fa51d3f26d979a4a1c4cf78a82e53c43d6accd90430872f72fa3cfce1afc15ce

General

Target

fa51d3f26d979a4a1c4cf78a82e53c43d6accd90430872f72fa3cfce1afc15ceN.exe
Size

334KB
MD5

2b55bfa9fe8ed2417a08e6d252f50960
SHA1

8b1f558835bb69d51784cd1bbdbffe9199a30d72
SHA256

fa51d3f26d979a4a1c4cf78a82e53c43d6accd90430872f72fa3cfce1afc15ce
SHA512

6621cb07afd52d83d10be3cca7699db6915cec6e283d9d1c690136bfee7c29365b82d2fa8bf6618ef72e03a8e96b2da72cd9f8bdf25fc0b8b84531caa0d7b8b3
SSDEEP

6144:hiEEj3+LBFhz7wR9U/xLZB9KUBCgs/ikmXPr1yg6wCvBdecAPCuhObSUM:wxj3+LjBMRGhsKkmD1QwAd74+M

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	fa51d3f26d979a4a1c4cf78a82e53c43d6accd90430872f72fa3cfce1afc15ceN.exe

Executes dropped EXE 2 IoCs

pid	Process
1860	Protected3.exe
464	Blackout Crypter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1328	1860	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa51d3f26d979a4a1c4cf78a82e53c43d6accd90430872f72fa3cfce1afc15ceN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Protected3.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Blackout Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Blackout Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Blackout Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Blackout Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Blackout Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Blackout Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	Blackout Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Blackout Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Blackout Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Blackout Crypter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Blackout Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Blackout Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Blackout Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Blackout Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Blackout Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Blackout Crypter.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Blackout Crypter.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Blackout Crypter.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Blackout Crypter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Blackout Crypter.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
464	Blackout Crypter.exe
464	Blackout Crypter.exe
464	Blackout Crypter.exe
464	Blackout Crypter.exe
464	Blackout Crypter.exe
464	Blackout Crypter.exe
464	Blackout Crypter.exe
464	Blackout Crypter.exe
464	Blackout Crypter.exe
464	Blackout Crypter.exe
464	Blackout Crypter.exe
464	Blackout Crypter.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 1860	3528	fa51d3f26d979a4a1c4cf78a82e53c43d6accd90430872f72fa3cfce1afc15ceN.exe	88
PID 3528 wrote to memory of 1860	3528	fa51d3f26d979a4a1c4cf78a82e53c43d6accd90430872f72fa3cfce1afc15ceN.exe	88
PID 3528 wrote to memory of 1860	3528	fa51d3f26d979a4a1c4cf78a82e53c43d6accd90430872f72fa3cfce1afc15ceN.exe	88
PID 3528 wrote to memory of 464	3528	fa51d3f26d979a4a1c4cf78a82e53c43d6accd90430872f72fa3cfce1afc15ceN.exe	89
PID 3528 wrote to memory of 464	3528	fa51d3f26d979a4a1c4cf78a82e53c43d6accd90430872f72fa3cfce1afc15ceN.exe	89

C:\Users\Admin\AppData\Local\Temp\fa51d3f26d979a4a1c4cf78a82e53c43d6accd90430872f72fa3cfce1afc15ceN.exe
"C:\Users\Admin\AppData\Local\Temp\fa51d3f26d979a4a1c4cf78a82e53c43d6accd90430872f72fa3cfce1afc15ceN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Users\Admin\AppData\Local\Temp\Protected3.exe
  "C:\Users\Admin\AppData\Local\Temp\Protected3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 268
    3⤵
    - Program crash
    PID:1328
- C:\Users\Admin\AppData\Local\Temp\Blackout Crypter.exe
  "C:\Users\Admin\AppData\Local\Temp\Blackout Crypter.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1860 -ip 1860
1⤵
PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Blackout Crypter.exe

Filesize
23KB

MD5
59f3fbd4c3132e14f75417c19b25fc7f

SHA1
337a7c42097debedfe6222fd81a5b390beba54e0

SHA256
d055aa878a6359bd50c15a2a378059e320759f5672d00fd46a4b96553b8a3bb0

SHA512
365bf4cae6733b11df630f8b1a85374f65f22b316c9c4adaa3f1b5fca83b6d708b830baa621c37093580506bd8c0415268415dc4c55e0c43878a85c25860704d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protected3.exe

Filesize
253KB

MD5
9637d6da20f9f0c32aa71f0229369da1

SHA1
b5046f174c767f018658325178c9329a65b02748

SHA256
93b7cb363085041b27a02d20c90ed2249d8d349412ed5e3da56f6d2707de8a95

SHA512
fbcaccb31862740c4e17a012f0dbd2cd1bbb37f859a18456fff9026f449041bbca48c72a7ecfd5eb29d3316600f6b00760867f8d6d9cebb1ccbb77785381bd90

Download Submit
memory/464-28-0x000000001C970000-0x000000001CA0C000-memory.dmp

Filesize
624KB

Download
memory/464-29-0x0000000001800000-0x0000000001808000-memory.dmp

Filesize
32KB

Download
memory/464-24-0x00007FFBFA870000-0x00007FFBFB211000-memory.dmp

Filesize
9.6MB

Download
memory/464-26-0x00007FFBFA870000-0x00007FFBFB211000-memory.dmp

Filesize
9.6MB

Download
memory/464-25-0x000000001BE00000-0x000000001BEA6000-memory.dmp

Filesize
664KB

Download
memory/464-27-0x000000001C400000-0x000000001C8CE000-memory.dmp

Filesize
4.8MB

Download
memory/464-37-0x00007FFBFA870000-0x00007FFBFB211000-memory.dmp

Filesize
9.6MB

Download
memory/464-23-0x00007FFBFAB25000-0x00007FFBFAB26000-memory.dmp

Filesize
4KB

Download
memory/464-30-0x000000001CB10000-0x000000001CB5C000-memory.dmp

Filesize
304KB

Download
memory/464-31-0x00007FFBFA870000-0x00007FFBFB211000-memory.dmp

Filesize
9.6MB

Download
memory/464-32-0x00007FFBFA870000-0x00007FFBFB211000-memory.dmp

Filesize
9.6MB

Download
memory/464-33-0x00007FFBFAB25000-0x00007FFBFAB26000-memory.dmp

Filesize
4KB

Download
memory/464-34-0x00007FFBFA870000-0x00007FFBFB211000-memory.dmp

Filesize
9.6MB

Download
memory/464-36-0x00007FFBFA870000-0x00007FFBFB211000-memory.dmp

Filesize
9.6MB

Download
memory/3528-22-0x0000000000010000-0x0000000000069000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing