bbf38b1880ee037302435376852431fa870f18b0fec8662a9d7739d1087381db

General

Target

24192519fe48742134f892876e8754d9.exe
Size

1.0MB
MD5

24192519fe48742134f892876e8754d9
SHA1

cbe590d7c8682dad2d05c759df8afaf0a4b9e8a5
SHA256

0516bfd184b5240a1c441d9035faf17272bdb01651ad4458b85c59e6c27988bc
SHA512

01c4c300fa2d9747eed1aa8d489f1d95fbe70b9166e16b2117173c35dcaa64c8c1737b367ff8f117940b40383c883b4f52edb743ec97ac6049f737ad76440cf5
SSDEEP

24576:75Ctn/z/eJUqr2RX5ICkmnhWmwHH3QJOLQs+U6k7xF:pxxF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

24192519fe48742134f892876e8754d9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	24192519fe48742134f892876e8754d9.exe

Executes dropped EXE 1 IoCs

Processes:

123123.exe

pid process

236 123123.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1348 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3104 timeout.exe

pid	process
236	123123.exe

pid	process
1348	schtasks.exe

pid	process
3104	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

24192519fe48742134f892876e8754d9.exe

pid	process
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe
3668	24192519fe48742134f892876e8754d9.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

24192519fe48742134f892876e8754d9.exe123123.exe

description pid process

Token: SeDebugPrivilege 3668 24192519fe48742134f892876e8754d9.exe
Token: SeDebugPrivilege 236 123123.exe

description	pid	process
Token: SeDebugPrivilege	3668	24192519fe48742134f892876e8754d9.exe
Token: SeDebugPrivilege	236	123123.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

24192519fe48742134f892876e8754d9.execmd.execmd.exe

description	pid	process	target process
PID 3668 wrote to memory of 1116	3668	24192519fe48742134f892876e8754d9.exe	cmd.exe
PID 3668 wrote to memory of 1116	3668	24192519fe48742134f892876e8754d9.exe	cmd.exe
PID 3668 wrote to memory of 3340	3668	24192519fe48742134f892876e8754d9.exe	cmd.exe
PID 3668 wrote to memory of 3340	3668	24192519fe48742134f892876e8754d9.exe	cmd.exe
PID 1116 wrote to memory of 1348	1116	cmd.exe	schtasks.exe
PID 1116 wrote to memory of 1348	1116	cmd.exe	schtasks.exe
PID 3340 wrote to memory of 3104	3340	cmd.exe	timeout.exe
PID 3340 wrote to memory of 3104	3340	cmd.exe	timeout.exe
PID 3340 wrote to memory of 236	3340	cmd.exe	123123.exe
PID 3340 wrote to memory of 236	3340	cmd.exe	123123.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\24192519fe48742134f892876e8754d9.exe
"C:\Users\Admin\AppData\Local\Temp\24192519fe48742134f892876e8754d9.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "123123" /tr '"C:\Users\Admin\AppData\Roaming\123123.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "123123" /tr '"C:\Users\Admin\AppData\Roaming\123123.exe"'
3⤵
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9DCB.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3104

C:\Users\Admin\AppData\Roaming\123123.exe
"C:\Users\Admin\AppData\Roaming\123123.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9DCB.tmp.bat
Filesize
150B

MD5
3567c68467a75c7f0e65b0250649c98c

SHA1
5c507fe31d916d5bb0add1a56ea4894e8e93bf11

SHA256
186d84560a614c5f8ed96e2e286adaf0684aaa03e4c2e76da967cb16b3e7b4da

SHA512
e3b893ced6c9f2a072f12a4e483e37982da34da166c0bfb79fb8d5b99ffb59e17cb9a7f03c50d6248a0e311d7df1c7674a4447bf287c269498c50e274a01d5b7

Download Submit
C:\Users\Admin\AppData\Roaming\123123.exe
Filesize
1.0MB

MD5
24192519fe48742134f892876e8754d9

SHA1
cbe590d7c8682dad2d05c759df8afaf0a4b9e8a5

SHA256
0516bfd184b5240a1c441d9035faf17272bdb01651ad4458b85c59e6c27988bc

SHA512
01c4c300fa2d9747eed1aa8d489f1d95fbe70b9166e16b2117173c35dcaa64c8c1737b367ff8f117940b40383c883b4f52edb743ec97ac6049f737ad76440cf5

Download Submit
C:\Users\Admin\AppData\Roaming\123123.exe
Filesize
1.0MB

MD5
24192519fe48742134f892876e8754d9

SHA1
cbe590d7c8682dad2d05c759df8afaf0a4b9e8a5

SHA256
0516bfd184b5240a1c441d9035faf17272bdb01651ad4458b85c59e6c27988bc

SHA512
01c4c300fa2d9747eed1aa8d489f1d95fbe70b9166e16b2117173c35dcaa64c8c1737b367ff8f117940b40383c883b4f52edb743ec97ac6049f737ad76440cf5

Download Submit
memory/236-147-0x000001C3E9F20000-0x000001C3E9F30000-memory.dmp

Filesize
64KB

Download
memory/236-145-0x000001C3E9F20000-0x000001C3E9F30000-memory.dmp

Filesize
64KB

Download
memory/236-146-0x000001C3E9F20000-0x000001C3E9F30000-memory.dmp

Filesize
64KB

Download
memory/236-148-0x000001C3E9F20000-0x000001C3E9F30000-memory.dmp

Filesize
64KB

Download
memory/236-149-0x000001C3E9F20000-0x000001C3E9F30000-memory.dmp

Filesize
64KB

Download
memory/236-150-0x000001C3E9F20000-0x000001C3E9F30000-memory.dmp

Filesize
64KB

Download
memory/3668-136-0x000002E06E630000-0x000002E06E640000-memory.dmp

Filesize
64KB

Download
memory/3668-135-0x000002E06E630000-0x000002E06E640000-memory.dmp

Filesize
64KB

Download
memory/3668-134-0x000002E06E630000-0x000002E06E640000-memory.dmp

Filesize
64KB

Download
memory/3668-133-0x000002E06CAF0000-0x000002E06CB0C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads