bbf38b1880ee037302435376852431fa870f18b0fec8662a9d7739d1087381db

General

Target

df37a01547bcba1097616ca2da4fd2a5.exe
Size

1.0MB
MD5

df37a01547bcba1097616ca2da4fd2a5
SHA1

faf0fcfd48cd639c2d3bba52b0693fd3e6011bea
SHA256

a7e1b48391e14f6d4531435b17ff22f4b4d2f522ee1c95edba21bb331acb5194
SHA512

f649436c7a7b162f3d7744ff3309b2c6f13f65ce38d2286c9299458ae3e76337ad493e79d6e58d04dcc6da4ef7dc66c381443f7fa50231d3de64cb87fca9d44b
SSDEEP

24576:/5Ctn/z/eJUqr2RX5ICkmnhWmwHH3QJOLQs+U6k7x:1xx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

df37a01547bcba1097616ca2da4fd2a5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	df37a01547bcba1097616ca2da4fd2a5.exe

Executes dropped EXE 1 IoCs

Processes:

123123.exe

pid process

3560 123123.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

64 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4892 timeout.exe

pid	process
3560	123123.exe

pid	process
64	schtasks.exe

pid	process
4892	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

df37a01547bcba1097616ca2da4fd2a5.exe

pid	process
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe
2348	df37a01547bcba1097616ca2da4fd2a5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

df37a01547bcba1097616ca2da4fd2a5.exe123123.exe

description pid process

Token: SeDebugPrivilege 2348 df37a01547bcba1097616ca2da4fd2a5.exe
Token: SeDebugPrivilege 3560 123123.exe

description	pid	process
Token: SeDebugPrivilege	2348	df37a01547bcba1097616ca2da4fd2a5.exe
Token: SeDebugPrivilege	3560	123123.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

df37a01547bcba1097616ca2da4fd2a5.execmd.execmd.exe

description	pid	process	target process
PID 2348 wrote to memory of 1072	2348	df37a01547bcba1097616ca2da4fd2a5.exe	cmd.exe
PID 2348 wrote to memory of 1072	2348	df37a01547bcba1097616ca2da4fd2a5.exe	cmd.exe
PID 2348 wrote to memory of 3584	2348	df37a01547bcba1097616ca2da4fd2a5.exe	cmd.exe
PID 2348 wrote to memory of 3584	2348	df37a01547bcba1097616ca2da4fd2a5.exe	cmd.exe
PID 3584 wrote to memory of 4892	3584	cmd.exe	timeout.exe
PID 3584 wrote to memory of 4892	3584	cmd.exe	timeout.exe
PID 1072 wrote to memory of 64	1072	cmd.exe	schtasks.exe
PID 1072 wrote to memory of 64	1072	cmd.exe	schtasks.exe
PID 3584 wrote to memory of 3560	3584	cmd.exe	123123.exe
PID 3584 wrote to memory of 3560	3584	cmd.exe	123123.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\df37a01547bcba1097616ca2da4fd2a5.exe
"C:\Users\Admin\AppData\Local\Temp\df37a01547bcba1097616ca2da4fd2a5.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "123123" /tr '"C:\Users\Admin\AppData\Roaming\123123.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "123123" /tr '"C:\Users\Admin\AppData\Roaming\123123.exe"'
3⤵
- Creates scheduled task(s)
PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB1C.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4892

C:\Users\Admin\AppData\Roaming\123123.exe
"C:\Users\Admin\AppData\Roaming\123123.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB1C.tmp.bat
Filesize
149B

MD5
9a14dbbd5f8271d929536120a15d06f5

SHA1
ebac07092ddab29d75f4f21ddb7b5377ec457516

SHA256
e36b1e9e4ca598b467f6858745a105857590a2a19c51e5eca488c789b463ed81

SHA512
03689fdf7654cecfec96243eb5e2d632b879020a130e4dfcc38ec510302007ef0f041f731898818762eb8bfe8b951188680b7aad935418a126f660be33e0fc4f

Download Submit
C:\Users\Admin\AppData\Roaming\123123.exe
Filesize
1.0MB

MD5
df37a01547bcba1097616ca2da4fd2a5

SHA1
faf0fcfd48cd639c2d3bba52b0693fd3e6011bea

SHA256
a7e1b48391e14f6d4531435b17ff22f4b4d2f522ee1c95edba21bb331acb5194

SHA512
f649436c7a7b162f3d7744ff3309b2c6f13f65ce38d2286c9299458ae3e76337ad493e79d6e58d04dcc6da4ef7dc66c381443f7fa50231d3de64cb87fca9d44b

Download Submit
C:\Users\Admin\AppData\Roaming\123123.exe
Filesize
1.0MB

MD5
df37a01547bcba1097616ca2da4fd2a5

SHA1
faf0fcfd48cd639c2d3bba52b0693fd3e6011bea

SHA256
a7e1b48391e14f6d4531435b17ff22f4b4d2f522ee1c95edba21bb331acb5194

SHA512
f649436c7a7b162f3d7744ff3309b2c6f13f65ce38d2286c9299458ae3e76337ad493e79d6e58d04dcc6da4ef7dc66c381443f7fa50231d3de64cb87fca9d44b

Download Submit
memory/2348-136-0x000002996EA20000-0x000002996EA30000-memory.dmp

Filesize
64KB

Download
memory/2348-133-0x000002996D160000-0x000002996D17C000-memory.dmp

Filesize
112KB

Download
memory/2348-134-0x000002996EA20000-0x000002996EA30000-memory.dmp

Filesize
64KB

Download
memory/2348-135-0x000002996EA20000-0x000002996EA30000-memory.dmp

Filesize
64KB

Download
memory/3560-145-0x0000024A1E5F0000-0x0000024A1E600000-memory.dmp

Filesize
64KB

Download
memory/3560-146-0x0000024A1E5F0000-0x0000024A1E600000-memory.dmp

Filesize
64KB

Download
memory/3560-147-0x0000024A1E5F0000-0x0000024A1E600000-memory.dmp

Filesize
64KB

Download
memory/3560-148-0x0000024A1E5F0000-0x0000024A1E600000-memory.dmp

Filesize
64KB

Download
memory/3560-149-0x0000024A1E5F0000-0x0000024A1E600000-memory.dmp

Filesize
64KB

Download
memory/3560-150-0x0000024A1E5F0000-0x0000024A1E600000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads