c8122debaede9ed9ffba560e7a8367c38801bc6879c51abaaf628a3e176cf1e1

General

Target

INQUIRY 020318.exe
Size

346KB
MD5

0ffecdb4854fd54be9dda9417016e658
SHA1

8b1053443c197b3938314fb30cf230708397dabb
SHA256

c8122debaede9ed9ffba560e7a8367c38801bc6879c51abaaf628a3e176cf1e1
SHA512

8f354ce0b53bebae40f0e82f32179ccdbe2c6ee50b10901ba52633b4c8d984b02230b4fd9b042fe95cb397673bab88b7c8075e2c323db88ae1a16ce0812cc121
SSDEEP

6144:JYa6oArDe5J9j8o36Lx54OANvTb9wMQPwi/8p66XNekUiDO4Gv:JYmAYt3sx2inoi0rXNe/i64Gv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Control Panel\International\Geo\Nation	zxyrcvr.exe

Executes dropped EXE 2 IoCs

pid	Process
2592	zxyrcvr.exe
2704	zxyrcvr.exe

Loads dropped DLL 2 IoCs

pid	Process
1956	INQUIRY 020318.exe
2592	zxyrcvr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2592 set thread context of 2704	2592	zxyrcvr.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe
2704	zxyrcvr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2592	zxyrcvr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	zxyrcvr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2592	1956	INQUIRY 020318.exe	28
PID 1956 wrote to memory of 2592	1956	INQUIRY 020318.exe	28
PID 1956 wrote to memory of 2592	1956	INQUIRY 020318.exe	28
PID 1956 wrote to memory of 2592	1956	INQUIRY 020318.exe	28
PID 2592 wrote to memory of 2704	2592	zxyrcvr.exe	29
PID 2592 wrote to memory of 2704	2592	zxyrcvr.exe	29
PID 2592 wrote to memory of 2704	2592	zxyrcvr.exe	29
PID 2592 wrote to memory of 2704	2592	zxyrcvr.exe	29
PID 2592 wrote to memory of 2704	2592	zxyrcvr.exe	29

C:\Users\Admin\AppData\Local\Temp\INQUIRY 020318.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY 020318.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\zxyrcvr.exe
  "C:\Users\Admin\AppData\Local\Temp\zxyrcvr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\zxyrcvr.exe
    "C:\Users\Admin\AppData\Local\Temp\zxyrcvr.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ozwkmcvof.fwk

Filesize
231KB

MD5
9e6837fd3f391f0de77d6eb547ae6519

SHA1
ed263abb31e5564d56a6ee0f906a181aa4e0214d

SHA256
72f6b8017904e2f0cd22edf3c3d4b9a2391ac6eff86e23e12fd51c4044213995

SHA512
cd0a489925348cc8183ff07fa968437a547a4a9fe89cb5a57e422d538ac82a55ee6bf9b4a8111e0341ced3fe1db071b1ba3aa421728c0fdded484f698fc746d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxyrcvr.exe

Filesize
166KB

MD5
673a624938c204bfd3cf24f52d5c31b8

SHA1
911fbc951ea7fad146cc8d693ac2c5f24a113811

SHA256
ca010661d72f414fbe29b4d1582e7981d83c9d5139b5756578ec6c7e5f94201e

SHA512
8d9bc0be21d44dcecd8f348d71910d106d8022420ccf2a042bb3dc5de4b1e37f0b67547a5174963b188e81ce0d1af2670f0ce230f732b692d6f0d62bdde0619b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxyrcvr.exe

Filesize
166KB

MD5
673a624938c204bfd3cf24f52d5c31b8

SHA1
911fbc951ea7fad146cc8d693ac2c5f24a113811

SHA256
ca010661d72f414fbe29b4d1582e7981d83c9d5139b5756578ec6c7e5f94201e

SHA512
8d9bc0be21d44dcecd8f348d71910d106d8022420ccf2a042bb3dc5de4b1e37f0b67547a5174963b188e81ce0d1af2670f0ce230f732b692d6f0d62bdde0619b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxyrcvr.exe

Filesize
166KB

MD5
673a624938c204bfd3cf24f52d5c31b8

SHA1
911fbc951ea7fad146cc8d693ac2c5f24a113811

SHA256
ca010661d72f414fbe29b4d1582e7981d83c9d5139b5756578ec6c7e5f94201e

SHA512
8d9bc0be21d44dcecd8f348d71910d106d8022420ccf2a042bb3dc5de4b1e37f0b67547a5174963b188e81ce0d1af2670f0ce230f732b692d6f0d62bdde0619b

Download Submit
\Users\Admin\AppData\Local\Temp\zxyrcvr.exe

Filesize
166KB

MD5
673a624938c204bfd3cf24f52d5c31b8

SHA1
911fbc951ea7fad146cc8d693ac2c5f24a113811

SHA256
ca010661d72f414fbe29b4d1582e7981d83c9d5139b5756578ec6c7e5f94201e

SHA512
8d9bc0be21d44dcecd8f348d71910d106d8022420ccf2a042bb3dc5de4b1e37f0b67547a5174963b188e81ce0d1af2670f0ce230f732b692d6f0d62bdde0619b

Download Submit
\Users\Admin\AppData\Local\Temp\zxyrcvr.exe

Filesize
166KB

MD5
673a624938c204bfd3cf24f52d5c31b8

SHA1
911fbc951ea7fad146cc8d693ac2c5f24a113811

SHA256
ca010661d72f414fbe29b4d1582e7981d83c9d5139b5756578ec6c7e5f94201e

SHA512
8d9bc0be21d44dcecd8f348d71910d106d8022420ccf2a042bb3dc5de4b1e37f0b67547a5174963b188e81ce0d1af2670f0ce230f732b692d6f0d62bdde0619b

Download Submit
memory/2592-6-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2704-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2704-13-0x0000000000C90000-0x0000000000F93000-memory.dmp

Filesize
3.0MB

Download
memory/2704-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing