781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434

General

Target

781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434_JC.exe
Size

606KB
MD5

c7b28f5f9fb6780fc0976a8383696818
SHA1

af6654f093fe2af97b024dfe8067e0aa8dc93816
SHA256

781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434
SHA512

955e32a0171de8c527906559af067a4b5c25fc6a91ffcb9b1c57f934c82b7ab31885c6b82cf1610c8497b8350523a2316c12fcb8e6a68eb984a6684d4a15a841
SSDEEP

12288:NcrNS33L10QdrXjNfmDnDnCXgUcYfOfAFczhTjHsHLzuhV2Rj+TF:wNA3R5drXwDDuhcY7c9TSuhE4F

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	esdvsdf.sfx.exe

Executes dropped EXE 3 IoCs

pid	Process
3908	esdvsdf.sfx.exe
5060	esdvsdf.exe
1488	esdvsdf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5060 set thread context of 1488	5060	esdvsdf.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
220	1488	WerFault.exe	91

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	esdvsdf.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2144	2660	781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434_JC.exe	84
PID 2660 wrote to memory of 2144	2660	781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434_JC.exe	84
PID 2660 wrote to memory of 2144	2660	781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434_JC.exe	84
PID 2144 wrote to memory of 3908	2144	cmd.exe	87
PID 2144 wrote to memory of 3908	2144	cmd.exe	87
PID 2144 wrote to memory of 3908	2144	cmd.exe	87
PID 3908 wrote to memory of 5060	3908	esdvsdf.sfx.exe	88
PID 3908 wrote to memory of 5060	3908	esdvsdf.sfx.exe	88
PID 3908 wrote to memory of 5060	3908	esdvsdf.sfx.exe	88
PID 5060 wrote to memory of 1488	5060	esdvsdf.exe	91
PID 5060 wrote to memory of 1488	5060	esdvsdf.exe	91
PID 5060 wrote to memory of 1488	5060	esdvsdf.exe	91
PID 5060 wrote to memory of 1488	5060	esdvsdf.exe	91
PID 5060 wrote to memory of 1488	5060	esdvsdf.exe	91
PID 5060 wrote to memory of 1488	5060	esdvsdf.exe	91
PID 5060 wrote to memory of 1488	5060	esdvsdf.exe	91
PID 5060 wrote to memory of 1488	5060	esdvsdf.exe	91

C:\Users\Admin\AppData\Local\Temp\781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434_JC.exe
"C:\Users\Admin\AppData\Local\Temp\781cf97025896c0aef788b6844587ca2b94602d68e50efea2abac50bbd066434_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ameukfhn.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\esdvsdf.sfx.exe
    esdvsdf.sfx.exe -pkymdkeopjszafugyRhvqxsHbcdhryujmsavmhjfjgBbsdirhndmkaloybdtyuiOlfgnme -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3908
  - - C:\Users\Admin\AppData\Local\Temp\esdvsdf.exe
      "C:\Users\Admin\AppData\Local\Temp\esdvsdf.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Users\Admin\AppData\Local\Temp\esdvsdf.exe
        
        C:\Users\Admin\AppData\Local\Temp\esdvsdf.exe
        5⤵
        Executes dropped EXE
        
        PID:1488
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 80
        6⤵
        Program crash
        
        PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1488 -ip 1488
1⤵
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ameukfhn.bat

Filesize
14KB

MD5
55b5c05715d4a022d64327a9ca38e7a1

SHA1
373c77f1fb11bea6a1698eae4e6399443c4a978e

SHA256
9d4ba2292025de84e89af24810cc542e091d3fed43c07962d30a2ad35675ee49

SHA512
e2cc7bcb690275b1a00ac27ea813b1f5e8809376fd42bd5954d122a29e955c31afd89955f929e999a1924cc682ccff62c5f459cb0c96f51d2abb59184a36f9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\esdvsdf.exe

Filesize
133KB

MD5
3f279039d26af3a7a18a2cdd9a35b5a2

SHA1
53bfffe732dc5f170f38b2731dd4aba0564f4f14

SHA256
3d3260683eaa752648a2e72bbbf572bfcb3229d889f6da46ba25c2d82567b792

SHA512
03bf43818e9755876c8f461321afbdebc74008f3ac50b0de9ce505997fbd3f25fcce3dfa85cf195965e976378e749ab4a7ecea47e50e7d349ba8d16f6e09a070

Download Submit
C:\Users\Admin\AppData\Local\Temp\esdvsdf.exe

Filesize
133KB

MD5
3f279039d26af3a7a18a2cdd9a35b5a2

SHA1
53bfffe732dc5f170f38b2731dd4aba0564f4f14

SHA256
3d3260683eaa752648a2e72bbbf572bfcb3229d889f6da46ba25c2d82567b792

SHA512
03bf43818e9755876c8f461321afbdebc74008f3ac50b0de9ce505997fbd3f25fcce3dfa85cf195965e976378e749ab4a7ecea47e50e7d349ba8d16f6e09a070

Download Submit
C:\Users\Admin\AppData\Local\Temp\esdvsdf.exe

Filesize
133KB

MD5
3f279039d26af3a7a18a2cdd9a35b5a2

SHA1
53bfffe732dc5f170f38b2731dd4aba0564f4f14

SHA256
3d3260683eaa752648a2e72bbbf572bfcb3229d889f6da46ba25c2d82567b792

SHA512
03bf43818e9755876c8f461321afbdebc74008f3ac50b0de9ce505997fbd3f25fcce3dfa85cf195965e976378e749ab4a7ecea47e50e7d349ba8d16f6e09a070

Download Submit
C:\Users\Admin\AppData\Local\Temp\esdvsdf.exe

Filesize
133KB

MD5
3f279039d26af3a7a18a2cdd9a35b5a2

SHA1
53bfffe732dc5f170f38b2731dd4aba0564f4f14

SHA256
3d3260683eaa752648a2e72bbbf572bfcb3229d889f6da46ba25c2d82567b792

SHA512
03bf43818e9755876c8f461321afbdebc74008f3ac50b0de9ce505997fbd3f25fcce3dfa85cf195965e976378e749ab4a7ecea47e50e7d349ba8d16f6e09a070

Download Submit
C:\Users\Admin\AppData\Local\Temp\esdvsdf.sfx.exe

Filesize
444KB

MD5
1354e84b20a806a0a19ee056dc50f54b

SHA1
0b2ba75f398946efacbdaeb24ea9f69dccd95cbd

SHA256
b9e2318ccb966f02f3758d0cc2f0726ce997bf9677545385c438cb547c60fd5b

SHA512
3dd4250d51393ac7f6b00e7b3c423351b87edef22a75ee474405737d27368f80d154e7ac96b589b771e7f90b4f601eed51eccc4db10b94a3f84f721d41117365

Download Submit
C:\Users\Admin\AppData\Local\Temp\esdvsdf.sfx.exe

Filesize
444KB

MD5
1354e84b20a806a0a19ee056dc50f54b

SHA1
0b2ba75f398946efacbdaeb24ea9f69dccd95cbd

SHA256
b9e2318ccb966f02f3758d0cc2f0726ce997bf9677545385c438cb547c60fd5b

SHA512
3dd4250d51393ac7f6b00e7b3c423351b87edef22a75ee474405737d27368f80d154e7ac96b589b771e7f90b4f601eed51eccc4db10b94a3f84f721d41117365

Download Submit
memory/5060-22-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/5060-23-0x0000000000970000-0x0000000000996000-memory.dmp

Filesize
152KB

Download
memory/5060-24-0x00000000054A0000-0x000000000553C000-memory.dmp

Filesize
624KB

Download
memory/5060-28-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing