94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62

General

Target

94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62.exe
Size

155KB
MD5

ce860ed9325bb438879533e4bbd542af
SHA1

7a812e759eef17be14332a647d95236031ce9f65
SHA256

94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62
SHA512

61cd7b468ca818cc61a57146b444205ca1149b73167a45652bd9ddb2c2b8b259b797325686707e736ae536a40bc4f9242c3311364d13b5745c9e7498cf3c420c
SSDEEP

3072:dzNWMKKRZYcyObK91C8sV6Xmoo4LEpYHLFwKo4rB5MTXndUdi3D:dZuNObR8sVImcyYHLFgQodUMz

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2304	DosRar.exe
3972	ok.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000022e1f-134.dat	upx
behavioral2/files/0x0007000000022e1f-133.dat	upx
behavioral2/memory/2304-135-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000022e20-139.dat	upx
behavioral2/files/0x0008000000022e20-140.dat	upx
behavioral2/memory/2304-143-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3972-144-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/2304-145-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WinRAR\DosRar.exe	94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62.exe
File opened for modification	C:\Program Files (x86)\WinRAR	94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62.exe
File created	C:\Program Files (x86)\ok.exe	94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62.exe
File opened for modification	C:\Program Files (x86)\ok.exe	94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62.exe
File created	C:\Program Files (x86)\Internet Explorer\smss.exe	DosRar.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\smss.exe	DosRar.exe
File created	C:\Program Files (x86)\NetMeeting\Isinter.gif	DosRar.exe
File created	C:\Program Files (x86)\__tmp_rar_sfx_access_check_240567953	94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62.exe
File opened for modification	C:\Program Files (x86)\WinRAR\DosRar.exe	94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2304	DosRar.exe
3972	ok.exe
2304	DosRar.exe
2304	DosRar.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 2304	4340	94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62.exe	79
PID 4340 wrote to memory of 2304	4340	94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62.exe	79
PID 4340 wrote to memory of 2304	4340	94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62.exe	79
PID 4340 wrote to memory of 3972	4340	94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62.exe	80
PID 4340 wrote to memory of 3972	4340	94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62.exe	80
PID 4340 wrote to memory of 3972	4340	94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62.exe	80

C:\Users\Admin\AppData\Local\Temp\94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62.exe
"C:\Users\Admin\AppData\Local\Temp\94de91e9dfb877dcdae7f2ebefdfa8b28226ca643f425eaa09a49dad35b3de62.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Program Files (x86)\WinRar\DosRar.exe
  "C:\Program Files (x86)\WinRar\DosRar.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2304
- C:\Program Files (x86)\ok.exe
  "C:\Program Files (x86)\ok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinRAR\DosRar.exe

Filesize
64KB

MD5
3dd5ecea38f8f9f7fd0f349d163d6357

SHA1
37d7186a2e99447947cb29cbd43f688dced62e54

SHA256
c7bc2eded99e55861b9d0a8111e512cb67a90db6551a9128220fc1cd0abf94a3

SHA512
fbb3e10ca514f0ba3bf3632f108e00da7101697bb53153d02036213c38bb9d962093c4779480efb9138955cf1a5af4d824e5b423488cf908446d516263e80ac1

Download Submit
C:\Program Files (x86)\WinRar\DosRar.exe

Filesize
64KB

MD5
3dd5ecea38f8f9f7fd0f349d163d6357

SHA1
37d7186a2e99447947cb29cbd43f688dced62e54

SHA256
c7bc2eded99e55861b9d0a8111e512cb67a90db6551a9128220fc1cd0abf94a3

SHA512
fbb3e10ca514f0ba3bf3632f108e00da7101697bb53153d02036213c38bb9d962093c4779480efb9138955cf1a5af4d824e5b423488cf908446d516263e80ac1

Download Submit
C:\Program Files (x86)\ok.exe

Filesize
13KB

MD5
b13d0fc719968715fc0e3fd2e960769c

SHA1
3ff871966c7df07a8314dad114071db07c482fc6

SHA256
02c14dc66779f66102b6d21be3fb6ecac4f1da4752edf4ae5b01e4ec4d8392a8

SHA512
6e59f7314760de3750692f91c046287233b99a99f9e4fdd0777da33f801f2a21dc3c1cea2690be80435bc164e880d332ecd5604e7a7f7a3d14e86d19519b1d36

Download Submit
C:\Program Files (x86)\ok.exe

Filesize
13KB

MD5
b13d0fc719968715fc0e3fd2e960769c

SHA1
3ff871966c7df07a8314dad114071db07c482fc6

SHA256
02c14dc66779f66102b6d21be3fb6ecac4f1da4752edf4ae5b01e4ec4d8392a8

SHA512
6e59f7314760de3750692f91c046287233b99a99f9e4fdd0777da33f801f2a21dc3c1cea2690be80435bc164e880d332ecd5604e7a7f7a3d14e86d19519b1d36

Download Submit
memory/2304-135-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2304-143-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2304-145-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3972-144-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing