f4e793b8127db2781f80c0767cb1fd061239ad885977f3821a0a753ebe2dc83f

General

Target

f4e793b8127db2781f80c0767cb1fd061239ad885977f3821a0a753ebe2dc83f.exe
Size

8.1MB
MD5

a4a3f737c98111f18637a3f9fa327b92
SHA1

88fcf3a2b2e942c029ee2b2aff6d966a9179a036
SHA256

f4e793b8127db2781f80c0767cb1fd061239ad885977f3821a0a753ebe2dc83f
SHA512

239421632591dd094edfed6d4b147266807561fb07f2d3411b620b59d52d9f1c457b4695fa6e70073b84b0df8fb1853bb6c4e8ca39a4c679fa3a72cacda23562
SSDEEP

196608:LgIZGpxtdwC4PhSqmHUJndI7NH1TjupsTLSJVXo:LgjwUBH/NH1TjupsfB

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1948	Resize.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	f4e793b8127db2781f80c0767cb1fd061239ad885977f3821a0a753ebe2dc83f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Resize.exe

Loads dropped DLL 2 IoCs

pid	Process
1948	Resize.exe
1948	Resize.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Resize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Resize.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Resize.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Resize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Resize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Resize.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands\shell\1024x768\ = "1024x768"	Resize.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands\shell\640x480	Resize.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands\shell\1024x768	Resize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands\shell\640x480\command\DelegateExecute = "{B85C6569-5465-46F3-BF3E-B725632EB8BE}"	Resize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands\shell\800x600\ = "800x600"	Resize.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands\shell\800x600\command	Resize.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands\shell\Email (1024x768)\command	Resize.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands\shell	Resize.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands	Resize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands\shell\640x480\ = "640x480"	Resize.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands\shell\Email (1024x768)	Resize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands\shell\Email (1024x768)\ = "Email (1024x768)"	Resize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands\shell\Email (1024x768)\command\DelegateExecute = "{B85C6569-5465-46F3-BF3E-B725632EB8BE}"	Resize.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands\shell\1024x768\command	Resize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands\shell\1024x768\command\DelegateExecute = "{B85C6569-5465-46F3-BF3E-B725632EB8BE}"	Resize.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands\shell\640x480\command	Resize.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands\shell\800x600	Resize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\LightImageResizerSubCommands\shell\800x600\command\DelegateExecute = "{B85C6569-5465-46F3-BF3E-B725632EB8BE}"	Resize.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1948	Resize.exe
1948	Resize.exe
1948	Resize.exe
1948	Resize.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	Resize.exe
Token: SeShutdownPrivilege	1948	Resize.exe
Token: SeCreatePagefilePrivilege	1948	Resize.exe
Token: SeShutdownPrivilege	1948	Resize.exe
Token: SeCreatePagefilePrivilege	1948	Resize.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1948	Resize.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 756	4844	f4e793b8127db2781f80c0767cb1fd061239ad885977f3821a0a753ebe2dc83f.exe	79
PID 4844 wrote to memory of 756	4844	f4e793b8127db2781f80c0767cb1fd061239ad885977f3821a0a753ebe2dc83f.exe	79
PID 4844 wrote to memory of 4464	4844	f4e793b8127db2781f80c0767cb1fd061239ad885977f3821a0a753ebe2dc83f.exe	81
PID 4844 wrote to memory of 4464	4844	f4e793b8127db2781f80c0767cb1fd061239ad885977f3821a0a753ebe2dc83f.exe	81
PID 4844 wrote to memory of 4376	4844	f4e793b8127db2781f80c0767cb1fd061239ad885977f3821a0a753ebe2dc83f.exe	83
PID 4844 wrote to memory of 4376	4844	f4e793b8127db2781f80c0767cb1fd061239ad885977f3821a0a753ebe2dc83f.exe	83
PID 4844 wrote to memory of 1588	4844	f4e793b8127db2781f80c0767cb1fd061239ad885977f3821a0a753ebe2dc83f.exe	85
PID 4844 wrote to memory of 1588	4844	f4e793b8127db2781f80c0767cb1fd061239ad885977f3821a0a753ebe2dc83f.exe	85
PID 4844 wrote to memory of 1948	4844	f4e793b8127db2781f80c0767cb1fd061239ad885977f3821a0a753ebe2dc83f.exe	89
PID 4844 wrote to memory of 1948	4844	f4e793b8127db2781f80c0767cb1fd061239ad885977f3821a0a753ebe2dc83f.exe	89
PID 4844 wrote to memory of 1948	4844	f4e793b8127db2781f80c0767cb1fd061239ad885977f3821a0a753ebe2dc83f.exe	89

C:\Users\Admin\AppData\Local\Temp\f4e793b8127db2781f80c0767cb1fd061239ad885977f3821a0a753ebe2dc83f.exe
"C:\Users\Admin\AppData\Local\Temp\f4e793b8127db2781f80c0767cb1fd061239ad885977f3821a0a753ebe2dc83f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\ObviousIdea\ImageResizer\6.0" /f /v "FirstRun" /t REG_DWORD /d "0"
  2⤵
  PID:756
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\ObviousIdea\ImageResizer\6.0" /f /v "CollectUsageInfo" /t REG_DWORD /d "0"
  2⤵
  PID:4464
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\ObviousIdea\ImageResizer\6.0" /f /v "CheckForUpdates" /t REG_DWORD /d "0"
  2⤵
  PID:4376
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\ObviousIdea\ImageResizer\6.0" /f /v "SaveWindowSize" /t REG_DWORD /d "1"
  2⤵
  PID:1588
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Resize\Resize.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Resize\Resize.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Resize\Lang\RSZ_People's Republic of China.ini

Filesize
322KB

MD5
07fd442dc3ef3a85dc4b1b244a72878e

SHA1
ec5416775cf3bb3f1bc06a88f3c59b867b73b404

SHA256
ab3beadb0f8e6299c529214812b4dd85e4bc2f38ce4059f2a1888ac1ac3ac9ad

SHA512
dad49167d5656c3456548a794ffe4fa305aa9b162b52d6dbe37ef2d5f120cd5ab2eee0fd50dfe898524e1bbd2b1dc4b0e42b8818d50013e07b891efa73e95001

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Resize\Resize.exe

Filesize
19.7MB

MD5
12e3d17ad0a4943396588f23d08caca0

SHA1
c10d14f90b0d1092d100d0ee2bdc100807dc8037

SHA256
893613fb431eac6f82dc1d56b31db5a7dee0b86084b943afadd0b6d189ef6ec6

SHA512
4f8b62c7831017e35d83088d79fc339d49439c4f66c1bc834863309a20c3ea8917bc9ee843610f57a04119013bfef57c9d5ee4bc11ff7c99efa9bf1b079fd2d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Resize\Resize.exe

Filesize
19.7MB

MD5
12e3d17ad0a4943396588f23d08caca0

SHA1
c10d14f90b0d1092d100d0ee2bdc100807dc8037

SHA256
893613fb431eac6f82dc1d56b31db5a7dee0b86084b943afadd0b6d189ef6ec6

SHA512
4f8b62c7831017e35d83088d79fc339d49439c4f66c1bc834863309a20c3ea8917bc9ee843610f57a04119013bfef57c9d5ee4bc11ff7c99efa9bf1b079fd2d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Resize\ielib32.dll

Filesize
2.5MB

MD5
c24c1adbb85f2097d1cd2b4c0b778e28

SHA1
bbac5f056878882032ab4597fab81cba072d0d73

SHA256
d18b293b7762706b15459f26d2908061637c26d048abfcbb9faa675005eca3e9

SHA512
eb26f8003162df0ec9081a569255f5b2d1d1473ebb02b3a734d8cf1b9fad993ae33af64b8d7848859a9f0778b6ad082bb9142b6e2d3223cd053aa93926b4b558

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Resize\ielib32.dll

Filesize
2.5MB

MD5
c24c1adbb85f2097d1cd2b4c0b778e28

SHA1
bbac5f056878882032ab4597fab81cba072d0d73

SHA256
d18b293b7762706b15459f26d2908061637c26d048abfcbb9faa675005eca3e9

SHA512
eb26f8003162df0ec9081a569255f5b2d1d1473ebb02b3a734d8cf1b9fad993ae33af64b8d7848859a9f0778b6ad082bb9142b6e2d3223cd053aa93926b4b558

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Resize\libwebp.dll

Filesize
270KB

MD5
7e77c4906572d4953904a658a903c5ff

SHA1
f93df53afad80dd708bc56f86bc4a879462e9626

SHA256
e862283d9714bc4247cf28d08af245f19dbedd9ae99a0f6cb422b92fbbd7b58b

SHA512
47e6947e9293cac36e175ce2d636ab3527f5d16c5b16cde54191007507b77d204754083a6cd51a88aa45df7ad8b342e6baae5ccfda3f8f8670b501c97fb16e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Resize\libwebp.dll

Filesize
270KB

MD5
7e77c4906572d4953904a658a903c5ff

SHA1
f93df53afad80dd708bc56f86bc4a879462e9626

SHA256
e862283d9714bc4247cf28d08af245f19dbedd9ae99a0f6cb422b92fbbd7b58b

SHA512
47e6947e9293cac36e175ce2d636ab3527f5d16c5b16cde54191007507b77d204754083a6cd51a88aa45df7ad8b342e6baae5ccfda3f8f8670b501c97fb16e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Resize\profiles.ini

Filesize
3KB

MD5
d55fb1f946d46db81661101d3326f1be

SHA1
dd372608c1371c792dec211c080ebb4b500cc264

SHA256
1335c5d9f99acecb01739612baf9137e8bcf3f29f1302285889245f3fe6224d1

SHA512
ea65fa5c296d2a25b45453343020bdd6c2af3608359d7980b91a5c3184fbd95f61151759c31c532b2baec3773bed937fe3ce87e8e64aaa90f973718b5e1c749c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads