c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182

Analysis

max time kernel
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182.exe
Size

1.1MB
MD5

83804c210ecdae26f284783ae9ed4cd0
SHA1

6f2d34c95b6d4313074ff8111ebbe27ab76fdb70
SHA256

c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182
SHA512

163f981bdd618ce00f85dd00aa31e04ce972f9004a1e26f65251fb044c4e371b34f4c6dc3de904e0c2e69e3b01b9916923fb904ab29e625476b65f83aaad0f0a
SSDEEP

24576:wTbBv5rUk0FHSdWGawARX8l45tHwoD9sfBnX7SWXMdAfRd//PA:iB3aydWZRX8l45tHwoDaRXPMUlA

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	RegSvcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	RegSvcs.exe

Executes dropped EXE 3 IoCs

pid	Process
1880	rehir.bmp
824	RegSvcs.exe
992	RegSvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rehir.bmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "0\\uabt\\rehir.bmp 0\\uabt\\fgbd.xml"	rehir.bmp

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1880 set thread context of 824	1880	rehir.bmp	91
PID 1880 set thread context of 992	1880	rehir.bmp	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2652	ipconfig.exe
1516	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
824	RegSvcs.exe
824	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	RegSvcs.exe
Token: SeDebugPrivilege	992	RegSvcs.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 4664	4164	c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182.exe	80
PID 4164 wrote to memory of 4664	4164	c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182.exe	80
PID 4164 wrote to memory of 4664	4164	c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182.exe	80
PID 4664 wrote to memory of 4288	4664	wscript.exe	81
PID 4664 wrote to memory of 4288	4664	wscript.exe	81
PID 4664 wrote to memory of 4288	4664	wscript.exe	81
PID 4664 wrote to memory of 1636	4664	wscript.exe	83
PID 4664 wrote to memory of 1636	4664	wscript.exe	83
PID 4664 wrote to memory of 1636	4664	wscript.exe	83
PID 4288 wrote to memory of 2652	4288	cmd.exe	85
PID 4288 wrote to memory of 2652	4288	cmd.exe	85
PID 4288 wrote to memory of 2652	4288	cmd.exe	85
PID 1636 wrote to memory of 1880	1636	cmd.exe	86
PID 1636 wrote to memory of 1880	1636	cmd.exe	86
PID 1636 wrote to memory of 1880	1636	cmd.exe	86
PID 4664 wrote to memory of 568	4664	wscript.exe	87
PID 4664 wrote to memory of 568	4664	wscript.exe	87
PID 4664 wrote to memory of 568	4664	wscript.exe	87
PID 568 wrote to memory of 1516	568	cmd.exe	89
PID 568 wrote to memory of 1516	568	cmd.exe	89
PID 568 wrote to memory of 1516	568	cmd.exe	89
PID 1880 wrote to memory of 992	1880	rehir.bmp	90
PID 1880 wrote to memory of 992	1880	rehir.bmp	90
PID 1880 wrote to memory of 992	1880	rehir.bmp	90
PID 1880 wrote to memory of 824	1880	rehir.bmp	91
PID 1880 wrote to memory of 824	1880	rehir.bmp	91
PID 1880 wrote to memory of 824	1880	rehir.bmp	91
PID 1880 wrote to memory of 824	1880	rehir.bmp	91
PID 1880 wrote to memory of 824	1880	rehir.bmp	91
PID 1880 wrote to memory of 824	1880	rehir.bmp	91
PID 1880 wrote to memory of 992	1880	rehir.bmp	90
PID 1880 wrote to memory of 992	1880	rehir.bmp	90

C:\Users\Admin\AppData\Local\Temp\c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182.exe
"C:\Users\Admin\AppData\Local\Temp\c48c1d65bf3e58d5dc4b9876db6da4d90e93ca74b4b51cd35c7b7400d691c182.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" cjn.vbe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c rehir.bmp fgbd.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rehir.bmp
      rehir.bmp fgbd.xml
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1880
    - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
    - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\HMCIMV~1.NME

Filesize
365KB

MD5
818a00c426a585e001d6419bb89ec5be

SHA1
5b5eee5176671b94d89fbdcf27d15e94cba57384

SHA256
3b18e4ba7c2940ad5d2823fd3018ecffde16f90ba42adfe15f88f049981d43c4

SHA512
47a4bd661345eb27dfe186d6d63b464bd7ae7fafb83c45762196a5e8780171d6495436d6115437d7a399502c320226c44eee5d4391cf075c5ef45896b69d6cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cjn.vbe

Filesize
32KB

MD5
117a1a3967552259fb9d8a74bda44aa1

SHA1
ea3302d955d62d293012d0878c3bc72bfcafd1f2

SHA256
0d14bc164111e7e33c68219a5363296331d21df5d72be18fcd02687c5a535004

SHA512
dba9ef77d86e54df3e8555f4f18292386d0a306e7ceab0c64271107115a0be35d6827aed813a4b2a5c4a125cf70974444967d01816b15daff083ecc9ba76463c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dkcjnkkkv.pdf

Filesize
40KB

MD5
c0885afd0acfe90b243ce6ffb39c5e1f

SHA1
70a78552df1e677b1b8b40707d24cced5dc2507d

SHA256
5f4adf4f563a94ebed12afcc47583b0f8fac74b096e184b3eadc8a6f29e907b7

SHA512
e296efb8eeafce6a6dda44a309c535e5a5747ac7755643284ae30dd02cf5a24aa7c1f072c6791480b243f38822f611bf10ca66baa6bd27b2f32ffaaea256329c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fgbd.xml

Filesize
99.8MB

MD5
4363a4964923969173f474bbc64d1d36

SHA1
a689fadd583b2b768cf0de495db3003396f32791

SHA256
d8f5866180aee6bee958ec2c600a174c78929438271e7a1065a1a351fc724165

SHA512
04fe8985dd4a3b9d6c368b8dc5a921a53954d357038f4b7b66e62dd4d00885a2c6eb9905a1155c9724b99b08aea0352684179c4d85b1a904dcb29920dae7f37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rehir.bmp

Filesize
904KB

MD5
70c3c7ddd6e67d2cef1c6bd67aac07ff

SHA1
b44d39719c9fcc4042f3975592e0a90ff9041b21

SHA256
b36028b56aa20a01e91a18f485895759cb1bf2c0e19af029c90bc3ec7fd25ea4

SHA512
e3b977d251ab54d97d41c198e26798150b4e35fe2744b3949da9b2c151ed29dc6d1883f441cb9fe6be9369420bcca16e1aefdc1b4fce4860630a4b8a51e520c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rehir.bmp

Filesize
904KB

MD5
70c3c7ddd6e67d2cef1c6bd67aac07ff

SHA1
b44d39719c9fcc4042f3975592e0a90ff9041b21

SHA256
b36028b56aa20a01e91a18f485895759cb1bf2c0e19af029c90bc3ec7fd25ea4

SHA512
e3b977d251ab54d97d41c198e26798150b4e35fe2744b3949da9b2c151ed29dc6d1883f441cb9fe6be9369420bcca16e1aefdc1b4fce4860630a4b8a51e520c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
memory/824-267-0x0000000001780000-0x0000000001ACA000-memory.dmp

Filesize
3.3MB

Download
memory/824-265-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/824-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/824-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/992-263-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/992-266-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download
memory/992-268-0x00000000019B0000-0x0000000001CFA000-memory.dmp

Filesize
3.3MB

Download
memory/992-270-0x0000000000400000-0x0000000000ACD000-memory.dmp

Filesize
6.8MB

Download