8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518

General

Target

8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe
Size

4.1MB
MD5

0139e92182e83346235dd351b31c6df0
SHA1

ee296a17f97f83c3f2e54ffb146d2151aba4393e
SHA256

8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518
SHA512

85f40c0171b0c913dcd8fd28829d962891f177152e361af3d9c867b87b91d9ba0ff2fea6b6d66383cf598b02d2c9e69cdb1b46824d3e16466f552a7ee0b9612c
SSDEEP

98304:rd70YMplG4Md+/+Ko0r+oESwpk9hiBRvG9Vq5IX8:BMH00rESrOBRO9V

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	4948.exe

Executes dropped EXE 1 IoCs

pid	Process
4376	4948.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2784-0-0x0000000000400000-0x000000000081E000-memory.dmp	upx
behavioral2/files/0x0007000000023246-7.dat	upx
behavioral2/files/0x0007000000023246-15.dat	upx
behavioral2/files/0x0007000000023246-16.dat	upx
behavioral2/memory/2784-22-0x0000000000400000-0x000000000081E000-memory.dmp	upx
behavioral2/memory/4376-32-0x0000000000400000-0x000000000081E000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\delSexe.vbs	8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe
File opened for modification	C:\Windows\SysWOW64\delSexe.vbs	8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe
File created	C:\Windows\SysWOW64\delMexe.vbs	4948.exe
File opened for modification	C:\Windows\SysWOW64\delMexe.vbs	4948.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1100	SCHTASKS.exe
1700	SCHTASKS.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?k114914"	8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?k114914"	4948.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	4948.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2784	8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe
2784	8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe
4376	4948.exe
4376	4948.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 1100	2784	8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe	83
PID 2784 wrote to memory of 1100	2784	8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe	83
PID 2784 wrote to memory of 1100	2784	8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe	83
PID 2784 wrote to memory of 4376	2784	8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe	86
PID 2784 wrote to memory of 4376	2784	8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe	86
PID 2784 wrote to memory of 4376	2784	8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe	86
PID 4376 wrote to memory of 1700	4376	4948.exe	87
PID 4376 wrote to memory of 1700	4376	4948.exe	87
PID 4376 wrote to memory of 1700	4376	4948.exe	87
PID 2784 wrote to memory of 3968	2784	8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe	89
PID 2784 wrote to memory of 3968	2784	8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe	89
PID 2784 wrote to memory of 3968	2784	8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe	89
PID 4376 wrote to memory of 776	4376	4948.exe	95
PID 4376 wrote to memory of 776	4376	4948.exe	95
PID 4376 wrote to memory of 776	4376	4948.exe	95

C:\Users\Admin\AppData\Local\Temp\8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe
"C:\Users\Admin\AppData\Local\Temp\8cf4f02e98635cdb8c54ca66a42e22b65be873b5b71376180077698e198ba518.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\SysWOW64\SCHTASKS.exe
  SCHTASKS /CREATE /TN 360ABC /SC MINUTE /F /MO 180 /TR C:\system.vbs
  2⤵
  - Creates scheduled task(s)
  PID:1100
- C:\Users\Admin\AppData\Local\Temp\4948.exe
  "C:\Users\Admin\AppData\Local\Temp\4948.exe" yes
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\SCHTASKS.exe
    SCHTASKS /CREATE /TN 360ABC /SC MINUTE /F /MO 180 /TR C:\system.vbs
    3⤵
    - Creates scheduled task(s)
    PID:1700
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\System32\delMexe.vbs"
    3⤵
    PID:776
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System32\delSexe.vbs"
  2⤵
  PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4948.exe

Filesize
4.1MB

MD5
d0b477370c3d537338dec08dd780a74b

SHA1
53d036bcd7fa6be1caba6f434d91c17062396be4

SHA256
c86e9f21bdc06eea248c3775e6d24b2068689efc95ba33b4e2cc4a8a07f6da64

SHA512
5979d0bf7f31aab5b32d85abda29ccb4cf48d364dd81e013cbe1649aee4b28b54baca1575db69a3ee995902031f3d87969e4da9abf13a150dfadd9e232b43e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4948.exe

Filesize
4.1MB

MD5
d0b477370c3d537338dec08dd780a74b

SHA1
53d036bcd7fa6be1caba6f434d91c17062396be4

SHA256
c86e9f21bdc06eea248c3775e6d24b2068689efc95ba33b4e2cc4a8a07f6da64

SHA512
5979d0bf7f31aab5b32d85abda29ccb4cf48d364dd81e013cbe1649aee4b28b54baca1575db69a3ee995902031f3d87969e4da9abf13a150dfadd9e232b43e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4948.exe

Filesize
4.1MB

MD5
d0b477370c3d537338dec08dd780a74b

SHA1
53d036bcd7fa6be1caba6f434d91c17062396be4

SHA256
c86e9f21bdc06eea248c3775e6d24b2068689efc95ba33b4e2cc4a8a07f6da64

SHA512
5979d0bf7f31aab5b32d85abda29ccb4cf48d364dd81e013cbe1649aee4b28b54baca1575db69a3ee995902031f3d87969e4da9abf13a150dfadd9e232b43e5b

Download Submit
C:\Windows\SysWOW64\delMexe.vbs

Filesize
328B

MD5
b612d9ff8c4f02aac361c4e0c50f45e7

SHA1
9f6d9589ed19f6e4d8dccc1b63360bd4c9968286

SHA256
3d94c4efaf027b732369de813197a6bc9a1ac81b1caa8879bcd2c9d079159730

SHA512
d951a7f309b9581700a2051ec225918f314fd8d84a79b53ab3067394726ec50bd1190bafbff70e10a145a454504e8809e2a15914b1cb89b61cfb86ca5b5693a8

Download Submit
C:\Windows\SysWOW64\delMexe.vbs

Filesize
328B

MD5
b612d9ff8c4f02aac361c4e0c50f45e7

SHA1
9f6d9589ed19f6e4d8dccc1b63360bd4c9968286

SHA256
3d94c4efaf027b732369de813197a6bc9a1ac81b1caa8879bcd2c9d079159730

SHA512
d951a7f309b9581700a2051ec225918f314fd8d84a79b53ab3067394726ec50bd1190bafbff70e10a145a454504e8809e2a15914b1cb89b61cfb86ca5b5693a8

Download Submit
C:\Windows\SysWOW64\delSexe.vbs

Filesize
448B

MD5
58dabf795015cf337085fc5461e44d7c

SHA1
c9efb92200e928f735017e502e16666e9fb5e1db

SHA256
3eb8cc64df9fe0f028d8a518f148afe24d0df69b7a9e7387468ab41e0dd935f1

SHA512
eaf8168eca8a5e78e31981e12df9882a3f61ae74f550d1f02a9e0153863368c99bfa3e8c600fdc9a4be8247ff9270271aef9a61386d0105017bf7d7f3637992b

Download Submit
C:\Windows\SysWOW64\delSexe.vbs

Filesize
448B

MD5
58dabf795015cf337085fc5461e44d7c

SHA1
c9efb92200e928f735017e502e16666e9fb5e1db

SHA256
3eb8cc64df9fe0f028d8a518f148afe24d0df69b7a9e7387468ab41e0dd935f1

SHA512
eaf8168eca8a5e78e31981e12df9882a3f61ae74f550d1f02a9e0153863368c99bfa3e8c600fdc9a4be8247ff9270271aef9a61386d0105017bf7d7f3637992b

Download Submit
C:\system.vbs

Filesize
2KB

MD5
b07e3e94fa5e559f50975cc18c4e7cb0

SHA1
5e6e86646512d032e055a817f95108f70b2d3cfd

SHA256
14b442e0eced74a4f17998ca3c9e6ea621def62b9aa1b94bf9669506fe88572d

SHA512
2f0fd60c9f35fd4111ac0d4e76edf803d41298c96a562762a6e300fab4797bfe430a38b877d490eb32e6de7a3c40b00f830038dc6598a00fe299c64a07bc83ae

Download Submit
memory/2784-0-0x0000000000400000-0x000000000081E000-memory.dmp

Filesize
4.1MB

Download
memory/2784-22-0x0000000000400000-0x000000000081E000-memory.dmp

Filesize
4.1MB

Download
memory/4376-32-0x0000000000400000-0x000000000081E000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads