b656f6f681a35a8b91ca3159374f42d0fc54a33986eb49119e5dbdb4b515f87a

General

Target

b656f6f681a35a8b91ca3159374f42d0fc54a33986eb49119e5dbdb4b515f87a.exe
Size

342KB
MD5

baf1fee0e938380ab16d67d8fcec4b40
SHA1

8fa87c7eff5b3a70a4b857475fc3ae505af0547f
SHA256

b656f6f681a35a8b91ca3159374f42d0fc54a33986eb49119e5dbdb4b515f87a
SHA512

27ac9a727fdf117ee778be622ced752263f21ba5d33167faa8ea00508a99c1e2d3b776e8327c85a2a0f0e3d2e537fdff6fcf81d3ffc23531a62fca6b4a9a20d2
SSDEEP

6144:YibqI59PpOPf201/z7pZu7SJvAXxUaW+:YibqI59Pk2cb7pYCoXxUO

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3188	PreLoad.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	b656f6f681a35a8b91ca3159374f42d0fc54a33986eb49119e5dbdb4b515f87a.exe

Loads dropped DLL 2 IoCs

pid	Process
3188	PreLoad.exe
3188	PreLoad.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ICSharpCode.SharpZipLib.dll	b656f6f681a35a8b91ca3159374f42d0fc54a33986eb49119e5dbdb4b515f87a.exe
File created	C:\Windows\PreLoad.exe	b656f6f681a35a8b91ca3159374f42d0fc54a33986eb49119e5dbdb4b515f87a.exe
File created	C:\Windows\ZZ.zip	PreLoad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3188	PreLoad.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4652	b656f6f681a35a8b91ca3159374f42d0fc54a33986eb49119e5dbdb4b515f87a.exe
4652	b656f6f681a35a8b91ca3159374f42d0fc54a33986eb49119e5dbdb4b515f87a.exe
4652	b656f6f681a35a8b91ca3159374f42d0fc54a33986eb49119e5dbdb4b515f87a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 3188	4652	b656f6f681a35a8b91ca3159374f42d0fc54a33986eb49119e5dbdb4b515f87a.exe	91
PID 4652 wrote to memory of 3188	4652	b656f6f681a35a8b91ca3159374f42d0fc54a33986eb49119e5dbdb4b515f87a.exe	91
PID 4652 wrote to memory of 3188	4652	b656f6f681a35a8b91ca3159374f42d0fc54a33986eb49119e5dbdb4b515f87a.exe	91

C:\Users\Admin\AppData\Local\Temp\b656f6f681a35a8b91ca3159374f42d0fc54a33986eb49119e5dbdb4b515f87a.exe
"C:\Users\Admin\AppData\Local\Temp\b656f6f681a35a8b91ca3159374f42d0fc54a33986eb49119e5dbdb4b515f87a.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\PreLoad.exe
  "C:\Windows\PreLoad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ICSharpCode.SharpZipLib.dll

Filesize
196KB

MD5
c8164876b6f66616d68387443621510c

SHA1
7a9df9c25d49690b6a3c451607d311a866b131f4

SHA256
40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d

SHA512
44a6accc70c312a16d0e533d3287e380997c5e5d610dbeaa14b2dbb5567f2c41253b895c9817ecd96c85d286795bbe6ab35fd2352fddd9d191669a2fb0774bc4

Download Submit
C:\Windows\ICSharpCode.SharpZipLib.dll

Filesize
196KB

MD5
c8164876b6f66616d68387443621510c

SHA1
7a9df9c25d49690b6a3c451607d311a866b131f4

SHA256
40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d

SHA512
44a6accc70c312a16d0e533d3287e380997c5e5d610dbeaa14b2dbb5567f2c41253b895c9817ecd96c85d286795bbe6ab35fd2352fddd9d191669a2fb0774bc4

Download Submit
C:\Windows\ICSharpCode.SharpZipLib.dll

Filesize
196KB

MD5
c8164876b6f66616d68387443621510c

SHA1
7a9df9c25d49690b6a3c451607d311a866b131f4

SHA256
40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d

SHA512
44a6accc70c312a16d0e533d3287e380997c5e5d610dbeaa14b2dbb5567f2c41253b895c9817ecd96c85d286795bbe6ab35fd2352fddd9d191669a2fb0774bc4

Download Submit
C:\Windows\PreLoad.exe

Filesize
17KB

MD5
6cd6061f8f90110f3358a6fc47a9eb6e

SHA1
d47e199423c41c136212920ae75d8fc132954256

SHA256
60eebc6991d11b317ef3e32faf38e2ac5b67f8f410540bd0fcac88d04a0af624

SHA512
817ca8bc0b1d19475f407cd11bd1f64bf1d25b2acff670518144214afd319d39f9f9794830e6deda3bca6978126012d99b56e95ced08dee495bf88ba8afcc757

Download Submit
C:\Windows\PreLoad.exe

Filesize
17KB

MD5
6cd6061f8f90110f3358a6fc47a9eb6e

SHA1
d47e199423c41c136212920ae75d8fc132954256

SHA256
60eebc6991d11b317ef3e32faf38e2ac5b67f8f410540bd0fcac88d04a0af624

SHA512
817ca8bc0b1d19475f407cd11bd1f64bf1d25b2acff670518144214afd319d39f9f9794830e6deda3bca6978126012d99b56e95ced08dee495bf88ba8afcc757

Download Submit
memory/3188-141-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/3188-145-0x0000000005900000-0x0000000005934000-memory.dmp

Filesize
208KB

Download
memory/4652-137-0x0000000005540000-0x0000000005596000-memory.dmp

Filesize
344KB

Download
memory/4652-136-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/4652-132-0x00000000005C0000-0x000000000061C000-memory.dmp

Filesize
368KB

Download
memory/4652-135-0x0000000005340000-0x00000000053D2000-memory.dmp

Filesize
584KB

Download
memory/4652-134-0x0000000005810000-0x0000000005DB4000-memory.dmp

Filesize
5.6MB

Download
memory/4652-133-0x0000000004F80000-0x000000000501C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing