0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8

General

Target

0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe
Size

212KB
MD5

9951b7f5344d5d0e6728f90c1ffd0a3f
SHA1

5252a37cc0c4171f6261fbcc418d4fca83f0a543
SHA256

0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8
SHA512

2ce934dbeb9888e8125856d0158f23a6c5d007a55f9d71287e308bcf312674642496a1f2aadfe276361b5c4945e37a5c3edde3be83dbdb8d531123fb2335f50f
SSDEEP

3072:skoemwJEECCvcVbQQFrUoR19V6To0Hqs3WvQ:ZEECCElQk3wqFQ

Score

9^/10

Malware Config

Signatures

Detects command variations typically used by ransomware 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3696-4-0x00007FF6C9770000-0x00007FF6C9B07000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe

pid	process
1524	0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe
1524	0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe
1524	0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe
1524	0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe

description pid process

Token: SeDebugPrivilege 1524 0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe

description	pid	process
Token: SeDebugPrivilege	1524	0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1524 wrote to memory of 2636	1524	0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe	sihost.exe
PID 1524 wrote to memory of 4516	1524	0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe	net.exe
PID 1524 wrote to memory of 4516	1524	0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe	net.exe
PID 4516 wrote to memory of 2052	4516	net.exe	net1.exe
PID 4516 wrote to memory of 2052	4516	net.exe	net1.exe
PID 1524 wrote to memory of 3768	1524	0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe	net.exe
PID 1524 wrote to memory of 3768	1524	0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe	net.exe
PID 3768 wrote to memory of 3316	3768	net.exe	net1.exe
PID 3768 wrote to memory of 3316	3768	net.exe	net1.exe
PID 1524 wrote to memory of 2728	1524	0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe	svchost.exe
PID 1524 wrote to memory of 1972	1524	0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe	net.exe
PID 1524 wrote to memory of 1972	1524	0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe	net.exe
PID 1972 wrote to memory of 4048	1972	net.exe	net1.exe
PID 1972 wrote to memory of 4048	1972	net.exe	net1.exe
PID 1524 wrote to memory of 2976	1524	0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe	taskhostw.exe
PID 1524 wrote to memory of 3696	1524	0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe	svchost.exe
PID 1524 wrote to memory of 3896	1524	0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe	DllHost.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2728

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3696

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe
"C:\Users\Admin\AppData\Local\Temp\0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "spooler" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "spooler" /y
    3⤵
    PID:2052
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3316
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2636-0-0x00007FF6C9770000-0x00007FF6C9B07000-memory.dmp

Filesize
3.6MB

Download
memory/3696-4-0x00007FF6C9770000-0x00007FF6C9B07000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads