e24703edbc71118dc2a21a1d145147cea8be45a0895283f2cb0fee596a753a05

General

Target

e24703edbc71118dc2a21a1d145147cea8be45a0895283f2cb0fee596a753a05.exe
Size

280KB
MD5

0c90de73cb1c3c5dc2d4df203bcfff07
SHA1

95c9e0f0fd19c20d26c56eb44245778fb3aee6f4
SHA256

e24703edbc71118dc2a21a1d145147cea8be45a0895283f2cb0fee596a753a05
SHA512

9b967357f1c08f909734fffb64bac25696a3762b0448a9bd5420f3057d4b5444fffd5ce47aa6eda288f57d4f52b52e0f99c9e86c1d1acfcec6b09d30cc8adebf
SSDEEP

6144:J3Bh+L4oAd4r3wi3R6JqJCAL4WsXz11PDhTAXBgoz:Jf+TAdQf49z6BgK

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3116	encrypt.exe
3720	encrypt.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	e24703edbc71118dc2a21a1d145147cea8be45a0895283f2cb0fee596a753a05.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3116 set thread context of 3720	3116	encrypt.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3244	3720	WerFault.exe	95
3516	3116	WerFault.exe	88
2300	3116	WerFault.exe	88

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3116	encrypt.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 3116	4200	e24703edbc71118dc2a21a1d145147cea8be45a0895283f2cb0fee596a753a05.exe	88
PID 4200 wrote to memory of 3116	4200	e24703edbc71118dc2a21a1d145147cea8be45a0895283f2cb0fee596a753a05.exe	88
PID 4200 wrote to memory of 3116	4200	e24703edbc71118dc2a21a1d145147cea8be45a0895283f2cb0fee596a753a05.exe	88
PID 4200 wrote to memory of 1872	4200	e24703edbc71118dc2a21a1d145147cea8be45a0895283f2cb0fee596a753a05.exe	93
PID 4200 wrote to memory of 1872	4200	e24703edbc71118dc2a21a1d145147cea8be45a0895283f2cb0fee596a753a05.exe	93
PID 4200 wrote to memory of 1872	4200	e24703edbc71118dc2a21a1d145147cea8be45a0895283f2cb0fee596a753a05.exe	93
PID 3116 wrote to memory of 3720	3116	encrypt.exe	95
PID 3116 wrote to memory of 3720	3116	encrypt.exe	95
PID 3116 wrote to memory of 3720	3116	encrypt.exe	95
PID 3116 wrote to memory of 3720	3116	encrypt.exe	95
PID 3116 wrote to memory of 3720	3116	encrypt.exe	95
PID 3116 wrote to memory of 3720	3116	encrypt.exe	95
PID 3116 wrote to memory of 3720	3116	encrypt.exe	95

C:\Users\Admin\AppData\Local\Temp\e24703edbc71118dc2a21a1d145147cea8be45a0895283f2cb0fee596a753a05.exe
"C:\Users\Admin\AppData\Local\Temp\e24703edbc71118dc2a21a1d145147cea8be45a0895283f2cb0fee596a753a05.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Users\Admin\Desktop\encrypt.exe
  "C:\Users\Admin\Desktop\encrypt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Users\Admin\Desktop\encrypt.exe
    C:\Users\Admin\Desktop\encrypt.exe
    3⤵
    - Executes dropped EXE
    PID:3720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 12
      4⤵
      Program crash
      PID:3244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 524
    3⤵
    - Program crash
    PID:3516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 544
    3⤵
    - Program crash
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Pictures\1212921026.bat" "
  2⤵
  PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3116 -ip 3116
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3720 -ip 3720
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3116 -ip 3116
1⤵
PID:3396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\encrypt.exe

Filesize
83KB

MD5
74ede9b41d87bddcf8f652293ecc53f9

SHA1
09681579c228c2be8aa548b76e16597519f255a1

SHA256
1f1fdafe2260baecdd6d7e1a688a430806fb6fde65aeae508b374ad754c03f63

SHA512
93f0b5bc2fe2390ca71cac708a5bbc49ffe4dad7f09927ce0e3fe5ec23a8dee5b9f87121b8044ee1ea4730be1937a01b3d1aa78cd25055b922cdeac7f61d4136

Download Submit
C:\Users\Admin\Desktop\encrypt.exe

Filesize
83KB

MD5
74ede9b41d87bddcf8f652293ecc53f9

SHA1
09681579c228c2be8aa548b76e16597519f255a1

SHA256
1f1fdafe2260baecdd6d7e1a688a430806fb6fde65aeae508b374ad754c03f63

SHA512
93f0b5bc2fe2390ca71cac708a5bbc49ffe4dad7f09927ce0e3fe5ec23a8dee5b9f87121b8044ee1ea4730be1937a01b3d1aa78cd25055b922cdeac7f61d4136

Download Submit
C:\Users\Admin\Desktop\encrypt.exe

Filesize
83KB

MD5
74ede9b41d87bddcf8f652293ecc53f9

SHA1
09681579c228c2be8aa548b76e16597519f255a1

SHA256
1f1fdafe2260baecdd6d7e1a688a430806fb6fde65aeae508b374ad754c03f63

SHA512
93f0b5bc2fe2390ca71cac708a5bbc49ffe4dad7f09927ce0e3fe5ec23a8dee5b9f87121b8044ee1ea4730be1937a01b3d1aa78cd25055b922cdeac7f61d4136

Download Submit
C:\Users\Admin\Pictures\1212921026.bat

Filesize
260B

MD5
ebdf79b6b0123ae1fc9ec49ce5fa7a92

SHA1
8e47a825d15cf6144db84335280dcb40f302054e

SHA256
94a8442919d3be3d674e413dc737be4797b65529a719ae86e44604226833605c

SHA512
7d15d5718b23133295d9e7a7c9a234d13bd587b2153670a187178f1786a27650c80d2bb109eb0189dc9bb2961f9c9d8b2373f61f507ad95bcf3c32965fc7a6b9

Download Submit
memory/3116-135-0x0000000000400000-0x0000000000409352-memory.dmp

Filesize
36KB

Download
memory/3116-145-0x0000000000400000-0x0000000000409352-memory.dmp

Filesize
36KB

Download
memory/3720-141-0x0000000013140000-0x0000000013183000-memory.dmp

Filesize
268KB

Download
memory/3720-142-0x0000000013140000-0x0000000013183000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing