a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca

General

Target

a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe
Size

202KB
MD5

e59ec66feda740973c7ab1fb8c6a2e81
SHA1

235a9d656647910648e134ef42e3cc36dd62a687
SHA256

a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca
SHA512

c2a5a4be9994a5239d57b8db16b97a484bd4fcf21f36ddafda7611e2aebad81d6cd5a44f55ac151c85f72eb63ab7e11bed5c894d34424c5cbc7f9085d025bb47
SSDEEP

3072:Pm3xAixt4HsHV9akIRZt6XL6TPixomP0yd+kBOPvIedIdutqqJPOI88vKiW+Ecwn:Pm3+m4qV2Kp0y5wPwEIQtqqtOIJX8es3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4292	inl42D7.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wbem\fxsst.dll	inl42D7.tmp

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LiveMeeting\rarExts32.dat	inl42D7.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4612	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 2040	4612	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	83
PID 4612 wrote to memory of 2040	4612	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	83
PID 4612 wrote to memory of 2040	4612	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	83
PID 4612 wrote to memory of 4632	4612	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	85
PID 4612 wrote to memory of 4632	4612	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	85
PID 4612 wrote to memory of 4632	4612	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	85
PID 4612 wrote to memory of 3276	4612	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	87
PID 4612 wrote to memory of 3276	4612	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	87
PID 4612 wrote to memory of 3276	4612	a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe	87
PID 4632 wrote to memory of 3772	4632	cmd.exe	88
PID 4632 wrote to memory of 3772	4632	cmd.exe	88
PID 4632 wrote to memory of 3772	4632	cmd.exe	88
PID 2040 wrote to memory of 4292	2040	cmd.exe	90
PID 2040 wrote to memory of 4292	2040	cmd.exe	90
PID 2040 wrote to memory of 4292	2040	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe
"C:\Users\Admin\AppData\Local\Temp\a0a633df06fee67b405e67a5aee39ecdf2722f6932c61c2426a1170c67009fca.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\inl42D7.tmp
    C:\Users\Admin\AppData\Local\Temp\inl42D7.tmp amd-k5p4g.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:4292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    PID:3772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A0A633~1.EXE > nul
  2⤵
  PID:3276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\amd-k5p4g.tmp

Filesize
763B

MD5
3e0894dbd05b27b148df2737884ea8e8

SHA1
91b50baad5dec9d14febf96722e28409346b5115

SHA256
65d08113cb9920fcf07aef4073d2d60f0deea7fdacb64b205217b46d69ff27ec

SHA512
5cb5015356acde2b538268d6997dccfe9d4be5454713df0351b69e38c524df48288e45a766d106901615f2ffba3e1036870e66e0fd0fa91ae851fd19501562e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl42D7.tmp

Filesize
172.6MB

MD5
dbffec36c9c6b0e686b98cf8b4d135eb

SHA1
e31114e3e2b727c1362bd3ae60ca5ca6d2255b95

SHA256
92bd460244ed2c27b603e17aa331b76b6fa09888101424d0153432d816ffc8a9

SHA512
186c2e28a692c48ead466361250e9688fc78c96abfc1fe3161ac57bd56e9893a4b542a21229b1108941063c98a4fb8b3d278251bb17e8ea9bfb3370ace7a2279

Download Submit
C:\Users\Admin\AppData\Local\Temp\inl42D7.tmp

Filesize
172.6MB

MD5
dbffec36c9c6b0e686b98cf8b4d135eb

SHA1
e31114e3e2b727c1362bd3ae60ca5ca6d2255b95

SHA256
92bd460244ed2c27b603e17aa331b76b6fa09888101424d0153432d816ffc8a9

SHA512
186c2e28a692c48ead466361250e9688fc78c96abfc1fe3161ac57bd56e9893a4b542a21229b1108941063c98a4fb8b3d278251bb17e8ea9bfb3370ace7a2279

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
59B

MD5
921f62e9dd0ed146b0feb86446d01720

SHA1
a7cfabe36d2e229650868a8cd766df2a3c0bf008

SHA256
948113f94a0a531ad2f152571b0e2a14bc9576af9f4b6a33bf886d0d8ddcd123

SHA512
23d8376969cfa3fbe65ac217309b093dee387b270fc6d5061de606730410ad6502aa15814ec2dfe46695c1f945e74c55bebaa6a822fbd76a00d7933e1f46f023

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/4292-147-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4292-148-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/4612-138-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4612-132-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4612-134-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/4612-133-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing