90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70

General

Target

90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70.exe
Size

657KB
MD5

24d69a57fc6936a88cad6106398b8e37
SHA1

85e614665a806e795937629b67e7e98d234268aa
SHA256

90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70
SHA512

4c9f507e3391d54cd35d5ab9933401f18916decbb7fcf61950e28f9a93713ba34922286f63e074e30c536acb196b0c8271036d90c31bbad4c114fa5155050c17
SSDEEP

12288:tre4zLzM7RGvHHRrZyHQxDzCmAWdPOkQXgxWKQQWO6PfTP6rSiyoS3:tre4zLzM9Gf9EwxfCmldmkQXgxWLh9Tz

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2384	svcszic.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3140-132-0x0000000000400000-0x0000000001955000-memory.dmp	upx
behavioral2/memory/3140-133-0x0000000000400000-0x0000000001955000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70.exe

Loads dropped DLL 1 IoCs

pid	Process
4224	rundll32.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts\Shutdown	attrib.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts\Startup	attrib.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts	attrib.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user	attrib.exe
File created	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	cmd.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	cmd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\Ole DB\msadotb.htm	svcszic.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\tb.dat	cmd.exe
File opened for modification	C:\Windows\ime\scripts.ini	cmd.exe
File opened for modification	C:\Windows\ime\de-DE\svcszic.ini	svcszic.exe
File opened for modification	C:\Windows\ime\winxp.dat	cmd.exe
File created	C:\Windows\ime\svcszic.exe	cmd.exe
File opened for modification	C:\Windows\ime\svcszic.exe	cmd.exe
File created	C:\Windows\Debug\error.gg	cmd.exe
File opened for modification	C:\Windows\Debug\win.dat	cmd.exe
File created	C:\Windows\ime\scripts.ini	cmd.exe
File created	C:\Windows\ime\winxp.dat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4224	rundll32.exe
4224	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2384	svcszic.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2384	svcszic.exe
Token: SeIncBasePriorityPrivilege	2384	svcszic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2384	svcszic.exe
2384	svcszic.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 2864	3140	90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70.exe	83
PID 3140 wrote to memory of 2864	3140	90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70.exe	83
PID 3140 wrote to memory of 2864	3140	90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70.exe	83
PID 2864 wrote to memory of 1052	2864	cmd.exe	86
PID 2864 wrote to memory of 1052	2864	cmd.exe	86
PID 2864 wrote to memory of 1052	2864	cmd.exe	86
PID 2864 wrote to memory of 764	2864	cmd.exe	87
PID 2864 wrote to memory of 764	2864	cmd.exe	87
PID 2864 wrote to memory of 764	2864	cmd.exe	87
PID 2864 wrote to memory of 4224	2864	cmd.exe	88
PID 2864 wrote to memory of 4224	2864	cmd.exe	88
PID 2864 wrote to memory of 4224	2864	cmd.exe	88
PID 2864 wrote to memory of 2384	2864	cmd.exe	89
PID 2864 wrote to memory of 2384	2864	cmd.exe	89
PID 2864 wrote to memory of 2384	2864	cmd.exe	89

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1052	attrib.exe

C:\Users\Admin\AppData\Local\Temp\90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70.exe
"C:\Users\Admin\AppData\Local\Temp\90c42317f49c11978f89c050312aa7af3df908090a97c04e27d04b389f848e70.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5469.tmp\sso.bat" "
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Windows\system32\GroupPolicy\*.* -r -s -h /s /d
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1052
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /v "PendingFileRenameOperations2" /t "REG_MULTI_SZ" /d "\??\C:\Windows\ime0\0\??C:\Windows\ime\0\??\C:\Windows\ime\scripts.ini\0\??\C:\Windows\System32\GroupPolicy\user\Scripts\scripts.ini" /f
    3⤵
    PID:764
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\ime\winxp.dat,Launch
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4224
- - C:\Windows\ime\svcszic.exe
    C:\Windows\ime\svcszic.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5469.tmp\sso.bat

Filesize
2KB

MD5
324ad9a625d434e09152589fb88e73b5

SHA1
9fb1a51f9271818647d8dd869f1f0dc92c776843

SHA256
df2b9a6dabfef8b4c35218a402ec5dead538e8c7ba67ac1047c20a0e9ab9768d

SHA512
762fc29ee4cf1e09874d81dabaa5e60b2277d55ec8c55ca637be20d84a4ef21fb6fdf049bad4d2fab8b8d07b6e264d41733de07966e3c9da4cf451135d31a174

Download Submit
C:\Users\Admin\AppData\Local\Temp\5469.tmp\tb.dat

Filesize
11.1MB

MD5
a7487fe7ff0d3d0d1c404597ed00edfd

SHA1
634980623b2546eaeab922f2a3cf32e2bdcdf2f2

SHA256
30865d40cd692931b99e94a0bf064a247861d22285934ca691293ad2bb0a1a59

SHA512
bc09bc5407ab0899813b015153fb313167140f7ef032b8690ae65ca6438f5250677a2eab9fbc4388fd286009a9db3788b24b8d945236b01d0e768bf9d88f335a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5469.tmp\win.bat

Filesize
1KB

MD5
0c5774a46b89a9ac3258cf3924b7c94a

SHA1
6bd7f1de8a61ba65a81eb2d79eb7b2e59fa93846

SHA256
33f49f5e9835948701a8e093ea3a9792f4e5bd7ed4a1a55282c5e2bf06d37028

SHA512
00cfbcba2f6786b4b6f907ece399e56de84d30ece7e2f43f4a2fa961d79e5826c05b5233c1e8986da88e37bafd2b77e93c88c157f695e4ffca28af483cd1d00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5469.tmp\woti.dat

Filesize
10.2MB

MD5
60e1559e570e713cfbeedc442f53b767

SHA1
4a8801ac53137e7bc944b2b680cad87984ae3262

SHA256
b87fbafe7d945c2b79faaf1f7e50f670c4de3e3f2ab1ae145e7a5f863aa239ee

SHA512
c5a3d7426a062d2ce626a4fa051d46eae07f1f7064dcffec33bbaa979415cd4a94382dd7ab179a71f8d6c9d97536256d26cf6bfa6e67983e8bf4e66d5811b907

Download Submit
C:\Windows\IME\svcszic.exe

Filesize
11.1MB

MD5
a7487fe7ff0d3d0d1c404597ed00edfd

SHA1
634980623b2546eaeab922f2a3cf32e2bdcdf2f2

SHA256
30865d40cd692931b99e94a0bf064a247861d22285934ca691293ad2bb0a1a59

SHA512
bc09bc5407ab0899813b015153fb313167140f7ef032b8690ae65ca6438f5250677a2eab9fbc4388fd286009a9db3788b24b8d945236b01d0e768bf9d88f335a

Download Submit
C:\Windows\IME\winxp.dat

Filesize
10.2MB

MD5
60e1559e570e713cfbeedc442f53b767

SHA1
4a8801ac53137e7bc944b2b680cad87984ae3262

SHA256
b87fbafe7d945c2b79faaf1f7e50f670c4de3e3f2ab1ae145e7a5f863aa239ee

SHA512
c5a3d7426a062d2ce626a4fa051d46eae07f1f7064dcffec33bbaa979415cd4a94382dd7ab179a71f8d6c9d97536256d26cf6bfa6e67983e8bf4e66d5811b907

Download Submit
C:\Windows\ime\svcszic.exe

Filesize
11.1MB

MD5
a7487fe7ff0d3d0d1c404597ed00edfd

SHA1
634980623b2546eaeab922f2a3cf32e2bdcdf2f2

SHA256
30865d40cd692931b99e94a0bf064a247861d22285934ca691293ad2bb0a1a59

SHA512
bc09bc5407ab0899813b015153fb313167140f7ef032b8690ae65ca6438f5250677a2eab9fbc4388fd286009a9db3788b24b8d945236b01d0e768bf9d88f335a

Download Submit
C:\Windows\ime\winxp.dat

Filesize
10.2MB

MD5
60e1559e570e713cfbeedc442f53b767

SHA1
4a8801ac53137e7bc944b2b680cad87984ae3262

SHA256
b87fbafe7d945c2b79faaf1f7e50f670c4de3e3f2ab1ae145e7a5f863aa239ee

SHA512
c5a3d7426a062d2ce626a4fa051d46eae07f1f7064dcffec33bbaa979415cd4a94382dd7ab179a71f8d6c9d97536256d26cf6bfa6e67983e8bf4e66d5811b907

Download Submit
memory/3140-132-0x0000000000400000-0x0000000001955000-memory.dmp

Filesize
21.3MB

Download
memory/3140-133-0x0000000000400000-0x0000000001955000-memory.dmp

Filesize
21.3MB

Download
memory/4224-147-0x0000000074CE0000-0x0000000074DF9000-memory.dmp

Filesize
1.1MB

Download
memory/4224-148-0x0000000074CE0000-0x0000000074DF9000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads