6ae296e1d6faefa0851a7f40736d4404409eb1fa3e2b884664a1cc6f1107bb47

General

Target

xx.exe
Size

3.3MB
MD5

50298c571eeb5d3c9dbb5945f5692d2d
SHA1

82817defaabee93a9d15c78e763137c4c2d1dcb4
SHA256

6ae296e1d6faefa0851a7f40736d4404409eb1fa3e2b884664a1cc6f1107bb47
SHA512

8a953c3c14c30532cfad0f5c83cd3f267d0625dc333d3510647e3ab82c0ad7c27fe1548ea75975be8f28e64a1c3104c7729858a31fbed9c24957a15d56a44f3b
SSDEEP

49152:53wqqmcOSW0FONVReXFYYjSpHl9r9zzoMr6YNDsxmDb7S1xR+VXHxasznBKWKv:53wqZDjcL8rf6YNoxmDbm1xR

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

_config.exexx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	_config.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	xx.exe

Executes dropped EXE 3 IoCs

Processes:

music.exe_config.exe_config.exe

pid process

1372 music.exe
1660 _config.exe
2136 _config.exe
Loads dropped DLL 1 IoCs

Processes:

xx.exe

pid process

1264 xx.exe

pid	process
1264	xx.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

music.exe

description	ioc	process
File opened (read-only)	\??\G:	music.exe
File opened (read-only)	\??\K:	music.exe
File opened (read-only)	\??\W:	music.exe
File opened (read-only)	\??\X:	music.exe
File opened (read-only)	\??\Y:	music.exe
File opened (read-only)	\??\B:	music.exe
File opened (read-only)	\??\E:	music.exe
File opened (read-only)	\??\Q:	music.exe
File opened (read-only)	\??\S:	music.exe
File opened (read-only)	\??\V:	music.exe
File opened (read-only)	\??\F:	music.exe
File opened (read-only)	\??\H:	music.exe
File opened (read-only)	\??\L:	music.exe
File opened (read-only)	\??\M:	music.exe
File opened (read-only)	\??\O:	music.exe
File opened (read-only)	\??\R:	music.exe
File opened (read-only)	\??\Z:	music.exe
File opened (read-only)	\??\I:	music.exe
File opened (read-only)	\??\J:	music.exe
File opened (read-only)	\??\N:	music.exe
File opened (read-only)	\??\P:	music.exe
File opened (read-only)	\??\T:	music.exe
File opened (read-only)	\??\U:	music.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

music.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	music.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	music.exe

Modifies registry class 1 IoCs

Processes:

helppane.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ helppane.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	helppane.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

music.exe

pid	process
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe
1372	music.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

music.exe

pid process

1372 music.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

music.exe

description pid process

Token: 33 1372 music.exe
Token: SeIncBasePriorityPrivilege 1372 music.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

helppane.exe

pid process

948 helppane.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

music.exehelppane.exe

pid process

1372 music.exe
948 helppane.exe
948 helppane.exe

description	pid	process
Token: 33	1372	music.exe
Token: SeIncBasePriorityPrivilege	1372	music.exe

pid	process
948	helppane.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

xx.exehelppane.exe_config.exe

description	pid	process	target process
PID 1264 wrote to memory of 1372	1264	xx.exe	music.exe
PID 1264 wrote to memory of 1372	1264	xx.exe	music.exe
PID 1264 wrote to memory of 1372	1264	xx.exe	music.exe
PID 1264 wrote to memory of 1660	1264	xx.exe	_config.exe
PID 1264 wrote to memory of 1660	1264	xx.exe	_config.exe
PID 1264 wrote to memory of 1660	1264	xx.exe	_config.exe
PID 948 wrote to memory of 2136	948	helppane.exe	_config.exe
PID 948 wrote to memory of 2136	948	helppane.exe	_config.exe
PID 948 wrote to memory of 2136	948	helppane.exe	_config.exe
PID 2136 wrote to memory of 1568	2136	_config.exe	reg.exe
PID 2136 wrote to memory of 1568	2136	_config.exe	reg.exe
PID 2136 wrote to memory of 1568	2136	_config.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\xx.exe
"C:\Users\Admin\AppData\Local\Temp\xx.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Roaming\s05ACEGKOR\music.exe
"C:\Users\Admin\AppData\Roaming\s05ACEGKOR\music.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Users\Admin\AppData\Local\Temp\_config.exe
"C:\Users\Admin\AppData\Local\Temp\_config.exe"
2⤵
- Executes dropped EXE
PID:1660

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\_config.exe
"C:\Users\Admin\AppData\Local\Temp\_config.exe" shell32.dll,ShellExec_RunDLL reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\s05ACEGKOR" /f
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\s05ACEGKOR" /f
3⤵
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_config.exe
Filesize
82KB

MD5
cbbdef6c4d82eb4ff01ed43f1e641907

SHA1
722ba8786507f2cad599b11cdc4a139909f4f9f1

SHA256
37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

SHA512
6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_config.exe
Filesize
82KB

MD5
cbbdef6c4d82eb4ff01ed43f1e641907

SHA1
722ba8786507f2cad599b11cdc4a139909f4f9f1

SHA256
37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

SHA512
6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_config.exe
Filesize
82KB

MD5
cbbdef6c4d82eb4ff01ed43f1e641907

SHA1
722ba8786507f2cad599b11cdc4a139909f4f9f1

SHA256
37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

SHA512
6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_config.lnk
Filesize
2KB

MD5
0fe851298edd436c3337e12612cea15e

SHA1
127dd6c63f7ae44dbd7568fb04125dc7bfb8fb1d

SHA256
434c3dd31be4a93fce20c27b54f986dc12ae8a1dbcd38e73f2b5d50118778018

SHA512
364833b919ed1872c50f54797a12e8924202aef186ab3ddb4b8338ace239f9ff5023c12f8bc815b8e785d3304cc6cd73734b302bdbe2cb34c8b12e77d24c34e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb6E60.tmp
Filesize
1KB

MD5
1d3c48e9a0f85af37324e5a2e7d4c571

SHA1
fa43f97ae2e0f814702c07041776d9025c7eb035

SHA256
36e69f1b110721d998a9e3819292b04599add78b863b84c69d05ddf2d2c9a401

SHA512
fc983f0aea54ac0f6be985d485ac16a5336d66fa0996d04779206541872f7833de4a048801009e86f2e214e3f0870c89afa0672fb5864267fa8a86ed24fc91cb

Download Submit
C:\Users\Admin\AppData\Roaming\s05ACEGKOR\music.exe
Filesize
108KB

MD5
a6a9abf50eb980d12622e14c237a9f37

SHA1
8ef76ad1aaac59cc082a94dd1fa65338c7d59111

SHA256
1ef14f23c1c3fad652b81376340e8882a942b27052f85e96040067fc0ac4cd5a

SHA512
952a4e01f4d6018289db4ead6b52d50f9dfa2939ebe37294c2c07c4af18c20d9beb3f65b41a04cfc92f26b61794b53bd8884a78cbe4be6cf4904a9b608fd1252

Download Submit
C:\Users\Admin\AppData\Roaming\s05ACEGKOR\music.exe
Filesize
108KB

MD5
a6a9abf50eb980d12622e14c237a9f37

SHA1
8ef76ad1aaac59cc082a94dd1fa65338c7d59111

SHA256
1ef14f23c1c3fad652b81376340e8882a942b27052f85e96040067fc0ac4cd5a

SHA512
952a4e01f4d6018289db4ead6b52d50f9dfa2939ebe37294c2c07c4af18c20d9beb3f65b41a04cfc92f26b61794b53bd8884a78cbe4be6cf4904a9b608fd1252

Download Submit
C:\Users\Admin\AppData\Roaming\s05ACEGKOR\music.exe
Filesize
108KB

MD5
a6a9abf50eb980d12622e14c237a9f37

SHA1
8ef76ad1aaac59cc082a94dd1fa65338c7d59111

SHA256
1ef14f23c1c3fad652b81376340e8882a942b27052f85e96040067fc0ac4cd5a

SHA512
952a4e01f4d6018289db4ead6b52d50f9dfa2939ebe37294c2c07c4af18c20d9beb3f65b41a04cfc92f26b61794b53bd8884a78cbe4be6cf4904a9b608fd1252

Download Submit
memory/1264-174-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1264-136-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1264-144-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/1264-143-0x0000000000400000-0x0000000000FB8000-memory.dmp

Filesize
11.7MB

Download
memory/1264-138-0x0000000000400000-0x0000000000FB8000-memory.dmp

Filesize
11.7MB

Download
memory/1264-142-0x0000000000400000-0x0000000000FB8000-memory.dmp

Filesize
11.7MB

Download
memory/1264-171-0x0000000000400000-0x0000000000FB8000-memory.dmp

Filesize
11.7MB

Download
memory/1264-141-0x0000000000400000-0x0000000000FB8000-memory.dmp

Filesize
11.7MB

Download
memory/1264-166-0x0000000000400000-0x0000000000FB8000-memory.dmp

Filesize
11.7MB

Download
memory/1264-167-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1264-140-0x0000000000400000-0x0000000000FB8000-memory.dmp

Filesize
11.7MB

Download
memory/1264-139-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1372-158-0x0000000000C50000-0x0000000000C9C000-memory.dmp

Filesize
304KB

Download
memory/1372-183-0x0000000000C50000-0x0000000000C9C000-memory.dmp

Filesize
304KB

Download
memory/1372-153-0x0000000000C50000-0x0000000000C9C000-memory.dmp

Filesize
304KB

Download
memory/1372-177-0x0000000000C50000-0x0000000000C9C000-memory.dmp

Filesize
304KB

Download
memory/1372-178-0x0000000000C50000-0x0000000000C9C000-memory.dmp

Filesize
304KB

Download
memory/1372-179-0x0000000000C50000-0x0000000000C9C000-memory.dmp

Filesize
304KB

Download
memory/1372-180-0x0000000000C50000-0x0000000000C9C000-memory.dmp

Filesize
304KB

Download
memory/1372-181-0x0000000000C50000-0x0000000000C9C000-memory.dmp

Filesize
304KB

Download
memory/1372-182-0x0000000000C50000-0x0000000000C9C000-memory.dmp

Filesize
304KB

Download
memory/1372-159-0x0000000000EB0000-0x0000000000EB4000-memory.dmp

Filesize
16KB

Download
memory/1372-184-0x0000000000C50000-0x0000000000C9C000-memory.dmp

Filesize
304KB

Download
memory/1372-185-0x0000000000C50000-0x0000000000C9C000-memory.dmp

Filesize
304KB

Download
memory/1372-186-0x0000000000C50000-0x0000000000C9C000-memory.dmp

Filesize
304KB

Download
memory/1372-187-0x0000000000C50000-0x0000000000C9C000-memory.dmp

Filesize
304KB

Download
memory/1372-188-0x0000000000C50000-0x0000000000C9C000-memory.dmp

Filesize
304KB

Download
memory/1372-189-0x0000000000C50000-0x0000000000C9C000-memory.dmp

Filesize
304KB

Download
memory/1372-190-0x0000000000C50000-0x0000000000C9C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads