fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e

General

Target

fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e.exe
Size

60KB
MD5

44486b9292d58b348be382e9a021612e
SHA1

5a48e99312611933811810aa740592e3f4f69b97
SHA256

fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e
SHA512

43f0c8cf48be75bfa10f9186238ba18f6afa1b11037ede0e4c11705ae3e19b7cf991471f9b82f75c9c934935d45b57994f6d1e6729166ec1ea9a3a5697a28d02
SSDEEP

1536:ejuJw3T4JoBjYDxkxblBa18OC0lqMRxgULh4H:ejuJJJiukT8sIquBLO

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1964	qayanyew.exe
1696	dzgvddkw.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	qayanyew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	dzgvddkw.exe

Loads dropped DLL 2 IoCs

pid	Process
1760	fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e.exe
1760	fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1964	1760	fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e.exe	28
PID 1760 wrote to memory of 1964	1760	fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e.exe	28
PID 1760 wrote to memory of 1964	1760	fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e.exe	28
PID 1760 wrote to memory of 1964	1760	fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e.exe	28
PID 1760 wrote to memory of 1696	1760	fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e.exe	30
PID 1760 wrote to memory of 1696	1760	fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e.exe	30
PID 1760 wrote to memory of 1696	1760	fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e.exe	30
PID 1760 wrote to memory of 1696	1760	fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e.exe	30

C:\Users\Admin\AppData\Local\Temp\fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e.exe
"C:\Users\Admin\AppData\Local\Temp\fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760
- C:\ProgramData\qayanyew.exe
  "C:\ProgramData\qayanyew.exe" task=00evnt=rdaskm
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:1964
- C:\ProgramData\dzgvddkw.exe
  "C:\ProgramData\dzgvddkw.exe" task=00evnt=tvjbjn
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dfsxwizssgwuscd

Filesize
52B

MD5
cca65ff3340c38e45301f8f2a2703054

SHA1
0e06e4b463bda565d95e5a11d32fb532828b85ee

SHA256
8272c0e5c4ad0bcde07afca0f073a92c7ff09b1b4c07f669d12375faa7d1549f

SHA512
08ac9a0f3d74ca3d9f026af9fc4d8aff15edad4e23ee916f3e8f1d2362eb28f2b5c663390a8db4097485f5d26848192788270db92909ff6363d0f6804d86c3f0

Download Submit
C:\ProgramData\dfsxwizssgwuscd

Filesize
52B

MD5
bb650b1803fdac3d19ac78c0d18dfdfd

SHA1
30fb371967763fa83146794f435dab4f9c3d413a

SHA256
ffe9d67b412e1a695e06a6808eb8c64042f056f8bd0480e4296bb92af23a6c8b

SHA512
4b10aa4cf8dd8cd8e5da9f660ffc46c4b188a84fa1164b47f8bc2fb558af34eb4bf58cf35387aea331f66682dba7bc2a26322fc6fbdfa70065980c0d16fb5400

Download Submit
C:\ProgramData\dzgvddkw.exe

Filesize
60KB

MD5
44486b9292d58b348be382e9a021612e

SHA1
5a48e99312611933811810aa740592e3f4f69b97

SHA256
fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e

SHA512
43f0c8cf48be75bfa10f9186238ba18f6afa1b11037ede0e4c11705ae3e19b7cf991471f9b82f75c9c934935d45b57994f6d1e6729166ec1ea9a3a5697a28d02

Download Submit
C:\ProgramData\qayanyew.exe

Filesize
60KB

MD5
44486b9292d58b348be382e9a021612e

SHA1
5a48e99312611933811810aa740592e3f4f69b97

SHA256
fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e

SHA512
43f0c8cf48be75bfa10f9186238ba18f6afa1b11037ede0e4c11705ae3e19b7cf991471f9b82f75c9c934935d45b57994f6d1e6729166ec1ea9a3a5697a28d02

Download Submit
\ProgramData\dzgvddkw.exe

Filesize
60KB

MD5
44486b9292d58b348be382e9a021612e

SHA1
5a48e99312611933811810aa740592e3f4f69b97

SHA256
fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e

SHA512
43f0c8cf48be75bfa10f9186238ba18f6afa1b11037ede0e4c11705ae3e19b7cf991471f9b82f75c9c934935d45b57994f6d1e6729166ec1ea9a3a5697a28d02

Download Submit
\ProgramData\qayanyew.exe

Filesize
60KB

MD5
44486b9292d58b348be382e9a021612e

SHA1
5a48e99312611933811810aa740592e3f4f69b97

SHA256
fd0fba3c80c32d2f0d13cae68be2f4a3d7601766adec650fac26d903e9fd934e

SHA512
43f0c8cf48be75bfa10f9186238ba18f6afa1b11037ede0e4c11705ae3e19b7cf991471f9b82f75c9c934935d45b57994f6d1e6729166ec1ea9a3a5697a28d02

Download Submit
memory/1696-68-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1760-55-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1760-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1964-62-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1964-61-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing