895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da

General

Target

895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe
Size

183KB
MD5

2caf48c146abfc475ddd1b923088d7b0
SHA1

cf717f2ad3de869b1cc1d5f531bc47fc0a62f807
SHA256

895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da
SHA512

5cb568a8c9e1232198ae8db980641d260e059172456936e6771cb44c7048d73fad7af878789803b7add8b77c0d2f717aceab9eb8deaf65f0a0db39aacc1b2821
SSDEEP

3072:f/ampeVe/rQIf3dx3Qx0kY9Y/XeVaqB+JPKmPJZFLmBKZ2PPT38xrHqDUEqg:fTpeVGrbtx3a0r9gWUfJPmBWxrfg

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
28	1568	rundll32.exe
41	1568	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
4776	1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe

Loads dropped DLL 1 IoCs

pid	Process
1568	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4496	taskkill.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4776	1.exe
4776	1.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4496	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 4776	1824	895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe	80
PID 1824 wrote to memory of 4776	1824	895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe	80
PID 1824 wrote to memory of 4776	1824	895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe	80
PID 4776 wrote to memory of 4496	4776	1.exe	81
PID 4776 wrote to memory of 4496	4776	1.exe	81
PID 4776 wrote to memory of 4496	4776	1.exe	81
PID 4776 wrote to memory of 1568	4776	1.exe	83
PID 4776 wrote to memory of 1568	4776	1.exe	83
PID 4776 wrote to memory of 1568	4776	1.exe	83
PID 1824 wrote to memory of 1520	1824	895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe	84
PID 1824 wrote to memory of 1520	1824	895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe	84
PID 1824 wrote to memory of 1520	1824	895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe	84

C:\Users\Admin\AppData\Local\Temp\895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe
"C:\Users\Admin\AppData\Local\Temp\895795a48aa1af1680a3eac0e5d9a84dff25b6672fda4b7c76d49aed0fdfa4da.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im KsafeTray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4496
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Remoete.dll" WWWW
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Remoete.dll

Filesize
11.1MB

MD5
ff00925a771d82105ba108766387ba91

SHA1
e8b7ab497b1de756bc9b62d9b32e63be18dfbb36

SHA256
a7c094e689f20d24fa44c5cc9720b8b82a70ee395a585440e4d917c7c332a004

SHA512
4e0cfb9db42962c66e8d2b8faaea3ec4993a94b5509574807c767e3b7f373c61f0654d9f2ab8442b467ce29c8db5a67e3ffa4e8b8aa839a8d026d9d5e3b64129

Download Submit
C:\Remoete.dll

Filesize
11.1MB

MD5
ff00925a771d82105ba108766387ba91

SHA1
e8b7ab497b1de756bc9b62d9b32e63be18dfbb36

SHA256
a7c094e689f20d24fa44c5cc9720b8b82a70ee395a585440e4d917c7c332a004

SHA512
4e0cfb9db42962c66e8d2b8faaea3ec4993a94b5509574807c767e3b7f373c61f0654d9f2ab8442b467ce29c8db5a67e3ffa4e8b8aa839a8d026d9d5e3b64129

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
100.2MB

MD5
af762160eaecd6eac85f557a87fcd3e3

SHA1
b71396ae1cd107062d739330edc66573a1cb966f

SHA256
c9bb95b88ebd6ea0985cce6e44d1ad54eb878af9de41ad0e79b9d9a677b7751e

SHA512
e4a1ecaed5850fe1670183f4a56590a429500879c630de4029286a2fc6b5928a27c40a167eecfc0407c65042cbc6162821520ee2b40747714359ee111bb6a043

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
100.2MB

MD5
af762160eaecd6eac85f557a87fcd3e3

SHA1
b71396ae1cd107062d739330edc66573a1cb966f

SHA256
c9bb95b88ebd6ea0985cce6e44d1ad54eb878af9de41ad0e79b9d9a677b7751e

SHA512
e4a1ecaed5850fe1670183f4a56590a429500879c630de4029286a2fc6b5928a27c40a167eecfc0407c65042cbc6162821520ee2b40747714359ee111bb6a043

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
c83f8588bf4732209062125d5e09d03b

SHA1
c90614857e9d672a95559723801bd8b3354d8ca4

SHA256
232baff29e9dc8662e551558bc01e3e305b9392f773929a5f74c96825bb075cc

SHA512
12d557e310fe66a8078eb503c83e482949059f8cde96d4280e76ac97177e6ad4962f0072d860e3272f88b1c58e65e2f5833f897d4ccf6917ba73b15f19c401b7

Download Submit
memory/4776-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing