9a74e61772d82136143a0c3f03c3e6c0bc5d4328f5e9d59e76f90b3c483b917c

General

Target

0917b610ad00f0d041af00f67564ad98.exe
Size

828KB
MD5

0917b610ad00f0d041af00f67564ad98
SHA1

994bed1b28cf98775f56bb8e34549cc6017137d7
SHA256

9a74e61772d82136143a0c3f03c3e6c0bc5d4328f5e9d59e76f90b3c483b917c
SHA512

7ebf5e89f646c2b7d935cde1a8a2b90fb8da2ccc617666a9db73b5ffb0905b1283f6a2fc7a029f8cc909de2807d5f1813969fcaa9bde8a21a2af13061396c0eb
SSDEEP

24576:rcvkTI+cRV+i8epaqKjO12mJs4qzMtNmDUbkpY:gvkTOKiRajk2mJs4354O

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	0917b610ad00f0d041af00f67564ad98.exe

Executes dropped EXE 1 IoCs

pid	Process
2100	git.exe

Loads dropped DLL 1 IoCs

pid	Process
2100	git.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2636	2100	WerFault.exe	88

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 3936	1272	0917b610ad00f0d041af00f67564ad98.exe	85
PID 1272 wrote to memory of 3936	1272	0917b610ad00f0d041af00f67564ad98.exe	85
PID 3936 wrote to memory of 2100	3936	cmd.exe	88
PID 3936 wrote to memory of 2100	3936	cmd.exe	88
PID 3936 wrote to memory of 2100	3936	cmd.exe	88
PID 3936 wrote to memory of 3868	3936	cmd.exe	93
PID 3936 wrote to memory of 3868	3936	cmd.exe	93
PID 3936 wrote to memory of 4560	3936	cmd.exe	94
PID 3936 wrote to memory of 4560	3936	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\0917b610ad00f0d041af00f67564ad98.exe
"C:\Users\Admin\AppData\Local\Temp\0917b610ad00f0d041af00f67564ad98.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8467.tmp\8468.tmp\8469.bat C:\Users\Admin\AppData\Local\Temp\0917b610ad00f0d041af00f67564ad98.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Users\Admin\AppData\Local\Temp\git\git.exe
    git.exe C:\Users\Admin\AppData\Roaming/WINT\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1144
      4⤵
      Program crash
      PID:2636
- - C:\Windows\system32\reg.exe
    reg.exe ADD HKEY_CURRENT_USER\SOFTWARE\Wint /v inst /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\0917b610ad00f0d041af00f67564ad98.exe /f
    3⤵
    PID:3868
- - C:\Windows\system32\reg.exe
    reg.exe ADD HKEY_CURRENT_USER\SOFTWARE\Wint /v dcbt /t REG_SZ /d Y1//+eOUOISBxntPlF5DRNfjW2d0d4U88tJtv9OAnW/D5FfgBkhywW519L/vPHkxBszuJk7mznvHrcrqVoc/JzNRWVjPCJ2YwUF+EPAgre4= /f
    3⤵
    PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2100 -ip 2100
1⤵
PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8467.tmp\8468.tmp\8469.bat

Filesize
428B

MD5
c0a60ec7ad73ede5f275e4705da0eb1a

SHA1
ef7067e0db21c87cea10b83d0fc23305ebea8131

SHA256
beccaa8011e883c9e65606b657445cc261e9b13d7e8552737f56f56857eccf87

SHA512
85ed54543d3797da4a41423b0bd461b81f133a0bc662600c07adef921d77bdf95da5910d131510d6bd420af0e5c705361afd57f2991868d9eec65d4e2352ff81

Download Submit
C:\Users\Admin\AppData\Local\Temp\git\git.exe

Filesize
268KB

MD5
f47adb7404aa61efe87cd1fd3a003161

SHA1
56a605b594a5e480afd3fa06f57b5e31e612ad17

SHA256
ea3282590067b5b803e5658a54234fb8597471a675e7d86a2fd0d099774f81a0

SHA512
9af1827103b334b82c11a6f50c34cf84bc29955572499b6ffe7ff7ea1cd99c4f0aa55ac742d91040d1eac06c06fd4c8f941cce35bb6d5ecaacb9670c8d0df83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\git\git.exe

Filesize
268KB

MD5
f47adb7404aa61efe87cd1fd3a003161

SHA1
56a605b594a5e480afd3fa06f57b5e31e612ad17

SHA256
ea3282590067b5b803e5658a54234fb8597471a675e7d86a2fd0d099774f81a0

SHA512
9af1827103b334b82c11a6f50c34cf84bc29955572499b6ffe7ff7ea1cd99c4f0aa55ac742d91040d1eac06c06fd4c8f941cce35bb6d5ecaacb9670c8d0df83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\git\lib\win32\x86\git2-106a5f2.dll

Filesize
918KB

MD5
1e96035a0fdd3783414000b12a0c4515

SHA1
368bda48b76c08f26a3d7c3521b3a9e8ebb17ed2

SHA256
1237de47ec7149ebc8f7e9edc4589a8940a29f39d23f1337b9ed87a96677d6ab

SHA512
884040892e89b2d874ffa436fefd6d6a4f998ca4f3044720b638703319b97533329e25fe222d5eb2e757ec12fd574d9d7b5018d54678c403f5fb46bf47283c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\git\lib\win32\x86\git2-106a5f2.dll

Filesize
918KB

MD5
1e96035a0fdd3783414000b12a0c4515

SHA1
368bda48b76c08f26a3d7c3521b3a9e8ebb17ed2

SHA256
1237de47ec7149ebc8f7e9edc4589a8940a29f39d23f1337b9ed87a96677d6ab

SHA512
884040892e89b2d874ffa436fefd6d6a4f998ca4f3044720b638703319b97533329e25fe222d5eb2e757ec12fd574d9d7b5018d54678c403f5fb46bf47283c30

Download Submit
C:\Users\Admin\AppData\Roaming\WINT\.git\config

Filesize
21B

MD5
0b9ea4a26e9d021ad26251cca01e2b1f

SHA1
f3df3e4af2d3d6bb2cd6410f4e375e8617d37feb

SHA256
bc6c44e1ecf71142efc0eb0bf69268dfbeb9e018b34b00b510d50f9bf57bff90

SHA512
41cc63ca47deec80784a71688f98de3a71b0af4bb059ade7904ebadf59357e78ac6ba611a26c4ab9ec719ff9dbb1d0472feb711ebc361f922fb7375db64783dd

Download Submit
C:\Users\Admin\AppData\Roaming\WINT\.git\config.lock

Filesize
50B

MD5
d98b908d5894be36ae472bb8119a1f1c

SHA1
629fbc2934695078ec18466173383ff604759275

SHA256
c0bc14f31424882483b92be3180cfd0570caae1c37c098cd5ddaf3ccc3544039

SHA512
f66fc7a49ea3e8ca6dced8a3b78ab00bfaf6668b57a553ea47f5905ee2daa879957086722a67590660f3f72c7d1be1c86faa54bc8a53042b18d88fee15485752

Download Submit
memory/2100-142-0x00000000004E0000-0x000000000052A000-memory.dmp

Filesize
296KB

Download
memory/2100-143-0x00000000055E0000-0x0000000005B84000-memory.dmp

Filesize
5.6MB

Download
memory/2100-144-0x0000000005030000-0x00000000050C2000-memory.dmp

Filesize
584KB

Download
memory/2100-145-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/2100-146-0x0000000004FE0000-0x0000000004FEA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing