2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898

General

Target

2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe
Size

4.7MB
MD5

612a0c79384cc3700330cc3923421c01
SHA1

cda933214d642a7b43ff1d7ab02951c07052c0ff
SHA256

2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898
SHA512

6e4821f6523e02387cdf337ceb3abbd402377e8593adffb8183d8c825cbce7a3e98e1fc3c7dc6658241d138df9c53b6efc4197cd5afec23023f6dcb50e047429
SSDEEP

49152:kzPXPwh11sXIAyT9tN93ns5SkP2lS1mdM03aT1Pa5///mPpGoIF:kvPs1sByTM5SQrWM03o1a5LoQ

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2984	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/484-0-0x0000000000980000-0x0000000000A17000-memory.dmp	upx
behavioral2/memory/484-29-0x0000000000980000-0x0000000000A17000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsShell48267.log	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe
File opened for modification	C:\Windows\WindowSystemNewUpdate87.log	icacls.exe
File opened for modification	C:\Windows\WindowTerminalVaild22.log	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	484	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe
Token: SeDebugPrivilege	2984	icacls.exe
Token: SeIncBasePriorityPrivilege	484	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe
Token: SeDebugPrivilege	2984	icacls.exe
Token: SeDebugPrivilege	2984	icacls.exe
Token: SeDebugPrivilege	2984	icacls.exe
Token: SeDebugPrivilege	2984	icacls.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 484 wrote to memory of 2984	484	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	84
PID 484 wrote to memory of 2984	484	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	84
PID 484 wrote to memory of 2984	484	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	84
PID 484 wrote to memory of 2984	484	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	84
PID 484 wrote to memory of 2984	484	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	84
PID 484 wrote to memory of 2984	484	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	84
PID 484 wrote to memory of 3764	484	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	89
PID 484 wrote to memory of 3764	484	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	89
PID 484 wrote to memory of 3764	484	2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe	89

C:\Users\Admin\AppData\Local\Temp\2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe
"C:\Users\Admin\AppData\Local\Temp\2dfd42c85474bea11d0c45dcd4f7e33501d857a544a3aadd48642e94e5049898.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:484
- C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\SysWOW64\icacls.exe"
  2⤵
  - Modifies file permissions
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2DFD42~1.EXE > nul
  2⤵
  PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\WindowSystemNewUpdate87.log

Filesize
4KB

MD5
9161c2fb92f7ad912c190c976faf5941

SHA1
bc21978d8a1cc25972e961ea749c334696ed8f1d

SHA256
0477bd6b5057e749b68ba35311a9bd40694f56d70b4e849c037de669e756fa60

SHA512
d71df429ec610d8800530706f7912918a4b53942a8e569b0b286799eda42509cb6a5f5352fc3fd4da4ed9d5d1739b25722528e8084d146cb9d35dcf2aa6f20da

Download Submit
memory/484-29-0x0000000000980000-0x0000000000A17000-memory.dmp

Filesize
604KB

Download
memory/484-0-0x0000000000980000-0x0000000000A17000-memory.dmp

Filesize
604KB

Download
memory/2984-85-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-97-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-14-0x00000000009D0000-0x00000000009EB000-memory.dmp

Filesize
108KB

Download
memory/2984-6-0x00000000009D0000-0x00000000009EB000-memory.dmp

Filesize
108KB

Download
memory/2984-35-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-44-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-43-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-46-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-2-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/2984-77-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-81-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-83-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-82-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-4-0x00000000009D0000-0x00000000009EB000-memory.dmp

Filesize
108KB

Download
memory/2984-8-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2984-88-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-49-0x00000000006C0000-0x00000000006F8000-memory.dmp

Filesize
224KB

Download
memory/2984-90-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-98-0x00000000046E0000-0x0000000004A89000-memory.dmp

Filesize
3.7MB

Download
memory/2984-105-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-109-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-110-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-112-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-114-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-113-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-116-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-118-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-119-0x0000000004E20000-0x00000000051A4000-memory.dmp

Filesize
3.5MB

Download
memory/2984-121-0x0000000002C30000-0x0000000002D29000-memory.dmp

Filesize
996KB

Download
memory/2984-144-0x0000000005BF0000-0x0000000005F73000-memory.dmp

Filesize
3.5MB

Download
memory/2984-146-0x0000000005BF0000-0x0000000005F73000-memory.dmp

Filesize
3.5MB

Download
memory/2984-155-0x0000000005BF0000-0x0000000005F73000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing