0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05

General

Target

0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe
Size

171KB
MD5

0d1a5afe8ff4299a6e4e5c9eaca3a8d0
SHA1

4c9cb8cedfc423ce7ed544a0214373411d543757
SHA256

0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05
SHA512

f790c01978caef194eb40d0fdc419ec8f8c7ae3c508c7ee1461f86a66be42def0f610a7a21f4b1b17e37dd790e645605f1a41b6bd8b0f042fa1b9a761a000356
SSDEEP

3072:Bswv8vAW/6zD2EoCKGDYftbs4OTLGvc822:B7k/6Fs1buKv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe

Executes dropped EXE 3 IoCs

pid	Process
404	0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe
1440	0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe
3568	0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3884	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4804	0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4804	0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe
Token: SeDebugPrivilege	404	0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe
Token: SeDebugPrivilege	1440	0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe
Token: SeDebugPrivilege	3568	0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4804	0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 3884	4804	0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe	85
PID 4804 wrote to memory of 3884	4804	0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe
"C:\Users\Admin\AppData\Local\Temp\0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05" /tr "C:\Users\Admin\AppData\Roaming\0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3884

C:\Users\Admin\AppData\Roaming\0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe
C:\Users\Admin\AppData\Roaming\0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Users\Admin\AppData\Roaming\0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe
C:\Users\Admin\AppData\Roaming\0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Users\Admin\AppData\Roaming\0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe
C:\Users\Admin\AppData\Roaming\0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe.log

Filesize
1KB

MD5
764d77a1fe83fb63d329d05881b91079

SHA1
1c56e9039ffba5c2975afffb6d13295e8819839d

SHA256
fefe4090fc5e9f2f10f7abc5e23cfe9f26d8c69a27f48e7c4ff5017eac66a9bb

SHA512
702621e4baa23cc209f87d54ead3f767b8ef4d8c3745e070fe356d72fde2dd1de520d703f6d029e074ea53751bd347a496a5a5580f691514a1c11e0c71d723c8

Download Submit
C:\Users\Admin\AppData\Roaming\0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe

Filesize
171KB

MD5
0d1a5afe8ff4299a6e4e5c9eaca3a8d0

SHA1
4c9cb8cedfc423ce7ed544a0214373411d543757

SHA256
0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05

SHA512
f790c01978caef194eb40d0fdc419ec8f8c7ae3c508c7ee1461f86a66be42def0f610a7a21f4b1b17e37dd790e645605f1a41b6bd8b0f042fa1b9a761a000356

Download Submit
C:\Users\Admin\AppData\Roaming\0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe

Filesize
171KB

MD5
0d1a5afe8ff4299a6e4e5c9eaca3a8d0

SHA1
4c9cb8cedfc423ce7ed544a0214373411d543757

SHA256
0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05

SHA512
f790c01978caef194eb40d0fdc419ec8f8c7ae3c508c7ee1461f86a66be42def0f610a7a21f4b1b17e37dd790e645605f1a41b6bd8b0f042fa1b9a761a000356

Download Submit
C:\Users\Admin\AppData\Roaming\0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe

Filesize
171KB

MD5
0d1a5afe8ff4299a6e4e5c9eaca3a8d0

SHA1
4c9cb8cedfc423ce7ed544a0214373411d543757

SHA256
0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05

SHA512
f790c01978caef194eb40d0fdc419ec8f8c7ae3c508c7ee1461f86a66be42def0f610a7a21f4b1b17e37dd790e645605f1a41b6bd8b0f042fa1b9a761a000356

Download Submit
C:\Users\Admin\AppData\Roaming\0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05.exe

Filesize
171KB

MD5
0d1a5afe8ff4299a6e4e5c9eaca3a8d0

SHA1
4c9cb8cedfc423ce7ed544a0214373411d543757

SHA256
0aaa331ee252f7fe6824fd7ec5de659bffc2b1447a026012371ff8f6f0b71e05

SHA512
f790c01978caef194eb40d0fdc419ec8f8c7ae3c508c7ee1461f86a66be42def0f610a7a21f4b1b17e37dd790e645605f1a41b6bd8b0f042fa1b9a761a000356

Download Submit
memory/404-142-0x000000001BC30000-0x000000001BC40000-memory.dmp

Filesize
64KB

Download
memory/404-144-0x000000001ACA0000-0x000000001ADEE000-memory.dmp

Filesize
1.3MB

Download
memory/1440-152-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/1440-154-0x000000001B980000-0x000000001BACE000-memory.dmp

Filesize
1.3MB

Download
memory/3568-161-0x000000001C170000-0x000000001C180000-memory.dmp

Filesize
64KB

Download
memory/4804-138-0x000000001AF10000-0x000000001B05E000-memory.dmp

Filesize
1.3MB

Download
memory/4804-137-0x000000001C520000-0x000000001C530000-memory.dmp

Filesize
64KB

Download
memory/4804-136-0x000000001AF10000-0x000000001B05E000-memory.dmp

Filesize
1.3MB

Download
memory/4804-133-0x00000000002F0000-0x0000000000322000-memory.dmp

Filesize
200KB

Download
memory/4804-135-0x000000001C520000-0x000000001C530000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads