007baf0d208771b6a5a062be5f1f253a25938173ebe4c5e0eddf7f79cb9c490b

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2023, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pharmacy_3_0_160602.exe
Size

17.3MB
MD5

5aaf9402d58fe541fe4e5ec094f668ff
SHA1

73e87b91c74c73d02588c38854a672798318ecb5
SHA256

007baf0d208771b6a5a062be5f1f253a25938173ebe4c5e0eddf7f79cb9c490b
SHA512

f093eb1ec320f65b064cf7a13c53087e6cff361f073b5e475919ed653700a5588f49feab6160f05008ddcd7faa0489d2cbaa0504802820b54f686d278c8d9841
SSDEEP

393216:5NLmbUSnNiT/V9vo5bm3j7ysa+38cyUzghqZYS99hS2GdtPR:nmziN9vIm3ysvM1UQn8hidtp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	pharmacy_3_0_160602.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	pharmacy_3_0.exe

Loads dropped DLL 4 IoCs

pid	Process
2692	pharmacy_3_0.exe
2692	pharmacy_3_0.exe
2692	pharmacy_3_0.exe
2692	pharmacy_3_0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1968	pharmacy_3_0_160602.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2692	pharmacy_3_0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2692	1968	pharmacy_3_0_160602.exe	85
PID 1968 wrote to memory of 2692	1968	pharmacy_3_0_160602.exe	85
PID 1968 wrote to memory of 2692	1968	pharmacy_3_0_160602.exe	85

C:\Users\Admin\AppData\Local\Temp\pharmacy_3_0_160602.exe
"C:\Users\Admin\AppData\Local\Temp\pharmacy_3_0_160602.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Micard-Lana\Pharmacy_3_0\pharmacy_3_0.exe
  "C:\Micard-Lana\Pharmacy_3_0\pharmacy_3_0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Micard-Lana\Pharmacy_3_0\USI_lib_0x20.dll

Filesize
216KB

MD5
9ac74a95715de2fbb300db1c3568a594

SHA1
cdad9b768a875833a8f6bc86ae53649a48275280

SHA256
a60d63ebfd858bfcaddc0c187cad81128703c21a60e948a7d2b2fa700547169e

SHA512
8aa152e209a1246d04a416e185c63aa4c92a23bcf680e32b733e7aa828d88da9affe0e9e3c158714c2890a1bac084cb554ed74a52e7e8b4d660d28d9737fbb5c

Download Submit
C:\Micard-Lana\Pharmacy_3_0\bluetooth.dll

Filesize
68KB

MD5
d99dce2272ab741767ba9f515e721ef9

SHA1
ba57d1b050318ced63a89a12ee6f813f3b6b6415

SHA256
c40c7ca82e2c392a51b69acfbbb7d0068709bbe562b749c783b0b85b5e1f6934

SHA512
ef815e9cb02181100278a57daa65bca11e8d274ed0ec427b9b96cad1c913f7b7db2756aaa787eb33b62a315a8338355b6d2909f445d1279e5d5f70fdeab247e2

Download Submit
C:\Micard-Lana\Pharmacy_3_0\bluetooth.dll

Filesize
68KB

MD5
d99dce2272ab741767ba9f515e721ef9

SHA1
ba57d1b050318ced63a89a12ee6f813f3b6b6415

SHA256
c40c7ca82e2c392a51b69acfbbb7d0068709bbe562b749c783b0b85b5e1f6934

SHA512
ef815e9cb02181100278a57daa65bca11e8d274ed0ec427b9b96cad1c913f7b7db2756aaa787eb33b62a315a8338355b6d2909f445d1279e5d5f70fdeab247e2

Download Submit
C:\Micard-Lana\Pharmacy_3_0\libfftw3-3.dll

Filesize
2.3MB

MD5
fa3e0a8ba3d210d80ac31aa02d2f5b6b

SHA1
0b645437c808f3cd85881802cd73d920cb0d2524

SHA256
9a1c6f59eddd4fa2dd4f4c31d1bbaab88d2843712d5283fd4e674c93f6540d1f

SHA512
fa1d05de2192fe6e8391e18e542dc8585081fac7cc62a4dc0da62f69c4b45879a7115a1499367fcbb22d00340952c67da0cd694d0f594db9e94755db014db4b1

Download Submit
C:\Micard-Lana\Pharmacy_3_0\libfftw3-3.dll

Filesize
2.3MB

MD5
fa3e0a8ba3d210d80ac31aa02d2f5b6b

SHA1
0b645437c808f3cd85881802cd73d920cb0d2524

SHA256
9a1c6f59eddd4fa2dd4f4c31d1bbaab88d2843712d5283fd4e674c93f6540d1f

SHA512
fa1d05de2192fe6e8391e18e542dc8585081fac7cc62a4dc0da62f69c4b45879a7115a1499367fcbb22d00340952c67da0cd694d0f594db9e94755db014db4b1

Download Submit
C:\Micard-Lana\Pharmacy_3_0\mtp.DLL

Filesize
16KB

MD5
00de3e23cf30f197ea60abb67c3a801b

SHA1
0ef566c8f493f55464d5c74ac01ecc790a408ee4

SHA256
42922b20694e680f569f7d48252d8d9f27cdef2beda34cfb4751995831f9d1b1

SHA512
1f7551ea799db7b636ee239b7124a212e41a390a3e669e64ece5e28b5da04d89fcb0ec01e0620bc04af02a17ca64280b6be1b977b1a5e4abd9f4c271ba0dc5d7

Download Submit
C:\Micard-Lana\Pharmacy_3_0\mtp.dll

Filesize
16KB

MD5
00de3e23cf30f197ea60abb67c3a801b

SHA1
0ef566c8f493f55464d5c74ac01ecc790a408ee4

SHA256
42922b20694e680f569f7d48252d8d9f27cdef2beda34cfb4751995831f9d1b1

SHA512
1f7551ea799db7b636ee239b7124a212e41a390a3e669e64ece5e28b5da04d89fcb0ec01e0620bc04af02a17ca64280b6be1b977b1a5e4abd9f4c271ba0dc5d7

Download Submit
C:\Micard-Lana\Pharmacy_3_0\pharmacy_3_0.exe

Filesize
26.9MB

MD5
504ceae1fe64224b7439c99d36edc45b

SHA1
188d77cd4496f0bd4b3e428b95eb054563bf6aa0

SHA256
d4d664e42a31eed65e17733c3381dfd7d6c2d951c84168b42fdc9d47d8ff0672

SHA512
546ea76158a6301f535fa67a8aec1cbdeac377eace7d51eedb3448ce6672cf20ead1748390254b0917dbc53e5296445d3a70fcd65f56947b4c3b9981c092274f

Download Submit
C:\Micard-Lana\Pharmacy_3_0\pharmacy_3_0.exe

Filesize
26.9MB

MD5
504ceae1fe64224b7439c99d36edc45b

SHA1
188d77cd4496f0bd4b3e428b95eb054563bf6aa0

SHA256
d4d664e42a31eed65e17733c3381dfd7d6c2d951c84168b42fdc9d47d8ff0672

SHA512
546ea76158a6301f535fa67a8aec1cbdeac377eace7d51eedb3448ce6672cf20ead1748390254b0917dbc53e5296445d3a70fcd65f56947b4c3b9981c092274f

Download Submit
C:\Micard-Lana\Pharmacy_3_0\pharmacy_3_0.exe

Filesize
26.9MB

MD5
504ceae1fe64224b7439c99d36edc45b

SHA1
188d77cd4496f0bd4b3e428b95eb054563bf6aa0

SHA256
d4d664e42a31eed65e17733c3381dfd7d6c2d951c84168b42fdc9d47d8ff0672

SHA512
546ea76158a6301f535fa67a8aec1cbdeac377eace7d51eedb3448ce6672cf20ead1748390254b0917dbc53e5296445d3a70fcd65f56947b4c3b9981c092274f

Download Submit
C:\Micard-Lana\Pharmacy_3_0\pic.dll

Filesize
110KB

MD5
bacfc0c9470acfbdf6212d79cb214027

SHA1
724dbb2618e15a10bfe83bb211c7d6562cd5f148

SHA256
d1af88fb4d7fd850748f049426edb7001c7d58ad1ccaff8f50474b493f8061cf

SHA512
e091af1445afdee144e31dd0b977983e56ab3f86540e9333d1653fae088a47adcc817034d91353528cd1e9945b95135b2f583c7cc809dd08df91422edb0965d6

Download Submit
C:\Micard-Lana\Pharmacy_3_0\pic.dll

Filesize
110KB

MD5
bacfc0c9470acfbdf6212d79cb214027

SHA1
724dbb2618e15a10bfe83bb211c7d6562cd5f148

SHA256
d1af88fb4d7fd850748f049426edb7001c7d58ad1ccaff8f50474b493f8061cf

SHA512
e091af1445afdee144e31dd0b977983e56ab3f86540e9333d1653fae088a47adcc817034d91353528cd1e9945b95135b2f583c7cc809dd08df91422edb0965d6

Download Submit
\??\c:\Micard-Lana\Pharmacy_3_0\oktmo.db

Filesize
14.6MB

MD5
2c278b47e8273751d4de23165ee41c8e

SHA1
059d2f23a6a126e1bd86f8ad522384aa913903b0

SHA256
620851dd6f9ef358ed5460856ca5fe6965210eb70f8718be40e2f29ef12346cc

SHA512
f75c361f80b84b57233575ded015ac605baef3177252007004651fa052f3a79bc2fabc4a57b66ee28cf4d0a503fe133a940143ffd31687a99d94e3f368ef41ab

Download Submit
memory/2692-186-0x0000000070680000-0x0000000070886000-memory.dmp

Filesize
2.0MB

Download
memory/2692-197-0x0000000000400000-0x0000000001EF9000-memory.dmp

Filesize
27.0MB

Download
memory/2692-187-0x0000000000400000-0x0000000001EF9000-memory.dmp

Filesize
27.0MB

Download
memory/2692-189-0x0000000000400000-0x0000000001EF9000-memory.dmp

Filesize
27.0MB

Download
memory/2692-191-0x0000000000400000-0x0000000001EF9000-memory.dmp

Filesize
27.0MB

Download
memory/2692-193-0x0000000000400000-0x0000000001EF9000-memory.dmp

Filesize
27.0MB

Download
memory/2692-195-0x0000000000400000-0x0000000001EF9000-memory.dmp

Filesize
27.0MB

Download
memory/2692-185-0x0000000000400000-0x0000000001EF9000-memory.dmp

Filesize
27.0MB

Download
memory/2692-199-0x0000000000400000-0x0000000001EF9000-memory.dmp

Filesize
27.0MB

Download
memory/2692-201-0x0000000000400000-0x0000000001EF9000-memory.dmp

Filesize
27.0MB

Download
memory/2692-203-0x0000000000400000-0x0000000001EF9000-memory.dmp

Filesize
27.0MB

Download
memory/2692-205-0x0000000000400000-0x0000000001EF9000-memory.dmp

Filesize
27.0MB

Download
memory/2692-207-0x0000000000400000-0x0000000001EF9000-memory.dmp

Filesize
27.0MB

Download
memory/2692-209-0x0000000000400000-0x0000000001EF9000-memory.dmp

Filesize
27.0MB

Download
memory/2692-211-0x0000000000400000-0x0000000001EF9000-memory.dmp

Filesize
27.0MB

Download