9f5109253a26ee99104ed970dd0d6efbc58a70ca35b2fe6ef6678e48cb608493

General

Target

9f5109253a26ee99104ed970dd0d6efbc58a70ca35b2fe6ef6678e48cb608493.exe
Size

222KB
MD5

89019b583f7ee8d007d301c3eecbafea
SHA1

b7ba83a55349b23685aa3f7cd025bed80b501f68
SHA256

9f5109253a26ee99104ed970dd0d6efbc58a70ca35b2fe6ef6678e48cb608493
SHA512

223f9dba494dbf016c3ebc1f2b7bd02339b981b5825c47372bec8db85226f43ab3dcb861a8415f886ddc5900feb312866293270aa3bf41e16ed52e7a11e2427a
SSDEEP

6144:FSDBxGZwYQpOUJumHsi3/uB/wFrUvpnMPMhDX:QvEopJJlMO/u1GrUvYMZ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2916	newgame.exe
1252	Memory.exe
1116	newgame.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	9f5109253a26ee99104ed970dd0d6efbc58a70ca35b2fe6ef6678e48cb608493.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 1116	2916	newgame.exe	84

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Memory.ini	Memory.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1872	1116	WerFault.exe	84

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2916	newgame.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2916	1288	9f5109253a26ee99104ed970dd0d6efbc58a70ca35b2fe6ef6678e48cb608493.exe	82
PID 1288 wrote to memory of 2916	1288	9f5109253a26ee99104ed970dd0d6efbc58a70ca35b2fe6ef6678e48cb608493.exe	82
PID 1288 wrote to memory of 2916	1288	9f5109253a26ee99104ed970dd0d6efbc58a70ca35b2fe6ef6678e48cb608493.exe	82
PID 1288 wrote to memory of 1252	1288	9f5109253a26ee99104ed970dd0d6efbc58a70ca35b2fe6ef6678e48cb608493.exe	83
PID 1288 wrote to memory of 1252	1288	9f5109253a26ee99104ed970dd0d6efbc58a70ca35b2fe6ef6678e48cb608493.exe	83
PID 1288 wrote to memory of 1252	1288	9f5109253a26ee99104ed970dd0d6efbc58a70ca35b2fe6ef6678e48cb608493.exe	83
PID 2916 wrote to memory of 1116	2916	newgame.exe	84
PID 2916 wrote to memory of 1116	2916	newgame.exe	84
PID 2916 wrote to memory of 1116	2916	newgame.exe	84
PID 2916 wrote to memory of 1116	2916	newgame.exe	84
PID 2916 wrote to memory of 1116	2916	newgame.exe	84
PID 2916 wrote to memory of 1116	2916	newgame.exe	84
PID 2916 wrote to memory of 1116	2916	newgame.exe	84

C:\Users\Admin\AppData\Local\Temp\9f5109253a26ee99104ed970dd0d6efbc58a70ca35b2fe6ef6678e48cb608493.exe
"C:\Users\Admin\AppData\Local\Temp\9f5109253a26ee99104ed970dd0d6efbc58a70ca35b2fe6ef6678e48cb608493.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\newgame.exe
  "C:\Users\Admin\AppData\Local\Temp\newgame.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\newgame.exe
    C:\Users\Admin\AppData\Local\Temp\newgame.exe
    3⤵
    - Executes dropped EXE
    PID:1116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 452
      4⤵
      Program crash
      PID:1872
- C:\Users\Admin\AppData\Local\Temp\Memory.exe
  "C:\Users\Admin\AppData\Local\Temp\Memory.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1116 -ip 1116
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Memory.exe

Filesize
542KB

MD5
c77a21569238244c1b57f1a5ff51c3f0

SHA1
923958fe3f2f7aa703e3c2bab2ba635140600cce

SHA256
6946779ccbb71273fef48783284f1accb07b3d57ef2f7217e5eeb6ff5f6a445f

SHA512
2e3d942bc752cbbb50b4ec48a8a3ccb075504d818f2d3f0ffefe68c21759ac8456b63171a4338e2ee4b6caef37ef7bbe459c33e663b4ea039b163b1a46edb839

Download Submit
C:\Users\Admin\AppData\Local\Temp\Memory.exe

Filesize
542KB

MD5
c77a21569238244c1b57f1a5ff51c3f0

SHA1
923958fe3f2f7aa703e3c2bab2ba635140600cce

SHA256
6946779ccbb71273fef48783284f1accb07b3d57ef2f7217e5eeb6ff5f6a445f

SHA512
2e3d942bc752cbbb50b4ec48a8a3ccb075504d818f2d3f0ffefe68c21759ac8456b63171a4338e2ee4b6caef37ef7bbe459c33e663b4ea039b163b1a46edb839

Download Submit
C:\Users\Admin\AppData\Local\Temp\newgame.exe

Filesize
123KB

MD5
18ee942a8c07a29252083a09ae6b05e4

SHA1
ccbd7c6e04206754fc682f71586deb833738582a

SHA256
efbca5e40c0313b58f0772c231cd3ecc4ec4258b162a643a94cab1c5c9615bb9

SHA512
d34b5b41ef22a4d7595d12227c41093bf13ee3687b6b8a964e774c8750684ba2e93d54e7f64e3dcc614f7e8f10bb6f0f966db75c9def6073c0d822e9fce6621b

Download Submit
C:\Users\Admin\AppData\Local\Temp\newgame.exe

Filesize
123KB

MD5
18ee942a8c07a29252083a09ae6b05e4

SHA1
ccbd7c6e04206754fc682f71586deb833738582a

SHA256
efbca5e40c0313b58f0772c231cd3ecc4ec4258b162a643a94cab1c5c9615bb9

SHA512
d34b5b41ef22a4d7595d12227c41093bf13ee3687b6b8a964e774c8750684ba2e93d54e7f64e3dcc614f7e8f10bb6f0f966db75c9def6073c0d822e9fce6621b

Download Submit
C:\Users\Admin\AppData\Local\Temp\newgame.exe

Filesize
123KB

MD5
18ee942a8c07a29252083a09ae6b05e4

SHA1
ccbd7c6e04206754fc682f71586deb833738582a

SHA256
efbca5e40c0313b58f0772c231cd3ecc4ec4258b162a643a94cab1c5c9615bb9

SHA512
d34b5b41ef22a4d7595d12227c41093bf13ee3687b6b8a964e774c8750684ba2e93d54e7f64e3dcc614f7e8f10bb6f0f966db75c9def6073c0d822e9fce6621b

Download Submit
memory/1116-141-0x0000000000400200-0x0000000000400400-memory.dmp

Filesize
512B

Download
memory/1116-143-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing