8bae67b82bddf673f57fa8015f5af666d0dbd1eac8ad3b3aa405a8f65d21d05c

General

Target

8bae67b82bddf673f57fa8015f5af666d0dbd1eac8ad3b3aa405a8f65d21d05c.exe
Size

667KB
MD5

516a920bc57b5ff29b68d3375cb896f2
SHA1

603772696dbc927a5fc33ae6e70e0f9312ecd374
SHA256

8bae67b82bddf673f57fa8015f5af666d0dbd1eac8ad3b3aa405a8f65d21d05c
SHA512

a7e0d496752a7cf3ec6defbaa1ac8472cf2dfcf3490003af7b8c1ecc3d9970a9d73c071f7b8ff54db3e8e1c75f18797f12e8390746bce5cd75041882cabe8f57
SSDEEP

12288:jtCtt8pdf8TWH9Ucl3X5BKYIiqQnKIt1s03NdY3333OdLLmqSwEFZb:jyt8phH9Ucla14nKr0ry3sLLT32Z

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2900	patch.exe
4376	456.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	8bae67b82bddf673f57fa8015f5af666d0dbd1eac8ad3b3aa405a8f65d21d05c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4020	4376	WerFault.exe	81

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4376	456.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2900	2620	8bae67b82bddf673f57fa8015f5af666d0dbd1eac8ad3b3aa405a8f65d21d05c.exe	79
PID 2620 wrote to memory of 2900	2620	8bae67b82bddf673f57fa8015f5af666d0dbd1eac8ad3b3aa405a8f65d21d05c.exe	79
PID 2620 wrote to memory of 2900	2620	8bae67b82bddf673f57fa8015f5af666d0dbd1eac8ad3b3aa405a8f65d21d05c.exe	79
PID 2620 wrote to memory of 4376	2620	8bae67b82bddf673f57fa8015f5af666d0dbd1eac8ad3b3aa405a8f65d21d05c.exe	81
PID 2620 wrote to memory of 4376	2620	8bae67b82bddf673f57fa8015f5af666d0dbd1eac8ad3b3aa405a8f65d21d05c.exe	81
PID 2620 wrote to memory of 4376	2620	8bae67b82bddf673f57fa8015f5af666d0dbd1eac8ad3b3aa405a8f65d21d05c.exe	81
PID 2900 wrote to memory of 5020	2900	patch.exe	82
PID 2900 wrote to memory of 5020	2900	patch.exe	82
PID 2900 wrote to memory of 5020	2900	patch.exe	82
PID 5020 wrote to memory of 4940	5020	cmd.exe	83
PID 5020 wrote to memory of 4940	5020	cmd.exe	83
PID 5020 wrote to memory of 4940	5020	cmd.exe	83
PID 5020 wrote to memory of 1736	5020	cmd.exe	84
PID 5020 wrote to memory of 1736	5020	cmd.exe	84
PID 5020 wrote to memory of 1736	5020	cmd.exe	84
PID 1736 wrote to memory of 1312	1736	cmd.exe	85
PID 1736 wrote to memory of 1312	1736	cmd.exe	85
PID 1736 wrote to memory of 1312	1736	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\8bae67b82bddf673f57fa8015f5af666d0dbd1eac8ad3b3aa405a8f65d21d05c.exe
"C:\Users\Admin\AppData\Local\Temp\8bae67b82bddf673f57fa8015f5af666d0dbd1eac8ad3b3aa405a8f65d21d05c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\patch.exe
  "C:\Users\Admin\AppData\Local\Temp\patch.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2900C6MU.bat" "C:\Users\Admin\AppData\Local\Temp\patch.exe" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\SysWOW64\mode.com
      mode con: cols=49 lines=17
      4⤵
      PID:4940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion
        5⤵
        
        PID:1312
- C:\Users\Admin\AppData\Local\Temp\456.exe
  "C:\Users\Admin\AppData\Local\Temp\456.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 464
    3⤵
    - Program crash
    PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4376 -ip 4376
1⤵
PID:2376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2900C6MU.bat

Filesize
6KB

MD5
17b391b83c8f962ad9c025654e11fb20

SHA1
993d5151db59705e5a2cd3faadba05b2b2e1837c

SHA256
2dac1851ae6b44e9918471f3ab58e38aa991543798af5f180de6dc3d43587329

SHA512
6d5ce90ea24926c5d05478a88368a61a723f7046ad783ffaf61164d7dfc6c75853570bad9391db31672db68394bd46ed7e23affdcf0c15810c5dc850a36e5e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\456.exe

Filesize
512KB

MD5
0c15482ba1f6c6487628d03e4c770322

SHA1
e862516ca568a36049b8cc5ee572b5f223d879e7

SHA256
fbc3c364b13ccd8184acd3d56f731d695c2329d6bd4fc650ff71c1a47d556638

SHA512
1959b37638d16d09ae53e2466b6da63abea72e7e9be4535d9db6a7cc02180876a0ea97dccaa25f84ff24670ae3bbdc508513137cc5de15b1bc60c403160154f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\456.exe

Filesize
512KB

MD5
0c15482ba1f6c6487628d03e4c770322

SHA1
e862516ca568a36049b8cc5ee572b5f223d879e7

SHA256
fbc3c364b13ccd8184acd3d56f731d695c2329d6bd4fc650ff71c1a47d556638

SHA512
1959b37638d16d09ae53e2466b6da63abea72e7e9be4535d9db6a7cc02180876a0ea97dccaa25f84ff24670ae3bbdc508513137cc5de15b1bc60c403160154f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\patch.exe

Filesize
634KB

MD5
d116d31546f5c09186dccb5474ce4f15

SHA1
5c0f76f310624f86a0e50ec2ffdcfe2781687ff7

SHA256
f4dde5a230a44d10f7c9dfc97ec1ed64d8c1fd76f84c803692985d2d9f43a455

SHA512
12c775d67519bf2cc079aeef76fb1a8bc26ce3eb06d6fab5347350627f1ca5d3c8bfb480d07484090008401a4c33a4c1fbca3bc877c2b8553961d746aee6719d

Download Submit
C:\Users\Admin\AppData\Local\Temp\patch.exe

Filesize
634KB

MD5
d116d31546f5c09186dccb5474ce4f15

SHA1
5c0f76f310624f86a0e50ec2ffdcfe2781687ff7

SHA256
f4dde5a230a44d10f7c9dfc97ec1ed64d8c1fd76f84c803692985d2d9f43a455

SHA512
12c775d67519bf2cc079aeef76fb1a8bc26ce3eb06d6fab5347350627f1ca5d3c8bfb480d07484090008401a4c33a4c1fbca3bc877c2b8553961d746aee6719d

Download Submit
memory/4376-146-0x0000000000826000-0x0000000000828000-memory.dmp

Filesize
8KB

Download
memory/4376-145-0x0000000000822000-0x0000000000827000-memory.dmp

Filesize
20KB

Download
memory/4376-147-0x000000000081A000-0x000000000081C000-memory.dmp

Filesize
8KB

Download
memory/4376-148-0x0000000000825000-0x0000000000827000-memory.dmp

Filesize
8KB

Download
memory/4376-149-0x0000000000817000-0x0000000000819000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing