3bd221e945c0da67960f21c8bec0d678ff84f10dcf3b5866ed57a1ced810cbd9

General

Target

10e82b6ad59c2ab5f97f96e60.exe
Size

2.2MB
MD5

10e82b6ad59c2ab5f97f96e6060bb12e
SHA1

9491bd29357513c63d703ac9d99dcf25251d7cd7
SHA256

3bd221e945c0da67960f21c8bec0d678ff84f10dcf3b5866ed57a1ced810cbd9
SHA512

382fcf2a97391d739d1543ded334f48a2e1f32471649a1837aa7a6902b6126fbd40178371681bbfdf7d1f6b46af10ec91f96cb6a9ed598e87617dd9574a64d8f
SSDEEP

49152:vBuZrEUiWqJZU2zF35Me89k6YQoWH6hBJLJZ2iZ3vxm3c7ldhA:ZkLiWqJZU4F3XEYVbXvm3chA

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	10e82b6ad59c2ab5f97f96e60.tmp

Executes dropped EXE 2 IoCs

pid	Process
4304	10e82b6ad59c2ab5f97f96e60.tmp
100	Output2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3148	100	WerFault.exe	87

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	10e82b6ad59c2ab5f97f96e60.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4304	10e82b6ad59c2ab5f97f96e60.tmp
4304	10e82b6ad59c2ab5f97f96e60.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4304	10e82b6ad59c2ab5f97f96e60.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 4304	5056	10e82b6ad59c2ab5f97f96e60.exe	85
PID 5056 wrote to memory of 4304	5056	10e82b6ad59c2ab5f97f96e60.exe	85
PID 5056 wrote to memory of 4304	5056	10e82b6ad59c2ab5f97f96e60.exe	85
PID 4304 wrote to memory of 4316	4304	10e82b6ad59c2ab5f97f96e60.tmp	86
PID 4304 wrote to memory of 4316	4304	10e82b6ad59c2ab5f97f96e60.tmp	86
PID 4304 wrote to memory of 4316	4304	10e82b6ad59c2ab5f97f96e60.tmp	86
PID 4304 wrote to memory of 100	4304	10e82b6ad59c2ab5f97f96e60.tmp	87
PID 4304 wrote to memory of 100	4304	10e82b6ad59c2ab5f97f96e60.tmp	87
PID 4304 wrote to memory of 100	4304	10e82b6ad59c2ab5f97f96e60.tmp	87

C:\Users\Admin\AppData\Local\Temp\10e82b6ad59c2ab5f97f96e60.exe
"C:\Users\Admin\AppData\Local\Temp\10e82b6ad59c2ab5f97f96e60.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\is-RPKHD.tmp\10e82b6ad59c2ab5f97f96e60.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RPKHD.tmp\10e82b6ad59c2ab5f97f96e60.tmp" /SL5="$901E2,1396243,844288,C:\Users\Admin\AppData\Local\Temp\10e82b6ad59c2ab5f97f96e60.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\system\Noda.vbs"
    3⤵
    PID:4316
- - C:\Users\Admin\AppData\Roaming\system\Output2.exe
    "C:\Users\Admin\AppData\Roaming\system\Output2.exe"
    3⤵
    - Executes dropped EXE
    PID:100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 528
      4⤵
      Program crash
      PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 100 -ip 100
1⤵
PID:3416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-RPKHD.tmp\10e82b6ad59c2ab5f97f96e60.tmp

Filesize
3.0MB

MD5
b1207c842ab6b5390891938206817e0c

SHA1
547bd5dbd6f53c2ac4c8bf03429f94c862fdf44d

SHA256
99d0b2ad783e314ffdcc076d82d94a8089908f75269213e0843431493f683c2c

SHA512
a15db64395ea2750714969c0f0b226c3bf1a469335ca42180d8129b8965bd0991e63fd84d26d0d2ce60078dd04b521896ef3bc9471cadc268a0a88938cd1641d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RPKHD.tmp\10e82b6ad59c2ab5f97f96e60.tmp

Filesize
3.0MB

MD5
b1207c842ab6b5390891938206817e0c

SHA1
547bd5dbd6f53c2ac4c8bf03429f94c862fdf44d

SHA256
99d0b2ad783e314ffdcc076d82d94a8089908f75269213e0843431493f683c2c

SHA512
a15db64395ea2750714969c0f0b226c3bf1a469335ca42180d8129b8965bd0991e63fd84d26d0d2ce60078dd04b521896ef3bc9471cadc268a0a88938cd1641d

Download Submit
C:\Users\Admin\AppData\Roaming\system\Noda.vbs

Filesize
213B

MD5
6d80bce38c8b0406bf1a519ffd612409

SHA1
905f273dd6dafa1464320ca573fde71af63ea111

SHA256
15c12c22b9745264f4c153b77ff16842684d1d2f982995acf77911e62d45d71c

SHA512
f6ea41b1105d1cbcebd26e681062b21b8a2445879a0cb0b6736b59625a1efe9b4bf75ee1eb94373a313753edc08805bfd05de1adaa8a986e867b90f06ab4ad6c

Download Submit
C:\Users\Admin\AppData\Roaming\system\Output2.exe

Filesize
1.2MB

MD5
66bc6cee7921f7f9990460ff646ac8ea

SHA1
de7c05abb8c403dc5744eb54038f3ffb61808366

SHA256
e970d831fb13bf2ba24bf0e1767457f757ed29e1da89ec13d0a759e2f82ec0c7

SHA512
a4f4049e31629e0347e1f436ebb8789cf0aa64374aafc451166197ae8fa6ca2effc5a311cb2311e2b32bf45e672d3ca7bb103b10000466a0b31109e457f4d70e

Download Submit
C:\Users\Admin\AppData\Roaming\system\Output2.exe

Filesize
1.2MB

MD5
66bc6cee7921f7f9990460ff646ac8ea

SHA1
de7c05abb8c403dc5744eb54038f3ffb61808366

SHA256
e970d831fb13bf2ba24bf0e1767457f757ed29e1da89ec13d0a759e2f82ec0c7

SHA512
a4f4049e31629e0347e1f436ebb8789cf0aa64374aafc451166197ae8fa6ca2effc5a311cb2311e2b32bf45e672d3ca7bb103b10000466a0b31109e457f4d70e

Download Submit
C:\Users\Admin\AppData\Roaming\system\Output2.exe

Filesize
1.2MB

MD5
66bc6cee7921f7f9990460ff646ac8ea

SHA1
de7c05abb8c403dc5744eb54038f3ffb61808366

SHA256
e970d831fb13bf2ba24bf0e1767457f757ed29e1da89ec13d0a759e2f82ec0c7

SHA512
a4f4049e31629e0347e1f436ebb8789cf0aa64374aafc451166197ae8fa6ca2effc5a311cb2311e2b32bf45e672d3ca7bb103b10000466a0b31109e457f4d70e

Download Submit
memory/100-162-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/100-163-0x0000000002A30000-0x0000000002E63000-memory.dmp

Filesize
4.2MB

Download
memory/4304-138-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/4304-159-0x0000000000400000-0x0000000000717000-memory.dmp

Filesize
3.1MB

Download
memory/5056-133-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/5056-160-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing