8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e

General

Target

8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
Size

2.8MB
MD5

b35ba959f3d42c9902336dc2d3a0c9b9
SHA1

bf675713b46652024da9093a6f4fe90a5c7b577f
SHA256

8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e
SHA512

7a8659ba49cbb8bd4c315dd3da4b9bb8d65ae97b391befb57b54ae7e4678d01d380ec5e8c1df1f0cfbd0b60e3dc922a0a5d5d99cd713690ff8e313d244996f80
SSDEEP

49152:NUCCeDMTHzLlCT3ZF4tn+vc2lxehaXGpudG5cJpbhrba:vvMTHdCT3ktnUcixlGKb8

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SubRangs.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	SubRangs.exe

Executes dropped EXE 2 IoCs

Processes:

SubRangs.exeInternet Explorer.exe

pid process

1224 SubRangs.exe
1064 Internet Explorer.exe
Loads dropped DLL 3 IoCs

Processes:

SubRangs.exe

pid process

1224 SubRangs.exe
1224 SubRangs.exe
1224 SubRangs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1224	SubRangs.exe
1064	Internet Explorer.exe

pid	process
1224	SubRangs.exe
1224	SubRangs.exe
1224	SubRangs.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exeSubRangs.exeInternet Explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SubRangs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Internet Explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe

pid	process
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exeSubRangs.exe

pid	process
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
1224	SubRangs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.execmd.exeSubRangs.exe

description	pid	process	target process
PID 4492 wrote to memory of 3280	4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe	cmd.exe
PID 4492 wrote to memory of 3280	4492	8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe	cmd.exe
PID 3280 wrote to memory of 1224	3280	cmd.exe	SubRangs.exe
PID 3280 wrote to memory of 1224	3280	cmd.exe	SubRangs.exe
PID 3280 wrote to memory of 1224	3280	cmd.exe	SubRangs.exe
PID 1224 wrote to memory of 1064	1224	SubRangs.exe	Internet Explorer.exe
PID 1224 wrote to memory of 1064	1224	SubRangs.exe	Internet Explorer.exe
PID 1224 wrote to memory of 1064	1224	SubRangs.exe	Internet Explorer.exe

C:\Users\Admin\AppData\Local\Temp\8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
"C:\Users\Admin\AppData\Local\Temp\8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4492
- \??\c:\windows\system32\cmd.exe
  c:\windows\sysnative\cmd /c "C:\Windows\Temp\SubRangs.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\Temp\SubRangs.exe
    C:\Windows\Temp\SubRangs.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\Temp\Internet Explorer.exe
      "C:\Windows\Temp\Internet Explorer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_N60005\krnln.fnr

Filesize
1.2MB

MD5
a6a397b67ebac717e7ec095bf9b597ee

SHA1
80c7459654f3564c0cb74a47398d48e0f02cb82f

SHA256
847fbe068ff90112d9b76c04587439ee3a3866d8c60466bb4673491d94ddfd89

SHA512
0eb5528a4aad4458feddbefb5347d0e2cd84d6240a341ccc425d6ed98d15d8588d8635f21d30af389a2af5ac9537bea56a1d97530ac90e965989e296f1c5d8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N60005\shell.fne

Filesize
60KB

MD5
98174c8c2995000efbda01e1b86a1d4d

SHA1
7e71a5a029a203e4ab0afc68eee18c39f4ab4097

SHA256
90284c2ead0598faa715cc90c1f53b83b916099c918ce7f816f0b4550ff55ac6

SHA512
a37059062a99cd2a9fae15850b49068752ccf0be9f1d86c3f812a689b7c4d024771ec2b66adf9ce950bc5b8b117d457aba87d586cf112a1a30239531bfc8cd06

Download Submit
C:\Windows\Temp\Internet Explorer.exe

Filesize
1.1MB

MD5
cbd351fc93b61ca74898d8183d36d9a2

SHA1
3c1ad1055438642571e4160c213bb563085d640c

SHA256
ebc9ed2855d5847894414e9e72b729d978d46d8ec81335ae6e1fc3432a838069

SHA512
ee4f6897c91e37571d8c1c929593f7aecfbaad5aa6ca896a035203df285d1bc33f3c042f5850e5433d7c599f33371b6de0c527787abc93c581d27d8b190224d3

Download Submit
C:\Windows\Temp\SubRangs.exe

Filesize
666KB

MD5
a48c8e538d62c65ca94d7651f1364f37

SHA1
41a9fe6d151b2880cc4ea37885c4430d353e8159

SHA256
e4e34957dfa20c6cd73cc5e1a4d800079d3eeab4899cf2e72cb876da662179ec

SHA512
cf900db3656f47ae5c78a1831647e570967e1011a0f50db47ef99438293a071b8e3eb9b1bcf32f393a9d32ff31e8176b9f0da4fd59dca99777f2160b11f2dd79

Download Submit
memory/1064-20-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/1064-21-0x0000000075FD0000-0x00000000761E5000-memory.dmp

Filesize
2.1MB

Download
memory/1064-3264-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/1224-4-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1224-14-0x0000000002090000-0x00000000020A5000-memory.dmp

Filesize
84KB

Download
memory/1224-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads