3ac16c7b82034ad11f034dd1edab2484577eac6e2991e65a2fd1299784687df2

General

Target

14eed63dd3f3814eb8640b7437dcea62.exe
Size

104KB
MD5

14eed63dd3f3814eb8640b7437dcea62
SHA1

a6e9ba8f069961a7b0f5dbdf35dea5c354eb6aa5
SHA256

3ac16c7b82034ad11f034dd1edab2484577eac6e2991e65a2fd1299784687df2
SHA512

6792834ced2429f62088487516a23f682f0851826b4fb4dec6044e8deeaeca08323e6ca35d04e618d50458f6bfbd5f27685e4b0cd7c6b608d19b0f42e919217f
SSDEEP

3072:Yp/uy6Ogx6bsBnKZ2kNVmJQuahzata9DP:Yp/MOgx6sBnSlmJQhhOt

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	14eed63dd3f3814eb8640b7437dcea62.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	14eed63dd3f3814eb8640b7437dcea62.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe

Executes dropped EXE 1 IoCs

pid	Process
428	Payload.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	14eed63dd3f3814eb8640b7437dcea62.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	428	Payload.exe
Token: 33	428	Payload.exe
Token: SeIncBasePriorityPrivilege	428	Payload.exe
Token: 33	428	Payload.exe
Token: SeIncBasePriorityPrivilege	428	Payload.exe
Token: 33	428	Payload.exe
Token: SeIncBasePriorityPrivilege	428	Payload.exe
Token: 33	428	Payload.exe
Token: SeIncBasePriorityPrivilege	428	Payload.exe
Token: 33	428	Payload.exe
Token: SeIncBasePriorityPrivilege	428	Payload.exe
Token: 33	428	Payload.exe
Token: SeIncBasePriorityPrivilege	428	Payload.exe
Token: 33	428	Payload.exe
Token: SeIncBasePriorityPrivilege	428	Payload.exe
Token: 33	428	Payload.exe
Token: SeIncBasePriorityPrivilege	428	Payload.exe
Token: 33	428	Payload.exe
Token: SeIncBasePriorityPrivilege	428	Payload.exe
Token: 33	428	Payload.exe
Token: SeIncBasePriorityPrivilege	428	Payload.exe
Token: 33	428	Payload.exe
Token: SeIncBasePriorityPrivilege	428	Payload.exe
Token: 33	428	Payload.exe
Token: SeIncBasePriorityPrivilege	428	Payload.exe
Token: 33	428	Payload.exe
Token: SeIncBasePriorityPrivilege	428	Payload.exe
Token: 33	428	Payload.exe
Token: SeIncBasePriorityPrivilege	428	Payload.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 428	2920	14eed63dd3f3814eb8640b7437dcea62.exe	96
PID 2920 wrote to memory of 428	2920	14eed63dd3f3814eb8640b7437dcea62.exe	96
PID 2920 wrote to memory of 428	2920	14eed63dd3f3814eb8640b7437dcea62.exe	96
PID 2920 wrote to memory of 4184	2920	14eed63dd3f3814eb8640b7437dcea62.exe	97
PID 2920 wrote to memory of 4184	2920	14eed63dd3f3814eb8640b7437dcea62.exe	97
PID 2920 wrote to memory of 4184	2920	14eed63dd3f3814eb8640b7437dcea62.exe	97

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4184	attrib.exe

C:\Users\Admin\AppData\Local\Temp\14eed63dd3f3814eb8640b7437dcea62.exe
"C:\Users\Admin\AppData\Local\Temp\14eed63dd3f3814eb8640b7437dcea62.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Views/modifies file attributes
  PID:4184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
104KB

MD5
14eed63dd3f3814eb8640b7437dcea62

SHA1
a6e9ba8f069961a7b0f5dbdf35dea5c354eb6aa5

SHA256
3ac16c7b82034ad11f034dd1edab2484577eac6e2991e65a2fd1299784687df2

SHA512
6792834ced2429f62088487516a23f682f0851826b4fb4dec6044e8deeaeca08323e6ca35d04e618d50458f6bfbd5f27685e4b0cd7c6b608d19b0f42e919217f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
104KB

MD5
14eed63dd3f3814eb8640b7437dcea62

SHA1
a6e9ba8f069961a7b0f5dbdf35dea5c354eb6aa5

SHA256
3ac16c7b82034ad11f034dd1edab2484577eac6e2991e65a2fd1299784687df2

SHA512
6792834ced2429f62088487516a23f682f0851826b4fb4dec6044e8deeaeca08323e6ca35d04e618d50458f6bfbd5f27685e4b0cd7c6b608d19b0f42e919217f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
104KB

MD5
14eed63dd3f3814eb8640b7437dcea62

SHA1
a6e9ba8f069961a7b0f5dbdf35dea5c354eb6aa5

SHA256
3ac16c7b82034ad11f034dd1edab2484577eac6e2991e65a2fd1299784687df2

SHA512
6792834ced2429f62088487516a23f682f0851826b4fb4dec6044e8deeaeca08323e6ca35d04e618d50458f6bfbd5f27685e4b0cd7c6b608d19b0f42e919217f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
ba26fc27031a43b150d87c22d831460c

SHA1
7e78250b2ebb2e0ff7117dad03c26c511a3b8d44

SHA256
d20f342693260bcb51aeabf7cd5c4994e0ebf88847ca83b36a2ef191447fa5d8

SHA512
038d7e25dcfa917dfc580b1a07995e4ad3a6eed75ff6cd5d7d8bae97760e69aad39bf0522f6f5b30b022c9c86d8df1ef7257939e092edd02adf6f077c3142fd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
0ebe6330bc59fdcfa221283ee4139717

SHA1
e391997341a119bccce5092160ece3cca6b03aea

SHA256
a31bddc9d3df1506d154ddd6e1608a5b7cb9f8eb64c84c0140bc19a75d273d04

SHA512
5908d2ee1d6e204245334abf0c9aedbbccc25feccf5a38c8355e960d36fd24c8815fa18abc2cd5eccf0e3cbc664253b23993780a967a9d72c433775bad98ab38

Download Submit
memory/428-156-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/428-157-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/428-159-0x0000000006110000-0x00000000061A2000-memory.dmp

Filesize
584KB

Download
memory/428-160-0x00000000060E0000-0x00000000060EA000-memory.dmp

Filesize
40KB

Download
memory/2920-139-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/2920-138-0x0000000005CE0000-0x0000000006284000-memory.dmp

Filesize
5.6MB

Download
memory/2920-137-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/2920-134-0x0000000004ED0000-0x0000000004F6C000-memory.dmp

Filesize
624KB

Download
memory/2920-133-0x00000000004C0000-0x00000000004E2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads