392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3

General

Target

392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe
Size

1.5MB
MD5

56f5fc19dcac0ad3e025a1a70de8a134
SHA1

9074a465e9ecaea11e424169e73708618cdfc651
SHA256

392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3
SHA512

3dfc8369ae513affdf0c371340022183e360432b5de1e38a5904bc552e19e175e90c8861b45f9ba799d17ad31439dcd51fa0705dff892c74c617519ff2765e9a
SSDEEP

24576:NWFf9wwXe8UBH9iT6hbuZ3SuLCxfu4eyEMrOLabNZ5muy5Az6U4hfM1wWqJG3J:NQf9wwXe8eqLqflEM2ywC+U4hwuS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe

Executes dropped EXE 1 IoCs

pid	Process
1892	µãÎ»Æ÷1.2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4736	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe
4736	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4736	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4736	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe
4736	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe
4736	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe
1892	µãÎ»Æ÷1.2.exe
1892	µãÎ»Æ÷1.2.exe
1892	µãÎ»Æ÷1.2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 2612	4736	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe	96
PID 4736 wrote to memory of 2612	4736	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe	96
PID 4736 wrote to memory of 2612	4736	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe	96
PID 4736 wrote to memory of 1892	4736	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe	100
PID 4736 wrote to memory of 1892	4736	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe	100
PID 4736 wrote to memory of 1892	4736	392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe	100

C:\Users\Admin\AppData\Local\Temp\392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe
"C:\Users\Admin\AppData\Local\Temp\392ba9e4a216b0e687846948bcee727914ae2a91580d0ed7d9b6ab749b3418d3.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\Users\Admin\AppData\Local\Temp\1696731759.zip
  2⤵
  PID:2612
- C:\Users\Admin\AppData\Local\Temp\µãÎ»Æ÷1.2.exe
  "C:\Users\Admin\AppData\Local\Temp\µãÎ»Æ÷1.2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_96EEC010953ED454BBCDFA69FC071E7C

Filesize
1KB

MD5
1ba04bdcb661cdd399f94c62e5bf9a48

SHA1
20ab80de61825c1004cb22d77a5dceb360d4516f

SHA256
baa71234d197059baa966cdcba90540128f408e7e65d9f3eb5efabb037360c0b

SHA512
41b208d79eebd14fcd0fc1a7489b2782569668606f3bb2114fda07cbbe1730fdf73131f734cf6ab8d56b697eb396579696d563f948a2cd5aae2b62657b99aca3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4B3D1CD03E2BE9D4F9CDDE390F5EFE31_287BE23B7EA864C953D17EFAF5804874

Filesize
1KB

MD5
5a8d9f61219d909ccd7dfd4e96b3972d

SHA1
cf4330b47c5e69cac8114323fc36e50991be90c2

SHA256
1587238ec70b8b737480e75811a0036abb04fc9340531ad8558f4d884697b35d

SHA512
5a81de82247749c8ee715d5b1064ec0329f4fed088d2832ff143ea318ca012c19f55e208dc45f7829bf716013336a5baa9d4afdc495e8d2afdc8e1ddfd162632

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_96EEC010953ED454BBCDFA69FC071E7C

Filesize
516B

MD5
abd24b982bd7f572c1814740aaf07910

SHA1
e6dacf20eb8d2b0e7f9131c33027b2d7ab6b20c6

SHA256
ba1ed3f0d9da37962de53d10c96d88e9a4669307744363c1b97a8a0ae65a1edd

SHA512
f05162d462bbfe9856263ed7715c9f82629ea09666a8959cec25659b53d4811d3584f74ac696d9c4f72ca990aadf87f9b22c624e79e9449d9bdad043465be9d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4B3D1CD03E2BE9D4F9CDDE390F5EFE31_287BE23B7EA864C953D17EFAF5804874

Filesize
528B

MD5
ff5b5a77d17808b152c24bafd20cde5f

SHA1
e9fed5ae8fb6fe8af41c0ca9b4842a2e747ffa99

SHA256
a4a6f0fb02ad28a62eef7e1bf6cca6789631330fe137e17300ac32cde908fd22

SHA512
c96986f59427dd038947d1e291841215eba66f275e350c2aebcbc81e95e820cbd6075e02a2e67d25ccf5c2ca10ff7bb9410e695ebde5e8401c1564b3e6227df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\µãÎ»Æ÷1.2.exe

Filesize
1.6MB

MD5
be9bd1c43152424a69d5c0c1e0cda09f

SHA1
99044ab3b6d45a9d4d3166a2948e2584e27c1ed8

SHA256
5234385c361f337f229be8209e6f42d7622ab229687b79b24019ed16d39372ac

SHA512
7e8f0274ccbf26f1813afe55a26fdae48fe9f3e239fb0b80e706aef393fa05da9c540d9b40cf1d30002a53015f55dcaaedeb2314e5ed94ea81dcc47a2cda97fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\µãÎ»Æ÷1.2.exe

Filesize
1.6MB

MD5
be9bd1c43152424a69d5c0c1e0cda09f

SHA1
99044ab3b6d45a9d4d3166a2948e2584e27c1ed8

SHA256
5234385c361f337f229be8209e6f42d7622ab229687b79b24019ed16d39372ac

SHA512
7e8f0274ccbf26f1813afe55a26fdae48fe9f3e239fb0b80e706aef393fa05da9c540d9b40cf1d30002a53015f55dcaaedeb2314e5ed94ea81dcc47a2cda97fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\µãÎ»Æ÷1.2.exe

Filesize
1.6MB

MD5
be9bd1c43152424a69d5c0c1e0cda09f

SHA1
99044ab3b6d45a9d4d3166a2948e2584e27c1ed8

SHA256
5234385c361f337f229be8209e6f42d7622ab229687b79b24019ed16d39372ac

SHA512
7e8f0274ccbf26f1813afe55a26fdae48fe9f3e239fb0b80e706aef393fa05da9c540d9b40cf1d30002a53015f55dcaaedeb2314e5ed94ea81dcc47a2cda97fc

Download Submit
memory/1892-21-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/4736-0-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing