a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a

General

Target

a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe
Size

17KB
MD5

682322be78c09391a2498fff0b68b26e
SHA1

fdfcd40ad53875b872ee0d184b10a7b4028d877d
SHA256

a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a
SHA512

f746be52f5ea5b1ac7e8a12e710911922b5bab142c6c5fe1ded61d6aba563c2a36c59b976285b9a3f4e791111e15569d7d0970d63b4458adcaa7bb87889f12a2
SSDEEP

384:c2CXSCCyEl3w5E3sxJg9OVkMlOpnAQxmatqGfry6LUq:Nysw5E32cOVkMl+AQxzq0ry0

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/936-137-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
372	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sys.tmp	rundll32.exe
File opened for modification	C:\Windows\sys.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "regedit.exe /s \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

Runs .reg file with regedit 1 IoCs

pid	Process
5020	regedit.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 2080	936	a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe	80
PID 936 wrote to memory of 2080	936	a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe	80
PID 936 wrote to memory of 2080	936	a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe	80
PID 936 wrote to memory of 2536	936	a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe	81
PID 936 wrote to memory of 2536	936	a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe	81
PID 936 wrote to memory of 2536	936	a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe	81
PID 2080 wrote to memory of 372	2080	cmd.exe	84
PID 2080 wrote to memory of 372	2080	cmd.exe	84
PID 2080 wrote to memory of 372	2080	cmd.exe	84
PID 372 wrote to memory of 4668	372	rundll32.exe	85
PID 372 wrote to memory of 4668	372	rundll32.exe	85
PID 372 wrote to memory of 4668	372	rundll32.exe	85
PID 4668 wrote to memory of 5020	4668	cmd.exe	87
PID 4668 wrote to memory of 5020	4668	cmd.exe	87
PID 4668 wrote to memory of 5020	4668	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe
"C:\Users\Admin\AppData\Local\Temp\a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c rundll32.exe C:\Users\Admin\AppData\Local\Temp\zt2.tmp1 St C:\Users\Admin\AppData\Local\Temp\a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\zt2.tmp1 St C:\Users\Admin\AppData\Local\Temp\a379476058879b10ca78cf12af211667b68080c16358d17cefe3278236e3c75a.exe
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\a.reg
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Windows\SysWOW64\regedit.exe
        
        "regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\a.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:5020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\del.bat
  2⤵
  PID:2536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.reg

Filesize
152B

MD5
b100f5324ef74ded0b998e64d07a2e19

SHA1
40b0d7f51bf2dd8451f1b723d21355c471a5fa46

SHA256
3db613d24a75ae220891698c055e1c580a42e58564f568a0510db87581cc2042

SHA512
c12391bb37c334074f7d7e1257b6364fd5cbce848e0a8fe15b8326f54fd9568fe3baec58618c4334027a774a06a08ec249cb71db925c1f85feee6a3d3a816c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
400B

MD5
990c5a4e5c0d1661df2a1b0d48e605ba

SHA1
ce4488ca3f405a1bb2011fd88ce03ac2cbca0ca9

SHA256
ac6e2468883791fd0d514efd912169089db872e38d66d96a5321a3ebe6d9ee01

SHA512
0d0fc16eb0cc9e1afa05ec1183a25ff408716ee99a240d7dd994de50339847ccf4ea6caf8d06c2353747ddd5ddd5c32cb3ca1cbdd36b86b22adf5079d5ea0321

Download Submit
C:\Users\Admin\AppData\Local\Temp\zt2.tmp

Filesize
36KB

MD5
c3331253547a5934a42016f5c7fa46f1

SHA1
cb2140faf5c0c827d92c5f8692936a611bdbb6e2

SHA256
d808a5ce53a0811205074b9123317bf6776d8ca805b54e229528ceb1d908e951

SHA512
635bbf5a05ebee063b59f96ef21a779783c9aaea77c306a802fa44a2ff5cbaa135c74895e010b6249db869d93a8b5dcaee6d8e5dd57659eb84a7582650bd90bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zt2.tmp1

Filesize
36KB

MD5
c3331253547a5934a42016f5c7fa46f1

SHA1
cb2140faf5c0c827d92c5f8692936a611bdbb6e2

SHA256
d808a5ce53a0811205074b9123317bf6776d8ca805b54e229528ceb1d908e951

SHA512
635bbf5a05ebee063b59f96ef21a779783c9aaea77c306a802fa44a2ff5cbaa135c74895e010b6249db869d93a8b5dcaee6d8e5dd57659eb84a7582650bd90bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zt2.tmp1

Filesize
36KB

MD5
c3331253547a5934a42016f5c7fa46f1

SHA1
cb2140faf5c0c827d92c5f8692936a611bdbb6e2

SHA256
d808a5ce53a0811205074b9123317bf6776d8ca805b54e229528ceb1d908e951

SHA512
635bbf5a05ebee063b59f96ef21a779783c9aaea77c306a802fa44a2ff5cbaa135c74895e010b6249db869d93a8b5dcaee6d8e5dd57659eb84a7582650bd90bf

Download Submit
memory/936-137-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing