ec26486eef61090ca050d1e2e6e98cfe72b5471a07d8fa73dbc8f2cdce85ef90

General

Target

ec26486eef61090ca050d1e2e6e98cfe72b5471a07d8fa73dbc8f2cdce85ef90.exe
Size

199KB
MD5

b7fbe9b2a328c358864449a9b6be127b
SHA1

0acf261163beac2ca22c57f70bf5ef574a419126
SHA256

ec26486eef61090ca050d1e2e6e98cfe72b5471a07d8fa73dbc8f2cdce85ef90
SHA512

49099d425fe10ad6ba68833ae6a7145c8264cbb6f92def7f4a92d40082738c3f2f04610cbf6fb6271e4224abde03438b464d5f65b2ed7d1cca3a09e0121d8595
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOj:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	ec26486eef61090ca050d1e2e6e98cfe72b5471a07d8fa73dbc8f2cdce85ef90.exe

Executes dropped EXE 1 IoCs

pid	Process
2004	soohost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\soohost.exe	ec26486eef61090ca050d1e2e6e98cfe72b5471a07d8fa73dbc8f2cdce85ef90.exe
File opened for modification	C:\Windows\Debug\soohost.exe	ec26486eef61090ca050d1e2e6e98cfe72b5471a07d8fa73dbc8f2cdce85ef90.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	soohost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	soohost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2272	ec26486eef61090ca050d1e2e6e98cfe72b5471a07d8fa73dbc8f2cdce85ef90.exe
Token: SeManageVolumePrivilege	1700	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 4724	2272	ec26486eef61090ca050d1e2e6e98cfe72b5471a07d8fa73dbc8f2cdce85ef90.exe	84
PID 2272 wrote to memory of 4724	2272	ec26486eef61090ca050d1e2e6e98cfe72b5471a07d8fa73dbc8f2cdce85ef90.exe	84
PID 2272 wrote to memory of 4724	2272	ec26486eef61090ca050d1e2e6e98cfe72b5471a07d8fa73dbc8f2cdce85ef90.exe	84

C:\Users\Admin\AppData\Local\Temp\ec26486eef61090ca050d1e2e6e98cfe72b5471a07d8fa73dbc8f2cdce85ef90.exe
"C:\Users\Admin\AppData\Local\Temp\ec26486eef61090ca050d1e2e6e98cfe72b5471a07d8fa73dbc8f2cdce85ef90.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EC2648~1.EXE > nul
  2⤵
  PID:4724

C:\Windows\Debug\soohost.exe
C:\Windows\Debug\soohost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2004

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
5554f1e52608ec57b6d90b48e7daa35f

SHA1
74f2377d27e31ba53376675742bf989d84cae41a

SHA256
3991c89169a60709315ee3d38cc4b28270731dd26467228bbe76f435c4bf2235

SHA512
bb6de522c052b646142da919e43e99e83472347f9dcb8ed584d9ffe86330ad9550bdd9db6f1a668b6e11d2f5a72ed81ed1ee179129954ef749b71fa34505061b

Download Submit
C:\Windows\Debug\soohost.exe

Filesize
199KB

MD5
cddad63a1155ed359364280a72a3c4f9

SHA1
9a215d83a25659e972280b2646ac39a99efe530b

SHA256
98aa5037e7c4484c77b80ff267ea3cd41d121961e75bf2c0d0377d53bdce426b

SHA512
d38ce7801779c213dbb501901d40c866e1dbe39cf98f7667aae2f2600269b87011d22deb74c2ddb9b1a350bfa4cc150f1eca34c887ba1a2b6f1ea3ef22ce1bf2

Download Submit
C:\Windows\debug\soohost.exe

Filesize
199KB

MD5
cddad63a1155ed359364280a72a3c4f9

SHA1
9a215d83a25659e972280b2646ac39a99efe530b

SHA256
98aa5037e7c4484c77b80ff267ea3cd41d121961e75bf2c0d0377d53bdce426b

SHA512
d38ce7801779c213dbb501901d40c866e1dbe39cf98f7667aae2f2600269b87011d22deb74c2ddb9b1a350bfa4cc150f1eca34c887ba1a2b6f1ea3ef22ce1bf2

Download Submit
memory/1700-44-0x000001D121D80000-0x000001D121D81000-memory.dmp

Filesize
4KB

Download
memory/1700-46-0x000001D121D80000-0x000001D121D81000-memory.dmp

Filesize
4KB

Download
memory/1700-37-0x000001D121D80000-0x000001D121D81000-memory.dmp

Filesize
4KB

Download
memory/1700-38-0x000001D121D80000-0x000001D121D81000-memory.dmp

Filesize
4KB

Download
memory/1700-39-0x000001D121D80000-0x000001D121D81000-memory.dmp

Filesize
4KB

Download
memory/1700-40-0x000001D121D80000-0x000001D121D81000-memory.dmp

Filesize
4KB

Download
memory/1700-41-0x000001D121D80000-0x000001D121D81000-memory.dmp

Filesize
4KB

Download
memory/1700-42-0x000001D121D80000-0x000001D121D81000-memory.dmp

Filesize
4KB

Download
memory/1700-43-0x000001D121D80000-0x000001D121D81000-memory.dmp

Filesize
4KB

Download
memory/1700-20-0x000001D119760000-0x000001D119770000-memory.dmp

Filesize
64KB

Download
memory/1700-45-0x000001D121D80000-0x000001D121D81000-memory.dmp

Filesize
4KB

Download
memory/1700-36-0x000001D121D50000-0x000001D121D51000-memory.dmp

Filesize
4KB

Download
memory/1700-47-0x000001D1219A0000-0x000001D1219A1000-memory.dmp

Filesize
4KB

Download
memory/1700-48-0x000001D121990000-0x000001D121991000-memory.dmp

Filesize
4KB

Download
memory/1700-50-0x000001D1219A0000-0x000001D1219A1000-memory.dmp

Filesize
4KB

Download
memory/1700-53-0x000001D121990000-0x000001D121991000-memory.dmp

Filesize
4KB

Download
memory/1700-56-0x000001D1218D0000-0x000001D1218D1000-memory.dmp

Filesize
4KB

Download
memory/1700-4-0x000001D119660000-0x000001D119670000-memory.dmp

Filesize
64KB

Download
memory/1700-68-0x000001D121AD0000-0x000001D121AD1000-memory.dmp

Filesize
4KB

Download
memory/1700-70-0x000001D121AE0000-0x000001D121AE1000-memory.dmp

Filesize
4KB

Download
memory/1700-71-0x000001D121AE0000-0x000001D121AE1000-memory.dmp

Filesize
4KB

Download
memory/1700-72-0x000001D121BF0000-0x000001D121BF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads