dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001

General

Target

dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe
Size

780KB
MD5

a548a295a9be7a551c68c55d004e7b80
SHA1

5327b8f9e2ec4028b87cad472e91abb6cec73783
SHA256

dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001
SHA512

4bbbf9b3dcc0426d05b65de22b4f999afc76fc382908016f4871f96d3d5f88b6bddcb93d875160253e4111d8ca4e7db5dc8a05c13f8f5319478c8f1abeac5c22
SSDEEP

24576:pcTICFaA6zm9TEuCaelHWmQR54qEc5ysEwkzrYRQ+:paFXdYQ4qXqworYRQ+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4556	usnscv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\usnscv.exe = "\"C:\\Users\\Admin\\AppData\\Local\\usnscv.exe\" /background"	usnscv.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	usnscv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5004 set thread context of 4556	5004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 1076	5004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	81
PID 5004 wrote to memory of 1076	5004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	81
PID 5004 wrote to memory of 1076	5004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	81
PID 1076 wrote to memory of 3268	1076	cmd.exe	83
PID 1076 wrote to memory of 3268	1076	cmd.exe	83
PID 1076 wrote to memory of 3268	1076	cmd.exe	83
PID 5004 wrote to memory of 4556	5004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	84
PID 5004 wrote to memory of 4556	5004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	84
PID 5004 wrote to memory of 4556	5004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	84
PID 5004 wrote to memory of 4556	5004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	84
PID 5004 wrote to memory of 4556	5004	dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe	84

C:\Users\Admin\AppData\Local\Temp\dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe
"C:\Users\Admin\AppData\Local\Temp\dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\winupdate.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy "C:\Users\Admin\AppData\Local\Temp\dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001.exe" "C:\Users\Admin\AppData\Local\\usnscv.exe"
    3⤵
    PID:3268
- C:\Users\Admin\AppData\Local\usnscv.exe
  "C:\Users\Admin\AppData\Local\usnscv.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winupdate.bat

Filesize
180B

MD5
3f6e7bb4566261ebcf5006ad2dcd890f

SHA1
2bd4620b3f16a8914a808ce8bbc42dbd3e1808ba

SHA256
09ec06d7b58b8defc991147af5310a643fe7e73d04286c3589611f902ec10eb5

SHA512
8f4ee203a56460206b01fde5be79d42d16bbea4815e37e5b54572afb85d3d996e2b87a082f5a3aab95533bfe367cace0d5a49bfa19526d94509cc20eb548ac7e

Download Submit
C:\Users\Admin\AppData\Local\usnscv.exe

Filesize
780KB

MD5
a548a295a9be7a551c68c55d004e7b80

SHA1
5327b8f9e2ec4028b87cad472e91abb6cec73783

SHA256
dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001

SHA512
4bbbf9b3dcc0426d05b65de22b4f999afc76fc382908016f4871f96d3d5f88b6bddcb93d875160253e4111d8ca4e7db5dc8a05c13f8f5319478c8f1abeac5c22

Download Submit
C:\Users\Admin\AppData\Local\usnscv.exe

Filesize
780KB

MD5
a548a295a9be7a551c68c55d004e7b80

SHA1
5327b8f9e2ec4028b87cad472e91abb6cec73783

SHA256
dd8a41fe1e525ee5e4a1071223ceea915e0030d7cab7c73a1327f6db17ab4001

SHA512
4bbbf9b3dcc0426d05b65de22b4f999afc76fc382908016f4871f96d3d5f88b6bddcb93d875160253e4111d8ca4e7db5dc8a05c13f8f5319478c8f1abeac5c22

Download Submit
memory/4556-145-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4556-148-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4556-136-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4556-140-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4556-142-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4556-143-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4556-144-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4556-147-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4556-139-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4556-149-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4556-151-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4556-150-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4556-146-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4556-152-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4556-153-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4556-154-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4556-155-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4556-156-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing