e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8

General

Target

ABDETYBF.exe
Size

783KB
MD5

dd32fbe95047642376227127eaffe815
SHA1

8d2c3539b0307816c4e0d447cb5b577cb6e15c07
SHA256

e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8
SHA512

97645a91ca1219a221ef60083adbbc07f4706030f5bc0669965fa3e53881c3422ae2aac0eb14d0dce7470ff7f06e2987d33bc7f1ee03aae93b34fa3ff81cdd49
SSDEEP

24576:yNA3R5drXP0lV4LIqzSVq1r+w/URexTF2+:L5OZzAr+0UExB1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Control Panel\International\Geo\Nation	ABDETYBF.exe

Executes dropped EXE 3 IoCs

pid	Process
1532	AhmetOdem.exe
3452	Ahmetoiuv.exe
1552	Ahmetoiuv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3452 set thread context of 1552	3452	Ahmetoiuv.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1136	1552	WerFault.exe	86

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3452	Ahmetoiuv.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 1532	3672	ABDETYBF.exe	83
PID 3672 wrote to memory of 1532	3672	ABDETYBF.exe	83
PID 3672 wrote to memory of 1532	3672	ABDETYBF.exe	83
PID 3672 wrote to memory of 3452	3672	ABDETYBF.exe	85
PID 3672 wrote to memory of 3452	3672	ABDETYBF.exe	85
PID 3672 wrote to memory of 3452	3672	ABDETYBF.exe	85
PID 3452 wrote to memory of 1552	3452	Ahmetoiuv.exe	86
PID 3452 wrote to memory of 1552	3452	Ahmetoiuv.exe	86
PID 3452 wrote to memory of 1552	3452	Ahmetoiuv.exe	86
PID 3452 wrote to memory of 1552	3452	Ahmetoiuv.exe	86
PID 3452 wrote to memory of 1552	3452	Ahmetoiuv.exe	86
PID 3452 wrote to memory of 1552	3452	Ahmetoiuv.exe	86
PID 3452 wrote to memory of 1552	3452	Ahmetoiuv.exe	86
PID 3452 wrote to memory of 1552	3452	Ahmetoiuv.exe	86
PID 3452 wrote to memory of 1552	3452	Ahmetoiuv.exe	86

C:\Users\Admin\AppData\Local\Temp\ABDETYBF.exe
"C:\Users\Admin\AppData\Local\Temp\ABDETYBF.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe
  "C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe"
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
  "C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
    C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
    3⤵
    - Executes dropped EXE
    PID:1552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 80
      4⤵
      Program crash
      PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1552 -ip 1552
1⤵
PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe

Filesize
306KB

MD5
3ffae71fdf23a86018fdf1e1b846eb2d

SHA1
4d8aaffca026d3a0336d996c21ae392022fcb00c

SHA256
5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15

SHA512
676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe

Filesize
306KB

MD5
3ffae71fdf23a86018fdf1e1b846eb2d

SHA1
4d8aaffca026d3a0336d996c21ae392022fcb00c

SHA256
5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15

SHA512
676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe

Filesize
306KB

MD5
3ffae71fdf23a86018fdf1e1b846eb2d

SHA1
4d8aaffca026d3a0336d996c21ae392022fcb00c

SHA256
5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15

SHA512
676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe

Filesize
293KB

MD5
39900a5f5037440f1380eb5efbdbd70d

SHA1
c661153d06c90c848694819095de0e57bc1bef25

SHA256
ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

SHA512
19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe

Filesize
293KB

MD5
39900a5f5037440f1380eb5efbdbd70d

SHA1
c661153d06c90c848694819095de0e57bc1bef25

SHA256
ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

SHA512
19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe

Filesize
293KB

MD5
39900a5f5037440f1380eb5efbdbd70d

SHA1
c661153d06c90c848694819095de0e57bc1bef25

SHA256
ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

SHA512
19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe

Filesize
293KB

MD5
39900a5f5037440f1380eb5efbdbd70d

SHA1
c661153d06c90c848694819095de0e57bc1bef25

SHA256
ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

SHA512
19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

Download Submit
memory/3452-23-0x00000000003D0000-0x0000000000422000-memory.dmp

Filesize
328KB

Download
memory/3452-24-0x0000000073020000-0x00000000737D0000-memory.dmp

Filesize
7.7MB

Download
memory/3452-25-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/3452-26-0x0000000004F20000-0x0000000004FBC000-memory.dmp

Filesize
624KB

Download
memory/3452-29-0x0000000073020000-0x00000000737D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing