3c52b8d7e0ac20f51235836a1511f2306c412fb00e3d9d186a30bd536a92e454

General

Target

3c52b8d7e0ac20f51235836a1511f2306c412fb00e3d9d186a30bd536a92e454.exe
Size

15.7MB
MD5

a31877a7528103a17b99cd962f58d6c9
SHA1

a367a91e7fe2efa095d4f6c98ff9f9935bad64da
SHA256

3c52b8d7e0ac20f51235836a1511f2306c412fb00e3d9d186a30bd536a92e454
SHA512

9b7feb169371346c0db1dc51e692a295fff5a02b1f3e4d55afd52cb158d5e843957d6af2752475a2221f553d814b60ea06f6b7066d6428e2653b74386bdb2057
SSDEEP

393216:k3gAJ3m8cM6HmMbtd0R994bWS6ntwD0y3klXW8qYKLRs6:rAo8imMbtd0TpFqh0lXdqYKLRs

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	3c52b8d7e0ac20f51235836a1511f2306c412fb00e3d9d186a30bd536a92e454.exe

Executes dropped EXE 1 IoCs

pid	Process
3544	O5J6C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe
3544	O5J6C.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3544	O5J6C.exe
3544	O5J6C.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4792	3c52b8d7e0ac20f51235836a1511f2306c412fb00e3d9d186a30bd536a92e454.exe
4792	3c52b8d7e0ac20f51235836a1511f2306c412fb00e3d9d186a30bd536a92e454.exe
3544	O5J6C.exe
3544	O5J6C.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 3544	4792	3c52b8d7e0ac20f51235836a1511f2306c412fb00e3d9d186a30bd536a92e454.exe	82
PID 4792 wrote to memory of 3544	4792	3c52b8d7e0ac20f51235836a1511f2306c412fb00e3d9d186a30bd536a92e454.exe	82
PID 4792 wrote to memory of 3544	4792	3c52b8d7e0ac20f51235836a1511f2306c412fb00e3d9d186a30bd536a92e454.exe	82

C:\Users\Admin\AppData\Local\Temp\3c52b8d7e0ac20f51235836a1511f2306c412fb00e3d9d186a30bd536a92e454.exe
"C:\Users\Admin\AppData\Local\Temp\3c52b8d7e0ac20f51235836a1511f2306c412fb00e3d9d186a30bd536a92e454.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\AppData\Local\Temp\O5J6C.exe
  "C:\Users\Admin\AppData\Local\Temp\O5J6C.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\O5J6C.exe

Filesize
14.2MB

MD5
2f586f48655bfed95c0d200053aaa7be

SHA1
e664e0e3cc9c5d382811756106725931aed4943d

SHA256
4e261b6830a18b7f1dbd2b4dffadf5fd3b3bc9ef002f3f84fae368b567c13abd

SHA512
0b541bc1669537e166c4b8d2204ee2728ad3b3bd5275c748459344f0b3a2c423060af241cc9db7e603cacf27c0119650c7cf3384db063e1ca38498f5c988d43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\O5J6C.exe

Filesize
14.2MB

MD5
2f586f48655bfed95c0d200053aaa7be

SHA1
e664e0e3cc9c5d382811756106725931aed4943d

SHA256
4e261b6830a18b7f1dbd2b4dffadf5fd3b3bc9ef002f3f84fae368b567c13abd

SHA512
0b541bc1669537e166c4b8d2204ee2728ad3b3bd5275c748459344f0b3a2c423060af241cc9db7e603cacf27c0119650c7cf3384db063e1ca38498f5c988d43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\O5J6C.exe

Filesize
14.2MB

MD5
2f586f48655bfed95c0d200053aaa7be

SHA1
e664e0e3cc9c5d382811756106725931aed4943d

SHA256
4e261b6830a18b7f1dbd2b4dffadf5fd3b3bc9ef002f3f84fae368b567c13abd

SHA512
0b541bc1669537e166c4b8d2204ee2728ad3b3bd5275c748459344f0b3a2c423060af241cc9db7e603cacf27c0119650c7cf3384db063e1ca38498f5c988d43c

Download Submit
memory/3544-11-0x0000000001400000-0x0000000001401000-memory.dmp

Filesize
4KB

Download
memory/3544-13-0x0000000001440000-0x0000000001441000-memory.dmp

Filesize
4KB

Download
memory/3544-12-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/3544-14-0x0000000001450000-0x0000000001451000-memory.dmp

Filesize
4KB

Download
memory/3544-15-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/3544-10-0x0000000000400000-0x0000000001244000-memory.dmp

Filesize
14.3MB

Download
memory/3544-9-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/3544-16-0x0000000000400000-0x0000000001244000-memory.dmp

Filesize
14.3MB

Download
memory/3544-17-0x0000000000400000-0x0000000001244000-memory.dmp

Filesize
14.3MB

Download
memory/3544-19-0x0000000000400000-0x0000000001244000-memory.dmp

Filesize
14.3MB

Download
memory/3544-20-0x0000000000400000-0x0000000001244000-memory.dmp

Filesize
14.3MB

Download
memory/3544-21-0x0000000000400000-0x0000000001244000-memory.dmp

Filesize
14.3MB

Download
memory/3544-22-0x0000000000400000-0x0000000001244000-memory.dmp

Filesize
14.3MB

Download
memory/3544-23-0x0000000000400000-0x0000000001244000-memory.dmp

Filesize
14.3MB

Download
memory/3544-24-0x0000000000400000-0x0000000001244000-memory.dmp

Filesize
14.3MB

Download
memory/3544-25-0x0000000000400000-0x0000000001244000-memory.dmp

Filesize
14.3MB

Download
memory/3544-26-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/3544-27-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/3544-28-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/3544-29-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/3544-30-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/3544-31-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/3544-33-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/3544-32-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/3544-34-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/3544-35-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/3544-36-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/3544-37-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/3544-38-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/3544-39-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing