c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182

Analysis

max time kernel
143s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06-07-2023 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182.exe
Size

1.1MB
MD5

83804c210ecdae26f284783ae9ed4cd0
SHA1

6f2d34c95b6d4313074ff8111ebbe27ab76fdb70
SHA256

c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182
SHA512

163f981bdd618ce00f85dd00aa31e04ce972f9004a1e26f65251fb044c4e371b34f4c6dc3de904e0c2e69e3b01b9916923fb904ab29e625476b65f83aaad0f0a
SSDEEP

24576:wTbBv5rUk0FHSdWGawARX8l45tHwoD9sfBnX7SWXMdAfRd//PA:iB3aydWZRX8l45tHwoDaRXPMUlA

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Control Panel\International\Geo\Nation	RegSvcs.exe

Executes dropped EXE 3 IoCs

pid	Process
2600	rehir.bmp
3060	RegSvcs.exe
2516	RegSvcs.exe

Loads dropped DLL 4 IoCs

pid	Process
2704	cmd.exe
2704	cmd.exe
2600	rehir.bmp
2600	rehir.bmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	rehir.bmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "0\\uabt\\rehir.bmp 0\\uabt\\fgbd.xml"	rehir.bmp

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2600 set thread context of 3060	2600	rehir.bmp	39
PID 2600 set thread context of 2516	2600	rehir.bmp	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2940	ipconfig.exe
2708	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3060	RegSvcs.exe
3060	RegSvcs.exe
3060	RegSvcs.exe
2516	RegSvcs.exe
2516	RegSvcs.exe
2516	RegSvcs.exe
3060	RegSvcs.exe
3060	RegSvcs.exe
2516	RegSvcs.exe
2516	RegSvcs.exe
3060	RegSvcs.exe
3060	RegSvcs.exe
2516	RegSvcs.exe
2516	RegSvcs.exe
3060	RegSvcs.exe
3060	RegSvcs.exe
2516	RegSvcs.exe
2516	RegSvcs.exe
3060	RegSvcs.exe
3060	RegSvcs.exe
2516	RegSvcs.exe
2516	RegSvcs.exe
3060	RegSvcs.exe
3060	RegSvcs.exe
2516	RegSvcs.exe
2516	RegSvcs.exe
3060	RegSvcs.exe
3060	RegSvcs.exe
2516	RegSvcs.exe
2516	RegSvcs.exe
3060	RegSvcs.exe
3060	RegSvcs.exe
2516	RegSvcs.exe
2516	RegSvcs.exe
3060	RegSvcs.exe
3060	RegSvcs.exe
2516	RegSvcs.exe
2516	RegSvcs.exe
3060	RegSvcs.exe
3060	RegSvcs.exe
2516	RegSvcs.exe
2516	RegSvcs.exe
3060	RegSvcs.exe
3060	RegSvcs.exe
2516	RegSvcs.exe
2516	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	RegSvcs.exe
Token: SeDebugPrivilege	2516	RegSvcs.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2656	2188	c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182.exe	28
PID 2188 wrote to memory of 2656	2188	c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182.exe	28
PID 2188 wrote to memory of 2656	2188	c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182.exe	28
PID 2188 wrote to memory of 2656	2188	c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182.exe	28
PID 2656 wrote to memory of 2544	2656	wscript.exe	29
PID 2656 wrote to memory of 2544	2656	wscript.exe	29
PID 2656 wrote to memory of 2544	2656	wscript.exe	29
PID 2656 wrote to memory of 2544	2656	wscript.exe	29
PID 2656 wrote to memory of 2704	2656	wscript.exe	31
PID 2656 wrote to memory of 2704	2656	wscript.exe	31
PID 2656 wrote to memory of 2704	2656	wscript.exe	31
PID 2656 wrote to memory of 2704	2656	wscript.exe	31
PID 2544 wrote to memory of 2940	2544	cmd.exe	33
PID 2544 wrote to memory of 2940	2544	cmd.exe	33
PID 2544 wrote to memory of 2940	2544	cmd.exe	33
PID 2544 wrote to memory of 2940	2544	cmd.exe	33
PID 2704 wrote to memory of 2600	2704	cmd.exe	34
PID 2704 wrote to memory of 2600	2704	cmd.exe	34
PID 2704 wrote to memory of 2600	2704	cmd.exe	34
PID 2704 wrote to memory of 2600	2704	cmd.exe	34
PID 2656 wrote to memory of 2576	2656	wscript.exe	35
PID 2656 wrote to memory of 2576	2656	wscript.exe	35
PID 2656 wrote to memory of 2576	2656	wscript.exe	35
PID 2656 wrote to memory of 2576	2656	wscript.exe	35
PID 2576 wrote to memory of 2708	2576	cmd.exe	37
PID 2576 wrote to memory of 2708	2576	cmd.exe	37
PID 2576 wrote to memory of 2708	2576	cmd.exe	37
PID 2576 wrote to memory of 2708	2576	cmd.exe	37
PID 2600 wrote to memory of 2516	2600	rehir.bmp	38
PID 2600 wrote to memory of 2516	2600	rehir.bmp	38
PID 2600 wrote to memory of 2516	2600	rehir.bmp	38
PID 2600 wrote to memory of 2516	2600	rehir.bmp	38
PID 2600 wrote to memory of 2516	2600	rehir.bmp	38
PID 2600 wrote to memory of 2516	2600	rehir.bmp	38
PID 2600 wrote to memory of 2516	2600	rehir.bmp	38
PID 2600 wrote to memory of 3060	2600	rehir.bmp	39
PID 2600 wrote to memory of 3060	2600	rehir.bmp	39
PID 2600 wrote to memory of 3060	2600	rehir.bmp	39
PID 2600 wrote to memory of 3060	2600	rehir.bmp	39
PID 2600 wrote to memory of 3060	2600	rehir.bmp	39
PID 2600 wrote to memory of 3060	2600	rehir.bmp	39
PID 2600 wrote to memory of 3060	2600	rehir.bmp	39
PID 2600 wrote to memory of 3060	2600	rehir.bmp	39
PID 2600 wrote to memory of 3060	2600	rehir.bmp	39
PID 2600 wrote to memory of 3060	2600	rehir.bmp	39
PID 2600 wrote to memory of 2516	2600	rehir.bmp	38
PID 2600 wrote to memory of 2516	2600	rehir.bmp	38

C:\Users\Admin\AppData\Local\Temp\c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182.exe
"C:\Users\Admin\AppData\Local\Temp\c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" cjn.vbe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c rehir.bmp fgbd.xml
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rehir.bmp
      rehir.bmp fgbd.xml
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:2708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\HMCIMV~1.NME

Filesize
365KB

MD5
818a00c426a585e001d6419bb89ec5be

SHA1
5b5eee5176671b94d89fbdcf27d15e94cba57384

SHA256
3b18e4ba7c2940ad5d2823fd3018ecffde16f90ba42adfe15f88f049981d43c4

SHA512
47a4bd661345eb27dfe186d6d63b464bd7ae7fafb83c45762196a5e8780171d6495436d6115437d7a399502c320226c44eee5d4391cf075c5ef45896b69d6cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cjn.vbe

Filesize
32KB

MD5
117a1a3967552259fb9d8a74bda44aa1

SHA1
ea3302d955d62d293012d0878c3bc72bfcafd1f2

SHA256
0d14bc164111e7e33c68219a5363296331d21df5d72be18fcd02687c5a535004

SHA512
dba9ef77d86e54df3e8555f4f18292386d0a306e7ceab0c64271107115a0be35d6827aed813a4b2a5c4a125cf70974444967d01816b15daff083ecc9ba76463c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dkcjnkkkv.pdf

Filesize
40KB

MD5
c0885afd0acfe90b243ce6ffb39c5e1f

SHA1
70a78552df1e677b1b8b40707d24cced5dc2507d

SHA256
5f4adf4f563a94ebed12afcc47583b0f8fac74b096e184b3eadc8a6f29e907b7

SHA512
e296efb8eeafce6a6dda44a309c535e5a5747ac7755643284ae30dd02cf5a24aa7c1f072c6791480b243f38822f611bf10ca66baa6bd27b2f32ffaaea256329c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fgbd.xml

Filesize
99.8MB

MD5
4363a4964923969173f474bbc64d1d36

SHA1
a689fadd583b2b768cf0de495db3003396f32791

SHA256
d8f5866180aee6bee958ec2c600a174c78929438271e7a1065a1a351fc724165

SHA512
04fe8985dd4a3b9d6c368b8dc5a921a53954d357038f4b7b66e62dd4d00885a2c6eb9905a1155c9724b99b08aea0352684179c4d85b1a904dcb29920dae7f37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rehir.bmp

Filesize
904KB

MD5
70c3c7ddd6e67d2cef1c6bd67aac07ff

SHA1
b44d39719c9fcc4042f3975592e0a90ff9041b21

SHA256
b36028b56aa20a01e91a18f485895759cb1bf2c0e19af029c90bc3ec7fd25ea4

SHA512
e3b977d251ab54d97d41c198e26798150b4e35fe2744b3949da9b2c151ed29dc6d1883f441cb9fe6be9369420bcca16e1aefdc1b4fce4860630a4b8a51e520c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rehir.bmp

Filesize
904KB

MD5
70c3c7ddd6e67d2cef1c6bd67aac07ff

SHA1
b44d39719c9fcc4042f3975592e0a90ff9041b21

SHA256
b36028b56aa20a01e91a18f485895759cb1bf2c0e19af029c90bc3ec7fd25ea4

SHA512
e3b977d251ab54d97d41c198e26798150b4e35fe2744b3949da9b2c151ed29dc6d1883f441cb9fe6be9369420bcca16e1aefdc1b4fce4860630a4b8a51e520c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rehir.bmp

Filesize
904KB

MD5
70c3c7ddd6e67d2cef1c6bd67aac07ff

SHA1
b44d39719c9fcc4042f3975592e0a90ff9041b21

SHA256
b36028b56aa20a01e91a18f485895759cb1bf2c0e19af029c90bc3ec7fd25ea4

SHA512
e3b977d251ab54d97d41c198e26798150b4e35fe2744b3949da9b2c151ed29dc6d1883f441cb9fe6be9369420bcca16e1aefdc1b4fce4860630a4b8a51e520c9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rehir.bmp

Filesize
904KB

MD5
70c3c7ddd6e67d2cef1c6bd67aac07ff

SHA1
b44d39719c9fcc4042f3975592e0a90ff9041b21

SHA256
b36028b56aa20a01e91a18f485895759cb1bf2c0e19af029c90bc3ec7fd25ea4

SHA512
e3b977d251ab54d97d41c198e26798150b4e35fe2744b3949da9b2c151ed29dc6d1883f441cb9fe6be9369420bcca16e1aefdc1b4fce4860630a4b8a51e520c9

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/2516-195-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/2516-192-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/2516-197-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/2516-199-0x0000000000F60000-0x0000000001263000-memory.dmp

Filesize
3.0MB

Download
memory/3060-190-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-189-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3060-194-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-198-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/3060-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download