60e8bb55015d4a38161a31731c67aa0475886eedbaa32fcc69a401570334d762

General

Target

60e8bb55015d4a38161a31731c67aa0475886eedbaa32fcc69a401570334d762.exe
Size

200KB
MD5

250cecf9e1f03c3c9f0ba9e445ca86e0
SHA1

b46fa031731c7d288b33baa9f4b24a2da35aa8d9
SHA256

60e8bb55015d4a38161a31731c67aa0475886eedbaa32fcc69a401570334d762
SHA512

ec259b4e789641b94956b3040655de18550c421d3cb13e41e6fd3f41da65b08dcf08b28086b9979afee75650e73fe8672f6d5d9f74f0bd28dd1368dde57e7814
SSDEEP

3072:VSL/4C3y4CpCfCGCCOCwC9CvCFCfCLCvCUCLC2FInROUSRSGSuSQSmSNS4SQSsSh:mv3yGFInRO

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
604	hiemaal.exe
3636	yeado.exe
1244	jpfex.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	60e8bb55015d4a38161a31731c67aa0475886eedbaa32fcc69a401570334d762.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	hiemaal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	yeado.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1388	60e8bb55015d4a38161a31731c67aa0475886eedbaa32fcc69a401570334d762.exe
1388	60e8bb55015d4a38161a31731c67aa0475886eedbaa32fcc69a401570334d762.exe
604	hiemaal.exe
604	hiemaal.exe
3636	yeado.exe
3636	yeado.exe
1244	jpfex.exe
1244	jpfex.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1388	60e8bb55015d4a38161a31731c67aa0475886eedbaa32fcc69a401570334d762.exe
604	hiemaal.exe
3636	yeado.exe
1244	jpfex.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 604	1388	60e8bb55015d4a38161a31731c67aa0475886eedbaa32fcc69a401570334d762.exe	81
PID 1388 wrote to memory of 604	1388	60e8bb55015d4a38161a31731c67aa0475886eedbaa32fcc69a401570334d762.exe	81
PID 1388 wrote to memory of 604	1388	60e8bb55015d4a38161a31731c67aa0475886eedbaa32fcc69a401570334d762.exe	81
PID 604 wrote to memory of 3636	604	hiemaal.exe	82
PID 604 wrote to memory of 3636	604	hiemaal.exe	82
PID 604 wrote to memory of 3636	604	hiemaal.exe	82
PID 3636 wrote to memory of 1244	3636	yeado.exe	83
PID 3636 wrote to memory of 1244	3636	yeado.exe	83
PID 3636 wrote to memory of 1244	3636	yeado.exe	83

C:\Users\Admin\AppData\Local\Temp\60e8bb55015d4a38161a31731c67aa0475886eedbaa32fcc69a401570334d762.exe
"C:\Users\Admin\AppData\Local\Temp\60e8bb55015d4a38161a31731c67aa0475886eedbaa32fcc69a401570334d762.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\hiemaal.exe
  "C:\Users\Admin\hiemaal.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Users\Admin\yeado.exe
    "C:\Users\Admin\yeado.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Users\Admin\jpfex.exe
      "C:\Users\Admin\jpfex.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\hiemaal.exe

Filesize
200KB

MD5
8c9c0e89e2e6ab41859de23ad860d5c2

SHA1
1e5eef6fba3c37a2466d03194b1e19e5e5e36aa4

SHA256
500f9f47144c05deb42044528f2533b0c0280e93f603fb3634fedd26a7de301d

SHA512
eb25349ae10a5c7644155541cccf10cc9742416d359ebe7f87a73bfa865aaf5b676e8a45081f7f05bcafbe758a7090ee1f188046b0c8aba1c22dafca90dee7de

Download Submit
C:\Users\Admin\hiemaal.exe

Filesize
200KB

MD5
8c9c0e89e2e6ab41859de23ad860d5c2

SHA1
1e5eef6fba3c37a2466d03194b1e19e5e5e36aa4

SHA256
500f9f47144c05deb42044528f2533b0c0280e93f603fb3634fedd26a7de301d

SHA512
eb25349ae10a5c7644155541cccf10cc9742416d359ebe7f87a73bfa865aaf5b676e8a45081f7f05bcafbe758a7090ee1f188046b0c8aba1c22dafca90dee7de

Download Submit
C:\Users\Admin\jpfex.exe

Filesize
200KB

MD5
27299cb449b0929238acd5f757677ecb

SHA1
00d163af0c3ecad7bbdc525e34a9ff8e7387d686

SHA256
e2ccaedc01fdddea0c3409f78b6e219d61c540dbc4d9790642c32fb4a7713515

SHA512
41548f4c7861f5c4549fe618117e88ec5f5f46c1cb6fa16ef45e1cf603f1d4b073f415251edcdccfbdda45879db9f524e4afc1c06c5199bce665cfaf109425f2

Download Submit
C:\Users\Admin\jpfex.exe

Filesize
200KB

MD5
27299cb449b0929238acd5f757677ecb

SHA1
00d163af0c3ecad7bbdc525e34a9ff8e7387d686

SHA256
e2ccaedc01fdddea0c3409f78b6e219d61c540dbc4d9790642c32fb4a7713515

SHA512
41548f4c7861f5c4549fe618117e88ec5f5f46c1cb6fa16ef45e1cf603f1d4b073f415251edcdccfbdda45879db9f524e4afc1c06c5199bce665cfaf109425f2

Download Submit
C:\Users\Admin\yeado.exe

Filesize
200KB

MD5
e526cd9ed8fcbdb8df03a204ba3a202a

SHA1
6000647539b74b17964a27446743ad42b7184bf2

SHA256
d1d969a367a733da16be55dafa488166780ec60b7298aa61ed124fe84b059bbe

SHA512
44e715991742195db81eb9a18264fc84b68f239dd456bc4141fcb377b02fc9a7a2ea5fdfc3d2e8141e1f10a2e321b62ebf643bcdcffa053b25cc5698be8d617a

Download Submit
C:\Users\Admin\yeado.exe

Filesize
200KB

MD5
e526cd9ed8fcbdb8df03a204ba3a202a

SHA1
6000647539b74b17964a27446743ad42b7184bf2

SHA256
d1d969a367a733da16be55dafa488166780ec60b7298aa61ed124fe84b059bbe

SHA512
44e715991742195db81eb9a18264fc84b68f239dd456bc4141fcb377b02fc9a7a2ea5fdfc3d2e8141e1f10a2e321b62ebf643bcdcffa053b25cc5698be8d617a

Download Submit
memory/604-141-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/604-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1244-155-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1388-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1388-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3636-148-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3636-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing