55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f

General

Target

55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
Size

1.2MB
MD5

244db981bea51bcb8ed7b591de3c15af
SHA1

c57b2aed176c8bccf599fba290e43a945e46df4e
SHA256

55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f
SHA512

c876674168de5a401d1423f9221705da7ccc5a342dd1a0a69fc3f9603388ed90958aff9fd29df3b6f2def4fc80ee73fc7d803a94923c1c2ab3226742e045d1a9
SSDEEP

12288:WpQzNWXXasPZqhm0AVlKeSeSofbU1RVBdw5DSd2zGBkzxrlNIQR1dVubUGKN5J93:W5asB+lKbUuaBkz7uUpnRm3UUc

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

oiesczh.exeoiesczh.exe

pid process

4552 oiesczh.exe
3172 oiesczh.exe

pid	process
4552	oiesczh.exe
3172	oiesczh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exeoiesczh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	oiesczh.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exeoiesczh.exe

description	pid	process	target process
PID 2548 set thread context of 332	2548	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
PID 4552 set thread context of 3172	4552	oiesczh.exe	oiesczh.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exeoiesczh.exeoiesczh.exe

pid	process
2548	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
2548	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
2548	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
2548	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
332	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
332	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
4552	oiesczh.exe
4552	oiesczh.exe
4552	oiesczh.exe
4552	oiesczh.exe
3172	oiesczh.exe
3172	oiesczh.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exeoiesczh.exe

pid	process
2548	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
2548	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
4552	oiesczh.exe
4552	oiesczh.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exeoiesczh.exe

description	pid	process	target process
PID 2548 wrote to memory of 332	2548	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
PID 2548 wrote to memory of 332	2548	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
PID 2548 wrote to memory of 332	2548	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
PID 2548 wrote to memory of 332	2548	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
PID 2548 wrote to memory of 332	2548	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
PID 2548 wrote to memory of 332	2548	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe	55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
PID 4552 wrote to memory of 3172	4552	oiesczh.exe	oiesczh.exe
PID 4552 wrote to memory of 3172	4552	oiesczh.exe	oiesczh.exe
PID 4552 wrote to memory of 3172	4552	oiesczh.exe	oiesczh.exe
PID 4552 wrote to memory of 3172	4552	oiesczh.exe	oiesczh.exe
PID 4552 wrote to memory of 3172	4552	oiesczh.exe	oiesczh.exe
PID 4552 wrote to memory of 3172	4552	oiesczh.exe	oiesczh.exe

C:\Users\Admin\AppData\Local\Temp\55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
"C:\Users\Admin\AppData\Local\Temp\55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548

C:\Users\Admin\AppData\Local\Temp\55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
C:\Users\Admin\AppData\Local\Temp\55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f.exe
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:332

C:\Users\Admin\AppData\Local\Temp\oiesczh.exe
C:\Users\Admin\AppData\Local\Temp\oiesczh.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\Temp\oiesczh.exe
C:\Users\Admin\AppData\Local\Temp\oiesczh.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:3172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Packages\qhpndfn
Filesize
654B

MD5
f4e4d3e20ff024031d43b3f7af431847

SHA1
558e7f4be945869a6a08941aaee10664233391e2

SHA256
0552e7a99d25784078de20216ebf5a95675454a54c2716e65fdd1fe6a000dee8

SHA512
1bfaf1a7fd6bcc534efdfcbe89413c148abe6c504e9b0e7f469ad4bd28646feb2ed4b96b41b43bc0d6aba6606b41ec7cc52ff6167cb59fa236da9b139fcbabb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiesczh.exe
Filesize
1.2MB

MD5
244db981bea51bcb8ed7b591de3c15af

SHA1
c57b2aed176c8bccf599fba290e43a945e46df4e

SHA256
55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f

SHA512
c876674168de5a401d1423f9221705da7ccc5a342dd1a0a69fc3f9603388ed90958aff9fd29df3b6f2def4fc80ee73fc7d803a94923c1c2ab3226742e045d1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiesczh.exe
Filesize
1.2MB

MD5
244db981bea51bcb8ed7b591de3c15af

SHA1
c57b2aed176c8bccf599fba290e43a945e46df4e

SHA256
55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f

SHA512
c876674168de5a401d1423f9221705da7ccc5a342dd1a0a69fc3f9603388ed90958aff9fd29df3b6f2def4fc80ee73fc7d803a94923c1c2ab3226742e045d1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oiesczh.exe
Filesize
1.2MB

MD5
244db981bea51bcb8ed7b591de3c15af

SHA1
c57b2aed176c8bccf599fba290e43a945e46df4e

SHA256
55d815c340f400703d67a90337d27913abee6b2167cafedef7832f623830a17f

SHA512
c876674168de5a401d1423f9221705da7ccc5a342dd1a0a69fc3f9603388ed90958aff9fd29df3b6f2def4fc80ee73fc7d803a94923c1c2ab3226742e045d1a9

Download Submit
memory/332-132-0x0000000000000000-mapping.dmp

Download
memory/332-133-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/332-136-0x0000000000760000-0x0000000000970000-memory.dmp

Filesize
2.1MB

Download
memory/332-137-0x0000000000970000-0x0000000000BB1000-memory.dmp

Filesize
2.3MB

Download
memory/332-138-0x0000000000400000-0x00000000004A6E00-memory.dmp

Filesize
667KB

Download
memory/2548-135-0x0000000002320000-0x0000000002324000-memory.dmp

Filesize
16KB

Download
memory/3172-141-0x0000000000000000-mapping.dmp

Download
memory/3172-146-0x00000000008B0000-0x0000000000AF1000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads