34e5043867e982258aaa56f59d5f35abc7b53ca1293853465ca7974758ffbfe9

General

Target

PAYMENT COPY.exe
Size

517KB
MD5

07777ab79429d89e895fec96ff50b278
SHA1

5213f0cd557ba8f2ccb393ae2d97ca8d277195db
SHA256

4a63fd45dcc97cf19892173f6101ff932109f8e3c382db28ea077c63a65f203d
SHA512

dfa96457b683593147909eb03377fa9354a793243dc2facd82f19cd479f9ef57bdf644c0988ee8a169bba8591ad5daffeb3ff517c811285179765ba3eed6199a
SSDEEP

12288:WYePZVDtcv1rthwf4qxe4ChulTtvEHjTB2ZeauKH:WY0ZVZwSxPChSVEHZ5au8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Control Panel\International\Geo\Nation	rojadledpv.exe

Executes dropped EXE 2 IoCs

pid	Process
624	rojadledpv.exe
2088	rojadledpv.exe

Loads dropped DLL 2 IoCs

pid	Process
2532	PAYMENT COPY.exe
624	rojadledpv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 624 set thread context of 2088	624	rojadledpv.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe
2088	rojadledpv.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
624	rojadledpv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	rojadledpv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 624	2532	PAYMENT COPY.exe	28
PID 2532 wrote to memory of 624	2532	PAYMENT COPY.exe	28
PID 2532 wrote to memory of 624	2532	PAYMENT COPY.exe	28
PID 2532 wrote to memory of 624	2532	PAYMENT COPY.exe	28
PID 624 wrote to memory of 2088	624	rojadledpv.exe	29
PID 624 wrote to memory of 2088	624	rojadledpv.exe	29
PID 624 wrote to memory of 2088	624	rojadledpv.exe	29
PID 624 wrote to memory of 2088	624	rojadledpv.exe	29
PID 624 wrote to memory of 2088	624	rojadledpv.exe	29

C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\rojadledpv.exe
  "C:\Users\Admin\AppData\Local\Temp\rojadledpv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Users\Admin\AppData\Local\Temp\rojadledpv.exe
    "C:\Users\Admin\AppData\Local\Temp\rojadledpv.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rkwvmjapgl.el

Filesize
220KB

MD5
6716e8f9d36a91096ed45332842d1707

SHA1
19b4bb0e18148713be481ec3c83bfa429231228a

SHA256
736f87ffc730e21071bb6806747cbba2d939190b4437b3639c00610f6cb88fb9

SHA512
df70612e1c4cb98f0d3db5cd40457cd6ad4e94554d504bda1d8da3960ad9ae042731dd20441fec69780b142d93fe2a6f3f766d1cc939fff04c7ec9a632b9fc85

Download Submit
C:\Users\Admin\AppData\Local\Temp\rojadledpv.exe

Filesize
181KB

MD5
101b890591f29885e061a03c198c6a5b

SHA1
b137ea84a338ebb1c66ee5bf8c43f93c98358d47

SHA256
1d2bbd30dc122cca8e22dd97f5796f97eb96ec4d1299a15e07139151e7be95ee

SHA512
cc98cf85d5ab35ccbe3de7a78b7ed2a9d4f56f479b66bd5ef1d9243fef7282390537357fd36511ec50932f176a2ce9f41ec7dd465ef47a07b11b9de00345dc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rojadledpv.exe

Filesize
181KB

MD5
101b890591f29885e061a03c198c6a5b

SHA1
b137ea84a338ebb1c66ee5bf8c43f93c98358d47

SHA256
1d2bbd30dc122cca8e22dd97f5796f97eb96ec4d1299a15e07139151e7be95ee

SHA512
cc98cf85d5ab35ccbe3de7a78b7ed2a9d4f56f479b66bd5ef1d9243fef7282390537357fd36511ec50932f176a2ce9f41ec7dd465ef47a07b11b9de00345dc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rojadledpv.exe

Filesize
181KB

MD5
101b890591f29885e061a03c198c6a5b

SHA1
b137ea84a338ebb1c66ee5bf8c43f93c98358d47

SHA256
1d2bbd30dc122cca8e22dd97f5796f97eb96ec4d1299a15e07139151e7be95ee

SHA512
cc98cf85d5ab35ccbe3de7a78b7ed2a9d4f56f479b66bd5ef1d9243fef7282390537357fd36511ec50932f176a2ce9f41ec7dd465ef47a07b11b9de00345dc8b

Download Submit
\Users\Admin\AppData\Local\Temp\rojadledpv.exe

Filesize
181KB

MD5
101b890591f29885e061a03c198c6a5b

SHA1
b137ea84a338ebb1c66ee5bf8c43f93c98358d47

SHA256
1d2bbd30dc122cca8e22dd97f5796f97eb96ec4d1299a15e07139151e7be95ee

SHA512
cc98cf85d5ab35ccbe3de7a78b7ed2a9d4f56f479b66bd5ef1d9243fef7282390537357fd36511ec50932f176a2ce9f41ec7dd465ef47a07b11b9de00345dc8b

Download Submit
\Users\Admin\AppData\Local\Temp\rojadledpv.exe

Filesize
181KB

MD5
101b890591f29885e061a03c198c6a5b

SHA1
b137ea84a338ebb1c66ee5bf8c43f93c98358d47

SHA256
1d2bbd30dc122cca8e22dd97f5796f97eb96ec4d1299a15e07139151e7be95ee

SHA512
cc98cf85d5ab35ccbe3de7a78b7ed2a9d4f56f479b66bd5ef1d9243fef7282390537357fd36511ec50932f176a2ce9f41ec7dd465ef47a07b11b9de00345dc8b

Download Submit
memory/624-6-0x00000000002D0000-0x00000000002D2000-memory.dmp

Filesize
8KB

Download
memory/2088-10-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2088-13-0x0000000000740000-0x0000000000A43000-memory.dmp

Filesize
3.0MB

Download
memory/2088-14-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing