b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4

General

Target

b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe
Size

525KB
MD5

15f3926bfc62adb777e785feb988e3f0
SHA1

ca297feaedbc08355000cd3c7f2e3b285f6df06f
SHA256

b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4
SHA512

ec1bb9c9cdc5bc6f19c879050fdd392eafab47b5b5b6b92f4bf3c8a0cf09e025fc8f9317575b7d171f508b6c06945b1cd1fb12c580867f37cd4def4b6d630522
SSDEEP

12288:Si6fW93bu87hmkn+IHxIEAmAmhfWjkE4UQp:Sn6KihhBIfm/J

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4812	95547956.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3548-132-0x0000000014000000-0x0000000014011000-memory.dmp	upx
behavioral2/memory/3548-135-0x0000000014000000-0x0000000014011000-memory.dmp	upx
behavioral2/memory/3548-136-0x0000000014000000-0x0000000014011000-memory.dmp	upx
behavioral2/memory/3548-138-0x0000000014000000-0x0000000014011000-memory.dmp	upx
behavioral2/memory/4812-142-0x0000000014000000-0x000000001400F000-memory.dmp	upx
behavioral2/memory/4812-145-0x0000000014000000-0x000000001400F000-memory.dmp	upx
behavioral2/memory/4812-146-0x0000000014000000-0x000000001400F000-memory.dmp	upx
behavioral2/memory/4812-147-0x0000000014000000-0x000000001400F000-memory.dmp	upx
behavioral2/memory/3548-149-0x0000000014000000-0x0000000014011000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\95547956 = "C:\\ProgramData\\95547956\\95547956.exe"	b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\95547956 = "C:\\ProgramData\\95547956\\95547956.exe"	95547956.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe"	b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\15537964 = "C:\\ProgramData\\15537964\\15537964.exe"	b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4812	95547956.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4812	95547956.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 4812	3548	b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe	81
PID 3548 wrote to memory of 4812	3548	b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe	81
PID 3548 wrote to memory of 4812	3548	b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe	81
PID 3548 wrote to memory of 2868	3548	b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe	82
PID 3548 wrote to memory of 2868	3548	b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe	82
PID 3548 wrote to memory of 2868	3548	b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe	82

C:\Users\Admin\AppData\Local\Temp\b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe
"C:\Users\Admin\AppData\Local\Temp\b20ec2bdfe468de9606dfa4276ade6bb95fad9b903b0ab1537c496e60ad8cdb4.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3548
- C:\ProgramData\95547956\95547956.exe
  C:\ProgramData\95547956\95547956.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\40555828.cmd" "
  2⤵
  PID:2868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\95547956\95547956.exe

Filesize
46KB

MD5
4d8eddeae0b397f9433f8df8534ac2e5

SHA1
16510a4a40f5e7b10bc419e2e21a7f62857b26a4

SHA256
ae3ec95252886ba58b85c58b1fc73fbd5cbd5c2fb108e39a9356c2246981e8f9

SHA512
d8421fcd7581193f3fa1e845c96ad0fd747acba772f98128dfd4ec68e6b607ee74ce3719db49e14f9b52afe44d352229d4e47b90f04d86fe8c0b7cae69e45731

Download Submit
C:\ProgramData\95547956\95547956.exe

Filesize
46KB

MD5
4d8eddeae0b397f9433f8df8534ac2e5

SHA1
16510a4a40f5e7b10bc419e2e21a7f62857b26a4

SHA256
ae3ec95252886ba58b85c58b1fc73fbd5cbd5c2fb108e39a9356c2246981e8f9

SHA512
d8421fcd7581193f3fa1e845c96ad0fd747acba772f98128dfd4ec68e6b607ee74ce3719db49e14f9b52afe44d352229d4e47b90f04d86fe8c0b7cae69e45731

Download Submit
C:\Users\Admin\AppData\Local\Temp\40555828.cmd

Filesize
325B

MD5
4cc15e0b11f9f09c2606d4ed4511aaf3

SHA1
dda0c8264df3233b6d9adff2403788daa87dc86b

SHA256
7444cda3b2c7fefcf3dc5c9be3c18bc1606866a3f6b2a2df90d549e979959a58

SHA512
f4660d79d1adc48d3372773c2f8435ffddcbcbd39c1bfb2eff469511bbe37d3f9f685930a3da0fa551b7324d2668a634f49241dbe03a499bd11beaebd2acef65

Download Submit
memory/3548-135-0x0000000014000000-0x0000000014011000-memory.dmp

Filesize
68KB

Download
memory/3548-136-0x0000000014000000-0x0000000014011000-memory.dmp

Filesize
68KB

Download
memory/3548-137-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/3548-138-0x0000000014000000-0x0000000014011000-memory.dmp

Filesize
68KB

Download
memory/3548-132-0x0000000014000000-0x0000000014011000-memory.dmp

Filesize
68KB

Download
memory/3548-149-0x0000000014000000-0x0000000014011000-memory.dmp

Filesize
68KB

Download
memory/4812-147-0x0000000014000000-0x000000001400F000-memory.dmp

Filesize
60KB

Download
memory/4812-146-0x0000000014000000-0x000000001400F000-memory.dmp

Filesize
60KB

Download
memory/4812-145-0x0000000014000000-0x000000001400F000-memory.dmp

Filesize
60KB

Download
memory/4812-142-0x0000000014000000-0x000000001400F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing