9849e7217530267aa3ee1f84b0fbca828a72c296cd1db7c43fa8fe7f319b54eb

General

Target

P608297_2807_110411_jusificantes.PDF.exe
Size

360KB
MD5

d578bde56a9d1131efbf2629041960f5
SHA1

d7f0ba43a9c9b50db7efcd384646926841bb6c38
SHA256

9849e7217530267aa3ee1f84b0fbca828a72c296cd1db7c43fa8fe7f319b54eb
SHA512

a949ed9a409bdcf6926e78397bbd6b84cd7a54788a2da3b09f8aad00b6e728e4718e1821c34d008e02685e2895f303cc77506ae6966facc32b9bf70fc06bc41c
SSDEEP

6144:PYa6/Ja/LYizQFpati5GRoItggeyMI0AJ6OO/ATGL50kY8no/kzIEcHY2OZr:PYNaYicpG5X0Y6xAKL5vY8NcHm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	dewrxmbi.exe

Executes dropped EXE 2 IoCs

pid	Process
4484	dewrxmbi.exe
4344	dewrxmbi.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4484 set thread context of 4344	4484	dewrxmbi.exe	91
PID 4344 set thread context of 3188	4344	dewrxmbi.exe	44
PID 4344 set thread context of 568	4344	dewrxmbi.exe	97
PID 568 set thread context of 3188	568	help.exe	44

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4344	dewrxmbi.exe
4344	dewrxmbi.exe
4344	dewrxmbi.exe
4344	dewrxmbi.exe
4344	dewrxmbi.exe
4344	dewrxmbi.exe
4344	dewrxmbi.exe
4344	dewrxmbi.exe
4344	dewrxmbi.exe
4344	dewrxmbi.exe
4344	dewrxmbi.exe
4344	dewrxmbi.exe
4344	dewrxmbi.exe
4344	dewrxmbi.exe
4344	dewrxmbi.exe
4344	dewrxmbi.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe
568	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3188	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4484	dewrxmbi.exe
4344	dewrxmbi.exe
3188	Explorer.EXE
3188	Explorer.EXE
568	help.exe
568	help.exe
568	help.exe
568	help.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4344	dewrxmbi.exe
Token: SeDebugPrivilege	568	help.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 4484	2808	P608297_2807_110411_jusificantes.PDF.exe	89
PID 2808 wrote to memory of 4484	2808	P608297_2807_110411_jusificantes.PDF.exe	89
PID 2808 wrote to memory of 4484	2808	P608297_2807_110411_jusificantes.PDF.exe	89
PID 4484 wrote to memory of 4344	4484	dewrxmbi.exe	91
PID 4484 wrote to memory of 4344	4484	dewrxmbi.exe	91
PID 4484 wrote to memory of 4344	4484	dewrxmbi.exe	91
PID 4484 wrote to memory of 4344	4484	dewrxmbi.exe	91
PID 3188 wrote to memory of 568	3188	Explorer.EXE	97
PID 3188 wrote to memory of 568	3188	Explorer.EXE	97
PID 3188 wrote to memory of 568	3188	Explorer.EXE	97
PID 568 wrote to memory of 4516	568	help.exe	102
PID 568 wrote to memory of 4516	568	help.exe	102
PID 568 wrote to memory of 4516	568	help.exe	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Users\Admin\AppData\Local\Temp\P608297_2807_110411_jusificantes.PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\P608297_2807_110411_jusificantes.PDF.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\dewrxmbi.exe
    "C:\Users\Admin\AppData\Local\Temp\dewrxmbi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Users\Admin\AppData\Local\Temp\dewrxmbi.exe
      "C:\Users\Admin\AppData\Local\Temp\dewrxmbi.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4344
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dewrxmbi.exe

Filesize
163KB

MD5
f211b2a65b7b68b0f41227e4cd10950d

SHA1
405da3b50ae13fd43fc01542bbf63769725a0da1

SHA256
def376b9ac2d5191e8ebdc283492141b24717f6b7c94a0044f42166e9f9ee8e5

SHA512
e7d99421172b93616045b678378600ec9b8a29d5792facb1ffff7ab04f1af6763332f285484c110ff29333325edd269627396e4cadd57dc856ba2a33de354de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dewrxmbi.exe

Filesize
163KB

MD5
f211b2a65b7b68b0f41227e4cd10950d

SHA1
405da3b50ae13fd43fc01542bbf63769725a0da1

SHA256
def376b9ac2d5191e8ebdc283492141b24717f6b7c94a0044f42166e9f9ee8e5

SHA512
e7d99421172b93616045b678378600ec9b8a29d5792facb1ffff7ab04f1af6763332f285484c110ff29333325edd269627396e4cadd57dc856ba2a33de354de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dewrxmbi.exe

Filesize
163KB

MD5
f211b2a65b7b68b0f41227e4cd10950d

SHA1
405da3b50ae13fd43fc01542bbf63769725a0da1

SHA256
def376b9ac2d5191e8ebdc283492141b24717f6b7c94a0044f42166e9f9ee8e5

SHA512
e7d99421172b93616045b678378600ec9b8a29d5792facb1ffff7ab04f1af6763332f285484c110ff29333325edd269627396e4cadd57dc856ba2a33de354de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmlalbyztz.bu

Filesize
250KB

MD5
9e820721388ae8202acf48cfe7f292de

SHA1
13ebf9d0e5b7bd39e16050ec13aeaf56dbfd0fe4

SHA256
19740d5ebb50e60aae2d7af56df24458226fab04ba362a79fbcd7981e1b69aa3

SHA512
ef5196821b89948312db6383486a72048c3cafe4e08a6438b0f6ecb660df4b9482db5a8eec1ce3db96ec9132e5e065d984658490712feb7e9ad033c0d2adc6e5

Download Submit
memory/568-19-0x0000000000E50000-0x000000000119A000-memory.dmp

Filesize
3.3MB

Download
memory/568-20-0x0000000000490000-0x00000000004C6000-memory.dmp

Filesize
216KB

Download
memory/568-25-0x0000000000AF0000-0x0000000000B8C000-memory.dmp

Filesize
624KB

Download
memory/568-24-0x0000000000490000-0x00000000004C6000-memory.dmp

Filesize
216KB

Download
memory/568-15-0x0000000000490000-0x00000000004C6000-memory.dmp

Filesize
216KB

Download
memory/568-16-0x0000000000490000-0x00000000004C6000-memory.dmp

Filesize
216KB

Download
memory/568-21-0x0000000000AF0000-0x0000000000B8C000-memory.dmp

Filesize
624KB

Download
memory/3188-26-0x0000000002B80000-0x0000000002C23000-memory.dmp

Filesize
652KB

Download
memory/3188-22-0x0000000002B80000-0x0000000002C23000-memory.dmp

Filesize
652KB

Download
memory/3188-23-0x0000000002B80000-0x0000000002C23000-memory.dmp

Filesize
652KB

Download
memory/4344-14-0x0000000000D60000-0x0000000000D7D000-memory.dmp

Filesize
116KB

Download
memory/4344-18-0x0000000000D60000-0x0000000000D7D000-memory.dmp

Filesize
116KB

Download
memory/4344-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4344-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4344-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4344-12-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4344-11-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4344-10-0x0000000001210000-0x000000000155A000-memory.dmp

Filesize
3.3MB

Download
memory/4484-5-0x0000000001040000-0x0000000001042000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing