1bb732330744dda9232ab0e291c9b5d5f8e76e9c649ed9e1e9f4327a0c7387dc

General

Target

REMK-4000844.exe
Size

349KB
MD5

f2ef364a14b6e3e07975c18755edb060
SHA1

333fba35617041fe3e8e2c3a848dee63b16f39ae
SHA256

1bb732330744dda9232ab0e291c9b5d5f8e76e9c649ed9e1e9f4327a0c7387dc
SHA512

9c7745f231d042ed4d3e29d684109bde88d6cf0343482cea48febe55bfda271b4eea4d8be76b84954735ced93de08f7dc934918a135d7a77185c4b304ba0c84f
SSDEEP

6144:LnPdudwDIgwJ1b/T+TY2j1AdqhAKKDCy1SFV+SSJvNxpSGbaKctu7hj:LnPdUzbbi8WrhALDBQV+SS1JrbcEt

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Control Panel\International\Geo\Nation	zhusl.exe

Executes dropped EXE 2 IoCs

pid	Process
1588	zhusl.exe
2916	zhusl.exe

Loads dropped DLL 2 IoCs

pid	Process
2152	REMK-4000844.exe
1588	zhusl.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1588 set thread context of 2916	1588	zhusl.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe
2916	zhusl.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1588	zhusl.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	zhusl.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1588	2152	REMK-4000844.exe	29
PID 2152 wrote to memory of 1588	2152	REMK-4000844.exe	29
PID 2152 wrote to memory of 1588	2152	REMK-4000844.exe	29
PID 2152 wrote to memory of 1588	2152	REMK-4000844.exe	29
PID 1588 wrote to memory of 2916	1588	zhusl.exe	30
PID 1588 wrote to memory of 2916	1588	zhusl.exe	30
PID 1588 wrote to memory of 2916	1588	zhusl.exe	30
PID 1588 wrote to memory of 2916	1588	zhusl.exe	30
PID 1588 wrote to memory of 2916	1588	zhusl.exe	30

C:\Users\Admin\AppData\Local\Temp\REMK-4000844.exe
"C:\Users\Admin\AppData\Local\Temp\REMK-4000844.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\zhusl.exe
  "C:\Users\Admin\AppData\Local\Temp\zhusl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\zhusl.exe
    "C:\Users\Admin\AppData\Local\Temp\zhusl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gtvtzgc.rcd

Filesize
231KB

MD5
94ed6cb553fff793a425e7dec954968d

SHA1
22bbc8fd8554000ca5d04ddbc09753faf2a750ad

SHA256
3f7b88d383dde4de641037dbe79b4f4c08608bfe50157d89741159a1689415d7

SHA512
cb13e553041758bdc6d9e0f0dc07bcba2218f0e9ff7e0160898f726edc4e3681827d792afc78816028f83f9a6664496ec1d2dcb7c3adb329c2e2d0a558937424

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhusl.exe

Filesize
176KB

MD5
8cc00f0ac2430050ce22ec2d68d7efcb

SHA1
81182740646e5524b0acdcbe61fb61514ebac2f3

SHA256
5c6cab4df7eac12e2605578a45718fb9f1dfdfd771226d7979cd29a0b3d2a061

SHA512
40e2baab22f60ab26135fbbf0e668cb5ff7b21f5040fcebe1669d9ef322f7fcf1f5a794c24f2ea7eef0adcb436bd47845f9404d869c0d6a1d147d45fe57364bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhusl.exe

Filesize
176KB

MD5
8cc00f0ac2430050ce22ec2d68d7efcb

SHA1
81182740646e5524b0acdcbe61fb61514ebac2f3

SHA256
5c6cab4df7eac12e2605578a45718fb9f1dfdfd771226d7979cd29a0b3d2a061

SHA512
40e2baab22f60ab26135fbbf0e668cb5ff7b21f5040fcebe1669d9ef322f7fcf1f5a794c24f2ea7eef0adcb436bd47845f9404d869c0d6a1d147d45fe57364bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhusl.exe

Filesize
176KB

MD5
8cc00f0ac2430050ce22ec2d68d7efcb

SHA1
81182740646e5524b0acdcbe61fb61514ebac2f3

SHA256
5c6cab4df7eac12e2605578a45718fb9f1dfdfd771226d7979cd29a0b3d2a061

SHA512
40e2baab22f60ab26135fbbf0e668cb5ff7b21f5040fcebe1669d9ef322f7fcf1f5a794c24f2ea7eef0adcb436bd47845f9404d869c0d6a1d147d45fe57364bd

Download Submit
\Users\Admin\AppData\Local\Temp\zhusl.exe

Filesize
176KB

MD5
8cc00f0ac2430050ce22ec2d68d7efcb

SHA1
81182740646e5524b0acdcbe61fb61514ebac2f3

SHA256
5c6cab4df7eac12e2605578a45718fb9f1dfdfd771226d7979cd29a0b3d2a061

SHA512
40e2baab22f60ab26135fbbf0e668cb5ff7b21f5040fcebe1669d9ef322f7fcf1f5a794c24f2ea7eef0adcb436bd47845f9404d869c0d6a1d147d45fe57364bd

Download Submit
\Users\Admin\AppData\Local\Temp\zhusl.exe

Filesize
176KB

MD5
8cc00f0ac2430050ce22ec2d68d7efcb

SHA1
81182740646e5524b0acdcbe61fb61514ebac2f3

SHA256
5c6cab4df7eac12e2605578a45718fb9f1dfdfd771226d7979cd29a0b3d2a061

SHA512
40e2baab22f60ab26135fbbf0e668cb5ff7b21f5040fcebe1669d9ef322f7fcf1f5a794c24f2ea7eef0adcb436bd47845f9404d869c0d6a1d147d45fe57364bd

Download Submit
memory/1588-6-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2916-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-13-0x0000000000810000-0x0000000000B13000-memory.dmp

Filesize
3.0MB

Download
memory/2916-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing