ae03a486090f28faed381caf337f85f73db646d263eeeaacfc90e17dd6d77d13

General

Target

ae03a486090f28faed381caf337f85f73db646d263eeeaacfc90e17dd6d77d13.exe
Size

421KB
MD5

5fc4c26af77c3ab81417b6dfd9975004
SHA1

183a060d2e2864990cc732e451e416d2475fdc85
SHA256

ae03a486090f28faed381caf337f85f73db646d263eeeaacfc90e17dd6d77d13
SHA512

83cb849a719c0ecbb162e27f9bfda486513223bb07b4dffe641668d55dcde3f2682894c80492b48922a826d4395667b898804779327cf33b0c982f6464b2e16b
SSDEEP

12288:Szy6rRxEUzGcZzqWrps18NbX4QsmD4lKBzIe:Z6rTd51ls18F4QrDtBX

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4700	1.exe
2016	urlcore.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002316d-139.dat	upx
behavioral2/files/0x000600000002316d-140.dat	upx
behavioral2/memory/2016-141-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/2016-142-0x0000000000400000-0x00000000004E7000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	ae03a486090f28faed381caf337f85f73db646d263eeeaacfc90e17dd6d77d13.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\urlspace = "c:\\bootre\\urlcore.exe -h"	urlcore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	urlcore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2016	urlcore.exe
Token: SeIncBasePriorityPrivilege	2016	urlcore.exe
Token: 33	2016	urlcore.exe
Token: SeIncBasePriorityPrivilege	2016	urlcore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2016	urlcore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2016	urlcore.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4700	1.exe
2016	urlcore.exe
2016	urlcore.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 4700	2368	ae03a486090f28faed381caf337f85f73db646d263eeeaacfc90e17dd6d77d13.exe	85
PID 2368 wrote to memory of 4700	2368	ae03a486090f28faed381caf337f85f73db646d263eeeaacfc90e17dd6d77d13.exe	85
PID 2368 wrote to memory of 4700	2368	ae03a486090f28faed381caf337f85f73db646d263eeeaacfc90e17dd6d77d13.exe	85
PID 4700 wrote to memory of 5004	4700	1.exe	86
PID 4700 wrote to memory of 5004	4700	1.exe	86
PID 4700 wrote to memory of 5004	4700	1.exe	86
PID 5004 wrote to memory of 2016	5004	cmd.exe	88
PID 5004 wrote to memory of 2016	5004	cmd.exe	88
PID 5004 wrote to memory of 2016	5004	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\ae03a486090f28faed381caf337f85f73db646d263eeeaacfc90e17dd6d77d13.exe
"C:\Users\Admin\AppData\Local\Temp\ae03a486090f28faed381caf337f85f73db646d263eeeaacfc90e17dd6d77d13.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2368
- C:\bootre\1.exe
  "C:\bootre\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c "c:\bootre\urlcore.exe /h /r /t /b 1753068"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - \??\c:\bootre\urlcore.exe
      c:\bootre\urlcore.exe /h /r /t /b 1753068
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\bootre\1.exe

Filesize
16KB

MD5
8fe53f1ebae6ce30cff8183d865fd38b

SHA1
32b96178c4c03a04b2786fbdb5d63b19197c3f7e

SHA256
08171b4a15d891b9747a159903002e2f879fc5c712c0d7ce0238754abc38dd0a

SHA512
1ca8d41bb55a748d5a65fa815ca627c5652a77726ed5dede0147791a16827c39d16813073ca03bff9fce4457d135cc581a7fa62bd4d7df6bca7127368e032bd8

Download Submit
C:\bootre\1.exe

Filesize
16KB

MD5
8fe53f1ebae6ce30cff8183d865fd38b

SHA1
32b96178c4c03a04b2786fbdb5d63b19197c3f7e

SHA256
08171b4a15d891b9747a159903002e2f879fc5c712c0d7ce0238754abc38dd0a

SHA512
1ca8d41bb55a748d5a65fa815ca627c5652a77726ed5dede0147791a16827c39d16813073ca03bff9fce4457d135cc581a7fa62bd4d7df6bca7127368e032bd8

Download Submit
C:\bootre\urlcore.exe

Filesize
335KB

MD5
687414bc735030cf270bb2a376d23162

SHA1
b6b661b52625b26b23afab5b60adac2b934b6892

SHA256
085f35dde8e0446cc83ae8c7a04b63f831b63567408c8ae077a826ee74bf45ec

SHA512
0cfccfc924aaf4b8e6fec76190b8888f41103874d426fff19763d07161535348a9daeba6ea6d93fac28325f3b2b79f6e009c1bf0e65c749347806afae87b0488

Download Submit
\??\c:\bootre\urlcore.exe

Filesize
335KB

MD5
687414bc735030cf270bb2a376d23162

SHA1
b6b661b52625b26b23afab5b60adac2b934b6892

SHA256
085f35dde8e0446cc83ae8c7a04b63f831b63567408c8ae077a826ee74bf45ec

SHA512
0cfccfc924aaf4b8e6fec76190b8888f41103874d426fff19763d07161535348a9daeba6ea6d93fac28325f3b2b79f6e009c1bf0e65c749347806afae87b0488

Download Submit
memory/2016-141-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2016-142-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads