8e680604d3cc1d3e076282896daa7c004a7c925d199b0cf362074887f7d8d90a

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
16/12/2022, 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e99526ad6b74824003dac2fa8f462b0.exe
Size

287KB
MD5

1e99526ad6b74824003dac2fa8f462b0
SHA1

ae81eeeecfdcd96f0ecc325b0bdbcc7ed5398572
SHA256

8e680604d3cc1d3e076282896daa7c004a7c925d199b0cf362074887f7d8d90a
SHA512

5394cf1e3aa0965600711047124669119eeccdb0bf9715d3a747ac31dcc15336e05e5c80e931f582cf234ec8303e4963fe531e9e5fb7bd058d07e1a92ae99b7e
SSDEEP

6144:IkweALjNW/63xaRkAtLFuzL+NsCa5kUiIT6OW2WqvbJHn:3A/5xgtcyLIDmOvW4JH

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1736	plimndtcul.exe
292	plimndtcul.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	plimndtcul.exe

Loads dropped DLL 4 IoCs

pid	Process
1196	1e99526ad6b74824003dac2fa8f462b0.exe
1196	1e99526ad6b74824003dac2fa8f462b0.exe
1736	plimndtcul.exe
468	NAPSTAT.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 292	1736	plimndtcul.exe	29
PID 292 set thread context of 1204	292	plimndtcul.exe	15
PID 468 set thread context of 1204	468	NAPSTAT.EXE	15

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NAPSTAT.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
292	plimndtcul.exe
292	plimndtcul.exe
292	plimndtcul.exe
292	plimndtcul.exe
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1204	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1736	plimndtcul.exe
292	plimndtcul.exe
292	plimndtcul.exe
292	plimndtcul.exe
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE
468	NAPSTAT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	292	plimndtcul.exe
Token: SeDebugPrivilege	468	NAPSTAT.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1736	1196	1e99526ad6b74824003dac2fa8f462b0.exe	28
PID 1196 wrote to memory of 1736	1196	1e99526ad6b74824003dac2fa8f462b0.exe	28
PID 1196 wrote to memory of 1736	1196	1e99526ad6b74824003dac2fa8f462b0.exe	28
PID 1196 wrote to memory of 1736	1196	1e99526ad6b74824003dac2fa8f462b0.exe	28
PID 1736 wrote to memory of 292	1736	plimndtcul.exe	29
PID 1736 wrote to memory of 292	1736	plimndtcul.exe	29
PID 1736 wrote to memory of 292	1736	plimndtcul.exe	29
PID 1736 wrote to memory of 292	1736	plimndtcul.exe	29
PID 1736 wrote to memory of 292	1736	plimndtcul.exe	29
PID 1204 wrote to memory of 468	1204	Explorer.EXE	30
PID 1204 wrote to memory of 468	1204	Explorer.EXE	30
PID 1204 wrote to memory of 468	1204	Explorer.EXE	30
PID 1204 wrote to memory of 468	1204	Explorer.EXE	30
PID 468 wrote to memory of 1620	468	NAPSTAT.EXE	33
PID 468 wrote to memory of 1620	468	NAPSTAT.EXE	33
PID 468 wrote to memory of 1620	468	NAPSTAT.EXE	33
PID 468 wrote to memory of 1620	468	NAPSTAT.EXE	33
PID 468 wrote to memory of 1620	468	NAPSTAT.EXE	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\1e99526ad6b74824003dac2fa8f462b0.exe
  "C:\Users\Admin\AppData\Local\Temp\1e99526ad6b74824003dac2fa8f462b0.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Users\Admin\AppData\Local\Temp\plimndtcul.exe
    "C:\Users\Admin\AppData\Local\Temp\plimndtcul.exe" C:\Users\Admin\AppData\Local\Temp\kjhlb.fm
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\plimndtcul.exe
      "C:\Users\Admin\AppData\Local\Temp\plimndtcul.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:292
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kjhlb.fm

Filesize
5KB

MD5
f8c9933e5dddaf3809847537457675f6

SHA1
a8420e37930149c7a478a6144868a74a91b058fd

SHA256
bacd0df37eda1ff0dffd2b0b26de3d4a8b8324f159d6f0b81bb9f8c16a1d4ab2

SHA512
21e6b829a1a37c17a09ed6e0eacca075d69938fcec2973a66aefa2db295ac4c9526c2b24b6bf6398265432dfdaa51aa36f269a32c1641c3227b69c6e948fc8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\plimndtcul.exe

Filesize
128KB

MD5
238d79009b5d5e6c056230f1ab232cae

SHA1
44076031ec04cddc795cac0cce4251e3b99e410b

SHA256
6688d9812cd9abbcd72e2fb89a9ca8bff54cee2d7aa59ace8917a1a67a1798f6

SHA512
ec32519aa960ec5935b47211ef69a8101d878710c8149ae15b5c002b1905beaab7e67317ffec478f0461b1ca76ed655e926b193e24aae7ea7ea3e81b91ad611a

Download Submit
C:\Users\Admin\AppData\Local\Temp\plimndtcul.exe

Filesize
128KB

MD5
238d79009b5d5e6c056230f1ab232cae

SHA1
44076031ec04cddc795cac0cce4251e3b99e410b

SHA256
6688d9812cd9abbcd72e2fb89a9ca8bff54cee2d7aa59ace8917a1a67a1798f6

SHA512
ec32519aa960ec5935b47211ef69a8101d878710c8149ae15b5c002b1905beaab7e67317ffec478f0461b1ca76ed655e926b193e24aae7ea7ea3e81b91ad611a

Download Submit
C:\Users\Admin\AppData\Local\Temp\plimndtcul.exe

Filesize
128KB

MD5
238d79009b5d5e6c056230f1ab232cae

SHA1
44076031ec04cddc795cac0cce4251e3b99e410b

SHA256
6688d9812cd9abbcd72e2fb89a9ca8bff54cee2d7aa59ace8917a1a67a1798f6

SHA512
ec32519aa960ec5935b47211ef69a8101d878710c8149ae15b5c002b1905beaab7e67317ffec478f0461b1ca76ed655e926b193e24aae7ea7ea3e81b91ad611a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzscevpwrm.y

Filesize
185KB

MD5
33503487e0ace7d8e7106711edd1ad02

SHA1
51e96d5721ddc0c879896e61dfd08028ae016fe7

SHA256
955d77c5357f219f97e73bc5e71f76fed240cc4ab21de5da5531d86935fa3023

SHA512
7cb27117e0d92a21eaba90d2cf887d8cfa8ea3a38fec01f5ecf3f4c1b01e60c2577d71e38dc27e96538b37473e64b7a9d17ead12c8fed094a65b8ecd66f75b2e

Download Submit
\Users\Admin\AppData\Local\Temp\plimndtcul.exe

Filesize
128KB

MD5
238d79009b5d5e6c056230f1ab232cae

SHA1
44076031ec04cddc795cac0cce4251e3b99e410b

SHA256
6688d9812cd9abbcd72e2fb89a9ca8bff54cee2d7aa59ace8917a1a67a1798f6

SHA512
ec32519aa960ec5935b47211ef69a8101d878710c8149ae15b5c002b1905beaab7e67317ffec478f0461b1ca76ed655e926b193e24aae7ea7ea3e81b91ad611a

Download Submit
\Users\Admin\AppData\Local\Temp\plimndtcul.exe

Filesize
128KB

MD5
238d79009b5d5e6c056230f1ab232cae

SHA1
44076031ec04cddc795cac0cce4251e3b99e410b

SHA256
6688d9812cd9abbcd72e2fb89a9ca8bff54cee2d7aa59ace8917a1a67a1798f6

SHA512
ec32519aa960ec5935b47211ef69a8101d878710c8149ae15b5c002b1905beaab7e67317ffec478f0461b1ca76ed655e926b193e24aae7ea7ea3e81b91ad611a

Download Submit
\Users\Admin\AppData\Local\Temp\plimndtcul.exe

Filesize
128KB

MD5
238d79009b5d5e6c056230f1ab232cae

SHA1
44076031ec04cddc795cac0cce4251e3b99e410b

SHA256
6688d9812cd9abbcd72e2fb89a9ca8bff54cee2d7aa59ace8917a1a67a1798f6

SHA512
ec32519aa960ec5935b47211ef69a8101d878710c8149ae15b5c002b1905beaab7e67317ffec478f0461b1ca76ed655e926b193e24aae7ea7ea3e81b91ad611a

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
1.0MB

MD5
f1e5f58f9eb43ecec773acbdb410b888

SHA1
f1b8076b0bbde696694bbc0ab259a77893839464

SHA256
a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14

SHA512
0aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456

Download Submit
memory/292-67-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/292-68-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/292-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/468-71-0x0000000000DC0000-0x0000000000E06000-memory.dmp

Filesize
280KB

Download
memory/468-72-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/468-73-0x0000000002210000-0x0000000002513000-memory.dmp

Filesize
3.0MB

Download
memory/468-74-0x0000000000950000-0x00000000009DF000-memory.dmp

Filesize
572KB

Download
memory/1196-54-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1204-69-0x0000000005EA0000-0x0000000005F91000-memory.dmp

Filesize
964KB

Download
memory/1204-75-0x00000000061A0000-0x000000000629F000-memory.dmp

Filesize
1020KB

Download
memory/1204-77-0x00000000061A0000-0x000000000629F000-memory.dmp

Filesize
1020KB

Download
memory/1204-79-0x000007FEF63F0000-0x000007FEF6533000-memory.dmp

Filesize
1.3MB

Download
memory/1204-80-0x000007FF6DE50000-0x000007FF6DE5A000-memory.dmp

Filesize
40KB

Download