8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f

General

Target

8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe
Size

666KB
MD5

07478a5c4795897c09745378c750f8ca
SHA1

1ae0911fd5fa57d1b94ecef287af30d4845c3019
SHA256

8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f
SHA512

5af0fde061350ee63b8e0b31104397c4be2ceacbba2ba08557c9872b6fefc676676f18b0f51d4d2504d1b0f5c8123d004e262e77cb4697867cb6406e26ce56b2
SSDEEP

12288:JcrNS33L10QdrX4FBojL8DPNYnzENFuUftj8Y+JxeIlTPYQZjDa321uz:0NA3R5drX4GcPNYo7vljEUIlLY+Da34K

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	zxdfser.exe

Executes dropped EXE 3 IoCs

pid	Process
2884	zxdfser.exe
4808	yunkynotes.exe
540	yunkynotes.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4808 set thread context of 540	4808	yunkynotes.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4364	540	WerFault.exe	96

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings	zxdfser.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1420	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	yunkynotes.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 4520	3980	8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe	86
PID 3980 wrote to memory of 4520	3980	8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe	86
PID 3980 wrote to memory of 4520	3980	8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe	86
PID 4520 wrote to memory of 2884	4520	cmd.exe	89
PID 4520 wrote to memory of 2884	4520	cmd.exe	89
PID 4520 wrote to memory of 2884	4520	cmd.exe	89
PID 2884 wrote to memory of 4808	2884	zxdfser.exe	90
PID 2884 wrote to memory of 4808	2884	zxdfser.exe	90
PID 2884 wrote to memory of 4808	2884	zxdfser.exe	90
PID 2884 wrote to memory of 1420	2884	zxdfser.exe	92
PID 2884 wrote to memory of 1420	2884	zxdfser.exe	92
PID 2884 wrote to memory of 1420	2884	zxdfser.exe	92
PID 4808 wrote to memory of 540	4808	yunkynotes.exe	96
PID 4808 wrote to memory of 540	4808	yunkynotes.exe	96
PID 4808 wrote to memory of 540	4808	yunkynotes.exe	96
PID 4808 wrote to memory of 540	4808	yunkynotes.exe	96
PID 4808 wrote to memory of 540	4808	yunkynotes.exe	96
PID 4808 wrote to memory of 540	4808	yunkynotes.exe	96
PID 4808 wrote to memory of 540	4808	yunkynotes.exe	96
PID 4808 wrote to memory of 540	4808	yunkynotes.exe	96

C:\Users\Admin\AppData\Local\Temp\8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe
"C:\Users\Admin\AppData\Local\Temp\8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ystickyrealen34.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\zxdfser.exe
    zxdfser.exe -pqoutgfbdmsigsohdfuishgrkgysgfghsithngmkaswodtyuiofxvflfadfdyehngfszafugyRygfysrsoihfihgsoirsugsudbfrgsfskfshbrhhguhrhgnmePvqxsSb -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\yunkynotes.exe
      "C:\Users\Admin\AppData\Local\Temp\yunkynotes.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4808
    - - C:\Users\Admin\AppData\Local\Temp\yunkynotes.exe
        
        C:\Users\Admin\AppData\Local\Temp\yunkynotes.exe
        5⤵
        Executes dropped EXE
        
        PID:540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 80
        6⤵
        Program crash
        
        PID:4364
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\OdemeInfo.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 540 -ip 540
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ystickyrealen34.cmd

Filesize
19KB

MD5
1b55772b37920b2ecf27a077fa10a82c

SHA1
812bd60efdb5befa5e19852f4875f30c77a81922

SHA256
ab9f1e57aedb0f8c5912e00bf9d93a1a3b2cc25db971bad4c633a0a529cfaa27

SHA512
f74624f441151bfe7a4421ee5aa962dcf074ceb9ca2feb1712bb4947b1b22de88b2570e6d7870b473d629165994ca0ed704a0038fb55f284fa60f957a9bed5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yunkynotes.exe

Filesize
188KB

MD5
4ef70f9463402797a33c9c57cb0bb4ae

SHA1
50d9169302d0df4cfab1421e280a3c5654979c16

SHA256
6a9d3d2a4eaa850159fcddf238be20521d711c2ee75bfa01145cca1e9bacfae5

SHA512
db362a4056601f461cffff246a40d8caa328e9c50f72915bf233ffdd69b8b70a37efb7e47639c40bc7e98961c06284a8ea6cd486ffe4779978c2e329544184fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yunkynotes.exe

Filesize
188KB

MD5
4ef70f9463402797a33c9c57cb0bb4ae

SHA1
50d9169302d0df4cfab1421e280a3c5654979c16

SHA256
6a9d3d2a4eaa850159fcddf238be20521d711c2ee75bfa01145cca1e9bacfae5

SHA512
db362a4056601f461cffff246a40d8caa328e9c50f72915bf233ffdd69b8b70a37efb7e47639c40bc7e98961c06284a8ea6cd486ffe4779978c2e329544184fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yunkynotes.exe

Filesize
188KB

MD5
4ef70f9463402797a33c9c57cb0bb4ae

SHA1
50d9169302d0df4cfab1421e280a3c5654979c16

SHA256
6a9d3d2a4eaa850159fcddf238be20521d711c2ee75bfa01145cca1e9bacfae5

SHA512
db362a4056601f461cffff246a40d8caa328e9c50f72915bf233ffdd69b8b70a37efb7e47639c40bc7e98961c06284a8ea6cd486ffe4779978c2e329544184fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yunkynotes.exe

Filesize
188KB

MD5
4ef70f9463402797a33c9c57cb0bb4ae

SHA1
50d9169302d0df4cfab1421e280a3c5654979c16

SHA256
6a9d3d2a4eaa850159fcddf238be20521d711c2ee75bfa01145cca1e9bacfae5

SHA512
db362a4056601f461cffff246a40d8caa328e9c50f72915bf233ffdd69b8b70a37efb7e47639c40bc7e98961c06284a8ea6cd486ffe4779978c2e329544184fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxdfser.exe

Filesize
428KB

MD5
5fd800cb1df5f757e1d5dcc8cb2433e6

SHA1
bac9641fbdc9c6d5ad69bd8b9dcbb564fe478552

SHA256
57e333d9c1199d0be9b3219d1f510c62ce366227828e8cd49442a6c5785d644a

SHA512
06e93672eca7e5df8d6e2d18f44da9926be0019d2f8680c2c9b70c3aa505e49582cad3d2d9ee329bccc58974693af5090ee419c63c47c7655a88b5b547c8bc00

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxdfser.exe

Filesize
428KB

MD5
5fd800cb1df5f757e1d5dcc8cb2433e6

SHA1
bac9641fbdc9c6d5ad69bd8b9dcbb564fe478552

SHA256
57e333d9c1199d0be9b3219d1f510c62ce366227828e8cd49442a6c5785d644a

SHA512
06e93672eca7e5df8d6e2d18f44da9926be0019d2f8680c2c9b70c3aa505e49582cad3d2d9ee329bccc58974693af5090ee419c63c47c7655a88b5b547c8bc00

Download Submit
memory/4808-24-0x0000000005A60000-0x0000000005A70000-memory.dmp

Filesize
64KB

Download
memory/4808-23-0x0000000072990000-0x0000000073140000-memory.dmp

Filesize
7.7MB

Download
memory/4808-25-0x0000000008080000-0x00000000080BA000-memory.dmp

Filesize
232KB

Download
memory/4808-26-0x0000000008160000-0x00000000081FC000-memory.dmp

Filesize
624KB

Download
memory/4808-27-0x00000000087B0000-0x0000000008D54000-memory.dmp

Filesize
5.6MB

Download
memory/4808-28-0x00000000082A0000-0x0000000008332000-memory.dmp

Filesize
584KB

Download
memory/4808-29-0x00000000033A0000-0x00000000033A6000-memory.dmp

Filesize
24KB

Download
memory/4808-22-0x0000000000FF0000-0x0000000001024000-memory.dmp

Filesize
208KB

Download
memory/4808-33-0x0000000072990000-0x0000000073140000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing