d2e1199c7ed7260ffb0bd5b16bdbd0b54d8d72313932f6f52e19d4155b613e66

General

Target

d2e1199c7ed7260ffb0bd5b16bdbd0b54d8d72313932f6f52e19d4155b613e66.exe
Size

884KB
MD5

3cd7d390038e26560ea16c703f2463bc
SHA1

540d2ab5323d8d8b991a0a725390a92fa97c50e2
SHA256

d2e1199c7ed7260ffb0bd5b16bdbd0b54d8d72313932f6f52e19d4155b613e66
SHA512

38bc41d07c3a1b564b0118cef45514a113c5c0893369b9870ed16ff4dc7f01170ea82deafacd753070a618f21d6140d4af0df156e20dc56f3e6d9e5edd5cb8bc
SSDEEP

24576:pQGQo8na9O5udb/rYi0qoYPSupiA0UyQeBJdHiQzm:Br8abZUXa1IUyQiiQK

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5072	hkcmd.exe
1904	pB0T.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022f63-159.dat	upx
behavioral2/files/0x0006000000022f63-160.dat	upx
behavioral2/memory/1904-163-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral2/memory/1904-165-0x0000000000400000-0x00000000004E6000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	d2e1199c7ed7260ffb0bd5b16bdbd0b54d8d72313932f6f52e19d4155b613e66.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	hkcmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hkcmd = "\"C:\\Users\\Admin\\AppData\\Local\\hkcmd.exe\" /background"	hkcmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 488 set thread context of 5072	488	d2e1199c7ed7260ffb0bd5b16bdbd0b54d8d72313932f6f52e19d4155b613e66.exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1904	pB0T.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 488 wrote to memory of 5072	488	d2e1199c7ed7260ffb0bd5b16bdbd0b54d8d72313932f6f52e19d4155b613e66.exe	78
PID 488 wrote to memory of 5072	488	d2e1199c7ed7260ffb0bd5b16bdbd0b54d8d72313932f6f52e19d4155b613e66.exe	78
PID 488 wrote to memory of 5072	488	d2e1199c7ed7260ffb0bd5b16bdbd0b54d8d72313932f6f52e19d4155b613e66.exe	78
PID 488 wrote to memory of 5072	488	d2e1199c7ed7260ffb0bd5b16bdbd0b54d8d72313932f6f52e19d4155b613e66.exe	78
PID 488 wrote to memory of 5072	488	d2e1199c7ed7260ffb0bd5b16bdbd0b54d8d72313932f6f52e19d4155b613e66.exe	78
PID 488 wrote to memory of 1904	488	d2e1199c7ed7260ffb0bd5b16bdbd0b54d8d72313932f6f52e19d4155b613e66.exe	79
PID 488 wrote to memory of 1904	488	d2e1199c7ed7260ffb0bd5b16bdbd0b54d8d72313932f6f52e19d4155b613e66.exe	79
PID 488 wrote to memory of 1904	488	d2e1199c7ed7260ffb0bd5b16bdbd0b54d8d72313932f6f52e19d4155b613e66.exe	79
PID 1904 wrote to memory of 2112	1904	pB0T.exe	80
PID 1904 wrote to memory of 2112	1904	pB0T.exe	80
PID 1904 wrote to memory of 2112	1904	pB0T.exe	80

C:\Users\Admin\AppData\Local\Temp\d2e1199c7ed7260ffb0bd5b16bdbd0b54d8d72313932f6f52e19d4155b613e66.exe
"C:\Users\Admin\AppData\Local\Temp\d2e1199c7ed7260ffb0bd5b16bdbd0b54d8d72313932f6f52e19d4155b613e66.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:488
- C:\Users\Admin\AppData\Local\hkcmd.exe
  "C:\Users\Admin\AppData\Local\hkcmd.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5072
- C:\Users\Admin\AppData\Local\pB0T.exe
  "C:\Users\Admin\AppData\Local\pB0T.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s tabctl32.ocx
    3⤵
    PID:2112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\hkcmd.exe

Filesize
884KB

MD5
3cd7d390038e26560ea16c703f2463bc

SHA1
540d2ab5323d8d8b991a0a725390a92fa97c50e2

SHA256
d2e1199c7ed7260ffb0bd5b16bdbd0b54d8d72313932f6f52e19d4155b613e66

SHA512
38bc41d07c3a1b564b0118cef45514a113c5c0893369b9870ed16ff4dc7f01170ea82deafacd753070a618f21d6140d4af0df156e20dc56f3e6d9e5edd5cb8bc

Download Submit
C:\Users\Admin\AppData\Local\hkcmd.exe

Filesize
884KB

MD5
3cd7d390038e26560ea16c703f2463bc

SHA1
540d2ab5323d8d8b991a0a725390a92fa97c50e2

SHA256
d2e1199c7ed7260ffb0bd5b16bdbd0b54d8d72313932f6f52e19d4155b613e66

SHA512
38bc41d07c3a1b564b0118cef45514a113c5c0893369b9870ed16ff4dc7f01170ea82deafacd753070a618f21d6140d4af0df156e20dc56f3e6d9e5edd5cb8bc

Download Submit
C:\Users\Admin\AppData\Local\pB0T.exe

Filesize
170KB

MD5
1d8c078e0d13ae042ffb7d878b392bfe

SHA1
6ca7010394f928024346cf545d8ecff63a2abcf4

SHA256
135b36087cbf16efa198264dd7ea07afa9c80363b1ff8d93d87dd756f8ff763f

SHA512
4ca8987592aca43a6d9b6fd7e50c43d2c8bc4382726355462d700e6dc3e61c1dbaa53651e39cd8a8515996e22a507ddd268489c6f15f1cff9b2e2a85e57956d4

Download Submit
C:\Users\Admin\AppData\Local\pB0T.exe

Filesize
170KB

MD5
1d8c078e0d13ae042ffb7d878b392bfe

SHA1
6ca7010394f928024346cf545d8ecff63a2abcf4

SHA256
135b36087cbf16efa198264dd7ea07afa9c80363b1ff8d93d87dd756f8ff763f

SHA512
4ca8987592aca43a6d9b6fd7e50c43d2c8bc4382726355462d700e6dc3e61c1dbaa53651e39cd8a8515996e22a507ddd268489c6f15f1cff9b2e2a85e57956d4

Download Submit
memory/1904-165-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1904-163-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5072-148-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-152-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-143-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-144-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-145-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-146-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-147-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-150-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-149-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-151-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-142-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-156-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-155-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-154-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-153-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-157-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-141-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-137-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-133-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5072-166-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing