93465cd89175bd96c5200942aace1cf2acc9384ff1f028f1e845757ade82361b

General

Target

f019c781190cefb52a2ddde54379d29d.exe
Size

110KB
MD5

f019c781190cefb52a2ddde54379d29d
SHA1

db345587033eb8a26fd0edd6ee8492faac76ac40
SHA256

93465cd89175bd96c5200942aace1cf2acc9384ff1f028f1e845757ade82361b
SHA512

fd3335a31f5133274039fd5bff4bd89f0bd19c787de79ffc97a7c0f07985f783fd625a5404206b344b3f0ce0656ca6a71e8633e608832fb8dac424cf01075b99
SSDEEP

1536:J5C4c7H718iZJmhKhdoaIkcXTLjfWidbGPECG+1+2PwuLJWj9a53HMGvEXg4:q//18iZMhKhI+ubNLmLq9KHMzg4

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4908	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	APIWrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation	f019c781190cefb52a2ddde54379d29d.exe

Executes dropped EXE 1 IoCs

pid	Process
3460	APIWrapper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ASB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\APIWrapper.exe"	APIWrapper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings	f019c781190cefb52a2ddde54379d29d.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1868	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3460	APIWrapper.exe
3460	APIWrapper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3460	APIWrapper.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 1868	4244	f019c781190cefb52a2ddde54379d29d.exe	83
PID 4244 wrote to memory of 1868	4244	f019c781190cefb52a2ddde54379d29d.exe	83
PID 4244 wrote to memory of 1868	4244	f019c781190cefb52a2ddde54379d29d.exe	83
PID 4244 wrote to memory of 3460	4244	f019c781190cefb52a2ddde54379d29d.exe	86
PID 4244 wrote to memory of 3460	4244	f019c781190cefb52a2ddde54379d29d.exe	86
PID 4244 wrote to memory of 3460	4244	f019c781190cefb52a2ddde54379d29d.exe	86
PID 3460 wrote to memory of 4908	3460	APIWrapper.exe	89
PID 3460 wrote to memory of 4908	3460	APIWrapper.exe	89
PID 3460 wrote to memory of 4908	3460	APIWrapper.exe	89
PID 3460 wrote to memory of 944	3460	APIWrapper.exe	91
PID 3460 wrote to memory of 944	3460	APIWrapper.exe	91
PID 3460 wrote to memory of 944	3460	APIWrapper.exe	91
PID 944 wrote to memory of 4508	944	net.exe	93
PID 944 wrote to memory of 4508	944	net.exe	93
PID 944 wrote to memory of 4508	944	net.exe	93

C:\Users\Admin\AppData\Local\Temp\f019c781190cefb52a2ddde54379d29d.exe
"C:\Users\Admin\AppData\Local\Temp\f019c781190cefb52a2ddde54379d29d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\NTT_Customer_Notification.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1868
- C:\Users\Admin\AppData\Local\Temp\APIWrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\APIWrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4908
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop wuauserv
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:4508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\APIWrapper.exe

Filesize
34KB

MD5
137fe32ac41f7b73d21219051e037185

SHA1
b1fed2c1257823f4cfbe9c0fdd6207177330a7e3

SHA256
1a8149494ae9f8e0e827080c8c38774eac995de4fd12ae4204448c28c17b2e96

SHA512
db930108bb13c82d0059bc3a086d8f14100475f76644ad292bf37c2f7a42e74a9a7ffea9e7a183211c04114b470eebff88249a0efe862944998efd686bad48be

Download Submit
C:\Users\Admin\AppData\Local\Temp\APIWrapper.exe

Filesize
34KB

MD5
137fe32ac41f7b73d21219051e037185

SHA1
b1fed2c1257823f4cfbe9c0fdd6207177330a7e3

SHA256
1a8149494ae9f8e0e827080c8c38774eac995de4fd12ae4204448c28c17b2e96

SHA512
db930108bb13c82d0059bc3a086d8f14100475f76644ad292bf37c2f7a42e74a9a7ffea9e7a183211c04114b470eebff88249a0efe862944998efd686bad48be

Download Submit
C:\Users\Admin\AppData\Local\Temp\APIWrapper.exe

Filesize
34KB

MD5
137fe32ac41f7b73d21219051e037185

SHA1
b1fed2c1257823f4cfbe9c0fdd6207177330a7e3

SHA256
1a8149494ae9f8e0e827080c8c38774eac995de4fd12ae4204448c28c17b2e96

SHA512
db930108bb13c82d0059bc3a086d8f14100475f76644ad292bf37c2f7a42e74a9a7ffea9e7a183211c04114b470eebff88249a0efe862944998efd686bad48be

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTT_Customer_Notification.txt

Filesize
919B

MD5
a245be3b944db50a32f5fd7b0073872f

SHA1
b97cf469bbbba82e8e691c36acf20f4fd2765ec3

SHA256
d22ccc3b5bf14f94cfc77e4c7a9aac648452ee0e80f903bf02d1b6e59faacbed

SHA512
2908486e66e574cc05825288dd382dc3e4627c885c889b1e779bebed8d218f5d6488223db9cacfdc7bbb4a094c3c9cab4f7be8cd9bbdce4d5fb18fce210cb345

Download Submit
memory/3460-149-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/3460-150-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/3460-151-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/3460-152-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/3460-153-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/3460-154-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing