	cmd.exe
File opened for modification	C:\Windows\ime\en-US\svchrpx.ini	svchrpx.exe
File opened for modification	C:\Windows\Debug\win.dat	cmd.exe
File opened for modification	C:\Windows\Debug\tb.dat	cmd.exe
File created	C:\Windows\ime\scripts.ini	cmd.exe
File opened for modification	C:\Windows\ime\scripts.ini	cmd.exe
File created	C:\Windows\ime\svchrpx.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3320	tasklist.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4656	rundll32.exe
4656	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3668	svchrpx.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3320	tasklist.exe
Token: 33	3668	svchrpx.exe
Token: SeIncBasePriorityPrivilege	3668	svchrpx.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3668	svchrpx.exe
3668	svchrpx.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 3628	2444	e1c6c9cde48689a2658fb0551202ca5ebadca361588681841815507a34cfe1c9.exe	83
PID 2444 wrote to memory of 3628	2444	e1c6c9cde48689a2658fb0551202ca5ebadca361588681841815507a34cfe1c9.exe	83
PID 2444 wrote to memory of 3628	2444	e1c6c9cde48689a2658fb0551202ca5ebadca361588681841815507a34cfe1c9.exe	83
PID 3628 wrote to memory of 2032	3628	cmd.exe	86
PID 3628 wrote to memory of 2032	3628	cmd.exe	86
PID 3628 wrote to memory of 2032	3628	cmd.exe	86
PID 3628 wrote to memory of 8	3628	cmd.exe	87
PID 3628 wrote to memory of 8	3628	cmd.exe	87
PID 3628 wrote to memory of 8	3628	cmd.exe	87
PID 3628 wrote to memory of 3320	3628	cmd.exe	89
PID 3628 wrote to memory of 3320	3628	cmd.exe	89
PID 3628 wrote to memory of 3320	3628	cmd.exe	89
PID 3628 wrote to memory of 32	3628	cmd.exe	88
PID 3628 wrote to memory of 32	3628	cmd.exe	88
PID 3628 wrote to memory of 32	3628	cmd.exe	88
PID 3628 wrote to memory of 4656	3628	cmd.exe	90
PID 3628 wrote to memory of 4656	3628	cmd.exe	90
PID 3628 wrote to memory of 4656	3628	cmd.exe	90
PID 3628 wrote to memory of 3668	3628	cmd.exe	91
PID 3628 wrote to memory of 3668	3628	cmd.exe	91
PID 3628 wrote to memory of 3668	3628	cmd.exe	91

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2032	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e1c6c9cde48689a2658fb0551202ca5ebadca361588681841815507a34cfe1c9.exe
"C:\Users\Admin\AppData\Local\Temp\e1c6c9cde48689a2658fb0551202ca5ebadca361588681841815507a34cfe1c9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BA6B.tmp\sso.bat" "
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Windows\system32\GroupPolicy\*.* -r -s -h /s /d
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2032
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /v "PendingFileRenameOperations2" /t "REG_MULTI_SZ" /d "\??\C:\Windows\ime0\0\??C:\Windows\ime\0\??\C:\Windows\ime\scripts.ini\0\??\C:\Windows\System32\GroupPolicy\user\Scripts\scripts.ini" /f
    3⤵
    PID:8
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i "ravmond.exe"
    3⤵
    PID:32
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3320
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\ime\winxp.dat,Launch
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4656
- - C:\Windows\ime\svchrpx.exe
    C:\Windows\ime\svchrpx.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BA6B.tmp\sso.bat

Filesize
1KB

MD5
87ec8415dca590be1f38a046c1712670

SHA1
1f7e1d8402a896172e166bd140bc2244df3e8dc1

SHA256
7da9f7ec467b93e536f419b762557f04c50f8b830adcc55d407c4832744f376e

SHA512
104cb0980f2f3b7a8b36822326b9fb2e14d4e5e4adfeff12566592c114eae9955ab8f5a498e83f9e212365cf77e6cc0c1d299f8a83dcf5cf63f7e14439a2ca02

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA6B.tmp\tb.dat

Filesize
11.1MB

MD5
c5bc1a8543c56113bc75cf6d2d265e8d

SHA1
d3b3f023bd869c34ac04ece604739c78a0fc50ca

SHA256
962db84d40e2263e16eb4d878cfbaa14e33e5e8654129f21f048e2870c994065

SHA512
e3e30d781e1bcba3c86653f2202d0de1f2ee613590053134cd33488d05ba64c2054235b2187a4ece1b618872394f90cfcf4bfa9c6b5df3703d1b8568bf019ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA6B.tmp\win.bat

Filesize
1KB

MD5
c48370acb2152b96f50eed42c5e0339b

SHA1
649f98316924a75adc4167df424946d34cd0db19

SHA256
b26417db14dc4acf04e19cbb0fddb22a2b5c427c7a5e586878cd1d1a746678dc

SHA512
2f9c966aca621018d039f030f0d5e147d43ed72c0fffa1586d2400f2baf0019201dd2fc5eead557694387f8ae42b9a3820c188120a4db2161d9485e8d7290219

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA6B.tmp\woti.dat

Filesize
10.2MB

MD5
fd8ce673459a691009504674a0b113b7

SHA1
71e459ad5cd23922c04a9620e7df544ee3666854

SHA256
8c9fd1124bdcf6d8a90eb3ff26cfa5c6ba08d157062055dba7528b15d90bd12b

SHA512
de4a445bbf2764697aba66d2ab897aae2cb71e93dbcffac32da25d8e987cf37f9df394465182d9288a7ea8b338615837d39c89e57ac95fab3b3c579cbc6b08f1

Download Submit
C:\Windows\IME\svchrpx.exe

Filesize
11.1MB

MD5
c5bc1a8543c56113bc75cf6d2d265e8d

SHA1
d3b3f023bd869c34ac04ece604739c78a0fc50ca

SHA256
962db84d40e2263e16eb4d878cfbaa14e33e5e8654129f21f048e2870c994065

SHA512
e3e30d781e1bcba3c86653f2202d0de1f2ee613590053134cd33488d05ba64c2054235b2187a4ece1b618872394f90cfcf4bfa9c6b5df3703d1b8568bf019ead

Download Submit
C:\Windows\IME\winxp.dat

Filesize
10.2MB

MD5
fd8ce673459a691009504674a0b113b7

SHA1
71e459ad5cd23922c04a9620e7df544ee3666854

SHA256
8c9fd1124bdcf6d8a90eb3ff26cfa5c6ba08d157062055dba7528b15d90bd12b

SHA512
de4a445bbf2764697aba66d2ab897aae2cb71e93dbcffac32da25d8e987cf37f9df394465182d9288a7ea8b338615837d39c89e57ac95fab3b3c579cbc6b08f1

Download Submit
C:\Windows\ime\svchrpx.exe

Filesize
11.1MB

MD5
c5bc1a8543c56113bc75cf6d2d265e8d

SHA1
d3b3f023bd869c34ac04ece604739c78a0fc50ca

SHA256
962db84d40e2263e16eb4d878cfbaa14e33e5e8654129f21f048e2870c994065

SHA512
e3e30d781e1bcba3c86653f2202d0de1f2ee613590053134cd33488d05ba64c2054235b2187a4ece1b618872394f90cfcf4bfa9c6b5df3703d1b8568bf019ead

Download Submit
C:\Windows\ime\winxp.dat

Filesize
10.2MB

MD5
fd8ce673459a691009504674a0b113b7

SHA1
71e459ad5cd23922c04a9620e7df544ee3666854

SHA256
8c9fd1124bdcf6d8a90eb3ff26cfa5c6ba08d157062055dba7528b15d90bd12b

SHA512
de4a445bbf2764697aba66d2ab897aae2cb71e93dbcffac32da25d8e987cf37f9df394465182d9288a7ea8b338615837d39c89e57ac95fab3b3c579cbc6b08f1

Download Submit
memory/2444-132-0x0000000000400000-0x0000000001954000-memory.dmp

Filesize
21.3MB

Download
memory/2444-148-0x0000000000400000-0x0000000001954000-memory.dmp

Filesize
21.3MB

Download
memory/4656-149-0x0000000073BA0000-0x0000000073CB9000-memory.dmp

Filesize
1.1MB

Download
memory/4656-150-0x0000000073BA0000-0x0000000073CB9000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads