5a108eb10751551eaf2fdafee5c9f05033d6d83c524dd20060a464d158cf1bfd

General

Target

d7eh4zQ01VMimnB34BJB.exe
Size

4.8MB
MD5

07b79a91bad1618cdf1828997ee09df3
SHA1

d3ac31c9540edbbbbb9b815287808f47bbbd0692
SHA256

5a108eb10751551eaf2fdafee5c9f05033d6d83c524dd20060a464d158cf1bfd
SHA512

d8ba6f8d1f2b6baadcf7eda5c0cf59db418ae8371ec37cb11266ef9d59b0bda152775b4f416ace72de7ab2c94bf311378efbda0ae30aa2f6caf58775a057e953
SSDEEP

98304:qr5z4M9qNOtHF33FJ6pO/FUSrAcD53U08RRI:eyM6OtH5FM42SsX0C

Score

8^/10

themida

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1812	5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	d7eh4zQ01VMimnB34BJB.exe

Loads dropped DLL 1 IoCs

pid	Process
3600	osk.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000500000001e87b-145.dat	themida
behavioral2/files/0x000500000001e87b-146.dat	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1260	d7eh4zQ01VMimnB34BJB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2368	taskkill.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1260	d7eh4zQ01VMimnB34BJB.exe
1260	d7eh4zQ01VMimnB34BJB.exe
1812	5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe
1812	5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe
1812	5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe
1812	5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1260	d7eh4zQ01VMimnB34BJB.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	taskkill.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3600	osk.exe
3600	osk.exe
3600	osk.exe
3600	osk.exe
3600	osk.exe
3600	osk.exe
3600	osk.exe
3600	osk.exe
3600	osk.exe
3600	osk.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1812	1260	d7eh4zQ01VMimnB34BJB.exe	85
PID 1260 wrote to memory of 1812	1260	d7eh4zQ01VMimnB34BJB.exe	85
PID 1812 wrote to memory of 3808	1812	5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe	91
PID 1812 wrote to memory of 3808	1812	5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe	91
PID 3808 wrote to memory of 2368	3808	cmd.exe	92
PID 3808 wrote to memory of 2368	3808	cmd.exe	92
PID 1812 wrote to memory of 4304	1812	5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe	95
PID 1812 wrote to memory of 4304	1812	5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe	95
PID 4304 wrote to memory of 3600	4304	cmd.exe	96
PID 4304 wrote to memory of 3600	4304	cmd.exe	96
PID 1812 wrote to memory of 3600	1812	5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe	96

C:\Users\Admin\AppData\Local\Temp\d7eh4zQ01VMimnB34BJB.exe
"C:\Users\Admin\AppData\Local\Temp\d7eh4zQ01VMimnB34BJB.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe
  "C:\Users\Admin\AppData\Local\Temp\5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /F /IM osk.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM osk.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c START osk.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\system32\osk.exe
      osk.exe
      4⤵
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe

Filesize
18.8MB

MD5
e0afdd2b322bb0dfcc5f8b07ee5a9cc6

SHA1
89cc9cbd3adca25ddbf7b8565390c7442ca652e1

SHA256
e5840db0ffd87083a541acea7bce39bb51171f512b5be5de16a4d9467ba1ec1e

SHA512
daad0491a998a68cbc799f65c0f8e2d32a8b3b3184a4357a374ccb4dede5df631916fdea870973b84262b364995980041c7bb52cb566d17738f371932fccd8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Nzu0W0vQyufJrNWSbfM67R1iVMJCK1Hp1I.exe

Filesize
18.8MB

MD5
e0afdd2b322bb0dfcc5f8b07ee5a9cc6

SHA1
89cc9cbd3adca25ddbf7b8565390c7442ca652e1

SHA256
e5840db0ffd87083a541acea7bce39bb51171f512b5be5de16a4d9467ba1ec1e

SHA512
daad0491a998a68cbc799f65c0f8e2d32a8b3b3184a4357a374ccb4dede5df631916fdea870973b84262b364995980041c7bb52cb566d17738f371932fccd8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQFl4M1RWRay.dll

Filesize
14.0MB

MD5
ad15f206c2545310e2a0d4b1627caa33

SHA1
8f1c225927f2d3c54d4a8269e917fc16b894cec8

SHA256
dc65e929f284fa51ba7adc8385435045ab3be4808f684cd2d6a1e499dab4b567

SHA512
5848c1f6f6d95cd3f0edb9e6959898500210c6138d8e2e6f0c9a2b470bb60526df4d383a67299ff2c179dab7cb8744e0b3aa9b6c73b748f6d6761b953a890aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQFl4M1RWRay.dll

Filesize
14.0MB

MD5
ad15f206c2545310e2a0d4b1627caa33

SHA1
8f1c225927f2d3c54d4a8269e917fc16b894cec8

SHA256
dc65e929f284fa51ba7adc8385435045ab3be4808f684cd2d6a1e499dab4b567

SHA512
5848c1f6f6d95cd3f0edb9e6959898500210c6138d8e2e6f0c9a2b470bb60526df4d383a67299ff2c179dab7cb8744e0b3aa9b6c73b748f6d6761b953a890aad

Download Submit
memory/1260-133-0x0000000140000000-0x0000000140800000-memory.dmp

Filesize
8.0MB

Download
memory/1260-136-0x0000000140000000-0x0000000140800000-memory.dmp

Filesize
8.0MB

Download
memory/1260-132-0x0000000140000000-0x0000000140800000-memory.dmp

Filesize
8.0MB

Download
memory/1812-138-0x00007FF713040000-0x00007FF71547A000-memory.dmp

Filesize
36.2MB

Download
memory/1812-140-0x00007FF713040000-0x00007FF71547A000-memory.dmp

Filesize
36.2MB

Download
memory/1812-147-0x00007FF713040000-0x00007FF71547A000-memory.dmp

Filesize
36.2MB

Download

Analysis

Sharing