0739a5208881eaaa31ee83a35201f3a4d624c4a2b457c343511f404cf4c79fb6

General

Target

0739a5208881eaaa31ee83a35201f3a4d624c4a2b457c343511f404cf4c79fb6.exe
Size

16.0MB
MD5

655b4dd9046697ce92585701e9509c37
SHA1

ad7ff2514521f9ab705539585777635d5b964937
SHA256

0739a5208881eaaa31ee83a35201f3a4d624c4a2b457c343511f404cf4c79fb6
SHA512

8d7126eb5df32290104923be9f52b7f7f402494c65e967d41b4bff74fe691341229e49b47f269856a86c4a5b64fe260fde9389d942733204353f1a540a41a5ad
SSDEEP

196608:hkHxcNCLawAuO9yGLKDogM2pzhGDYdkfnbehR+wYaATmypTeolqFVVX+UwzROQIC:2cYZ5G2bM2pzITfnbCQ5HoVCRLKu317

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	0739a5208881eaaa31ee83a35201f3a4d624c4a2b457c343511f404cf4c79fb6.exe

Executes dropped EXE 3 IoCs

pid	Process
1400	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
3696	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
1820	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	0739a5208881eaaa31ee83a35201f3a4d624c4a2b457c343511f404cf4c79fb6.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4120	0739a5208881eaaa31ee83a35201f3a4d624c4a2b457c343511f404cf4c79fb6.exe
4120	0739a5208881eaaa31ee83a35201f3a4d624c4a2b457c343511f404cf4c79fb6.exe
1400	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
1400	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
3696	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
3696	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
1820	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
1820	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 1400	4120	0739a5208881eaaa31ee83a35201f3a4d624c4a2b457c343511f404cf4c79fb6.exe	95
PID 4120 wrote to memory of 1400	4120	0739a5208881eaaa31ee83a35201f3a4d624c4a2b457c343511f404cf4c79fb6.exe	95
PID 4120 wrote to memory of 1400	4120	0739a5208881eaaa31ee83a35201f3a4d624c4a2b457c343511f404cf4c79fb6.exe	95
PID 4120 wrote to memory of 1896	4120	0739a5208881eaaa31ee83a35201f3a4d624c4a2b457c343511f404cf4c79fb6.exe	96
PID 4120 wrote to memory of 1896	4120	0739a5208881eaaa31ee83a35201f3a4d624c4a2b457c343511f404cf4c79fb6.exe	96
PID 4120 wrote to memory of 1896	4120	0739a5208881eaaa31ee83a35201f3a4d624c4a2b457c343511f404cf4c79fb6.exe	96
PID 1400 wrote to memory of 3696	1400	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	97
PID 1400 wrote to memory of 3696	1400	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	97
PID 1400 wrote to memory of 3696	1400	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	97
PID 1400 wrote to memory of 4296	1400	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	98
PID 1400 wrote to memory of 4296	1400	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	98
PID 1400 wrote to memory of 4296	1400	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	98
PID 3696 wrote to memory of 1820	3696	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	99
PID 3696 wrote to memory of 1820	3696	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	99
PID 3696 wrote to memory of 1820	3696	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	99
PID 3696 wrote to memory of 404	3696	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	100
PID 3696 wrote to memory of 404	3696	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	100
PID 3696 wrote to memory of 404	3696	ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe	100

C:\Users\Admin\AppData\Local\Temp\0739a5208881eaaa31ee83a35201f3a4d624c4a2b457c343511f404cf4c79fb6.exe
"C:\Users\Admin\AppData\Local\Temp\0739a5208881eaaa31ee83a35201f3a4d624c4a2b457c343511f404cf4c79fb6.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
  "C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
    "C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe
      "C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1820
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
      4⤵
      PID:404
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
    3⤵
    PID:4296
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
  2⤵
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs

Filesize
275B

MD5
c2a82dc56af2c1319c25e92e88a22bfe

SHA1
c793fa6726189664bc6c33cbbb69c3d65694e145

SHA256
ea12de92e0fc8a1e519bb8f5c5597c4475e37ba5d90aa89e9ecc812b42d1e8b5

SHA512
98a567cf0b457b8db99cd99867b0817a9ece554798283dda7595dff4b78106bb97a5eef26656c6ce8a42d00180412870a5b41deeffa8bb310af33f62902158f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem.vbs

Filesize
230B

MD5
151b71b54d34e4f2b0b69d83adb0d735

SHA1
5f01862b18c2eb52696bd4ff4625f1c1a3e9cf34

SHA256
cd725db722b7323b3f92ed1f63904d768f965142d17d966c828d0eb246e72730

SHA512
590191f90893efe5d188e52567b3b9d5efc0fdd289e099c52685354b01bf8122201b34f0a48dbf33b9b5fef3cacad6e142f9a0952a2e4a452755eae59cd563b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Filesize
16.0MB

MD5
5bd44d2202e34e2bbee2088c63a7a6ff

SHA1
bf9330fdec7097bbf273e1614b771ebb54437989

SHA256
66641f8b2d1a08c0aa028fbff8a99f584764a53061c0589e5ea56ab344405577

SHA512
b3220e01238ada28645721aadfb4db9aa02a9bcdb4493a9a86708a7d20405ce0e79bf3e7bca43ab6edd0d6f0d7e20023773088d10ee3876b1a37e5b7c291bff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Filesize
16.0MB

MD5
5bd44d2202e34e2bbee2088c63a7a6ff

SHA1
bf9330fdec7097bbf273e1614b771ebb54437989

SHA256
66641f8b2d1a08c0aa028fbff8a99f584764a53061c0589e5ea56ab344405577

SHA512
b3220e01238ada28645721aadfb4db9aa02a9bcdb4493a9a86708a7d20405ce0e79bf3e7bca43ab6edd0d6f0d7e20023773088d10ee3876b1a37e5b7c291bff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿³ÌÐò_ÔÆ¸üÐÂss42.exe

Filesize
16.0MB

MD5
5bd44d2202e34e2bbee2088c63a7a6ff

SHA1
bf9330fdec7097bbf273e1614b771ebb54437989

SHA256
66641f8b2d1a08c0aa028fbff8a99f584764a53061c0589e5ea56ab344405577

SHA512
b3220e01238ada28645721aadfb4db9aa02a9bcdb4493a9a86708a7d20405ce0e79bf3e7bca43ab6edd0d6f0d7e20023773088d10ee3876b1a37e5b7c291bff9

Download Submit
memory/1400-9-0x0000000000400000-0x0000000002311000-memory.dmp

Filesize
31.1MB

Download
memory/1820-22-0x0000000000400000-0x0000000002311000-memory.dmp

Filesize
31.1MB

Download
memory/3696-18-0x0000000000400000-0x0000000002311000-memory.dmp

Filesize
31.1MB

Download
memory/4120-0-0x0000000000400000-0x0000000002309000-memory.dmp

Filesize
31.0MB

Download

Analysis

Sharing