10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d

General

Target

10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe
Size

5.4MB
MD5

46c0b164fe00ae7ac205708a6e098da6
SHA1

1ff3a0ee285b6f70ee2e2113d8bc97c4c52a1c21
SHA256

10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d
SHA512

1aaf21ec93ef95ed0b52c421bd3b479318b48b2841b23e77c1819260ea47dc4e5262a1c39623a633c290f12f43830e31743de0d2be226364fa473ce210b04ad0
SSDEEP

98304:WM0FSUz4eSmbKFo2kcSrl6WgAPMUk9gNDdpl8wDkXDHnIbY/UeycSkg+PHjkengU:70IZAVaCOgfiDHUY/UrcSF+LFngR771/

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe

Executes dropped EXE 2 IoCs

pid	Process
4112	kmeiadfgdi.exe
4368	kmeiadfgdi.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/804-0-0x0000000000560000-0x0000000000811000-memory.dmp	upx
behavioral2/memory/804-6-0x0000000000560000-0x0000000000811000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\MYPGNotes\AppleNote.exe	kmeiadfgdi.tmp
File created	C:\Program Files (x86)\MYPGNotes\is-4RJ65.tmp	kmeiadfgdi.tmp
File created	C:\Program Files (x86)\MYPGNotes\is-P0J73.tmp	kmeiadfgdi.tmp
File opened for modification	C:\Program Files (x86)\MYPGNotes\unins000.dat	kmeiadfgdi.tmp
File opened for modification	C:\Program Files (x86)\MYPGNotes\Qt5Concurrent.dll	kmeiadfgdi.tmp
File created	C:\Program Files (x86)\MYPGNotes\unins000.dat	kmeiadfgdi.tmp
File created	C:\Program Files (x86)\MYPGNotes\is-B61F1.tmp	kmeiadfgdi.tmp
File created	C:\Program Files (x86)\MYPGNotes\is-GNVDU.tmp	kmeiadfgdi.tmp
File created	C:\Program Files (x86)\MYPGNotes\is-HL6Q2.tmp	kmeiadfgdi.tmp
File created	C:\Program Files (x86)\MYPGNotes\is-L16H1.tmp	kmeiadfgdi.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
804	10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe
804	10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe
804	10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe
804	10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe
4368	kmeiadfgdi.tmp
4368	kmeiadfgdi.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4368	kmeiadfgdi.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 2212	804	10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe	86
PID 804 wrote to memory of 2212	804	10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe	86
PID 804 wrote to memory of 2212	804	10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe	86
PID 2212 wrote to memory of 4112	2212	cmd.exe	88
PID 2212 wrote to memory of 4112	2212	cmd.exe	88
PID 2212 wrote to memory of 4112	2212	cmd.exe	88
PID 4112 wrote to memory of 4368	4112	kmeiadfgdi.exe	89
PID 4112 wrote to memory of 4368	4112	kmeiadfgdi.exe	89
PID 4112 wrote to memory of 4368	4112	kmeiadfgdi.exe	89

C:\Users\Admin\AppData\Local\Temp\10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe
"C:\Users\Admin\AppData\Local\Temp\10f690fcab1b2e3686d5f3f2b25c71b52d8247036c34d0454933832141721b8d.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\kmeiadfgdi.exe" /VERYSILENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\kmeiadfgdi.exe
    "C:\Users\Admin\AppData\Local\Temp\kmeiadfgdi.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Users\Admin\AppData\Local\Temp\is-86E1R.tmp\kmeiadfgdi.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-86E1R.tmp\kmeiadfgdi.tmp" /SL5="$60208,232785,54272,C:\Users\Admin\AppData\Local\Temp\kmeiadfgdi.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-86E1R.tmp\kmeiadfgdi.tmp

Filesize
900KB

MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-86E1R.tmp\kmeiadfgdi.tmp

Filesize
900KB

MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmeiadfgdi.exe

Filesize
526KB

MD5
9beea33ea128fd25ad509ae7ff7bcff3

SHA1
3a87a124b47d68bf8eb1d1a4f9695fb2b2a52660

SHA256
e0634bc21490c472b233aaec047438feae557f0d57ea5b78b3b48260916e2b4e

SHA512
292996177bbb804ea3f6ad51fdb74707f1a1a35d50d8ae7b082d88cbb476bae1a883133c9e1dc4cefce78bc71f8d65276e5cdaeeef03088bc54beb41269dc5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmeiadfgdi.exe

Filesize
526KB

MD5
9beea33ea128fd25ad509ae7ff7bcff3

SHA1
3a87a124b47d68bf8eb1d1a4f9695fb2b2a52660

SHA256
e0634bc21490c472b233aaec047438feae557f0d57ea5b78b3b48260916e2b4e

SHA512
292996177bbb804ea3f6ad51fdb74707f1a1a35d50d8ae7b082d88cbb476bae1a883133c9e1dc4cefce78bc71f8d65276e5cdaeeef03088bc54beb41269dc5b3

Download Submit
memory/804-0-0x0000000000560000-0x0000000000811000-memory.dmp

Filesize
2.7MB

Download
memory/804-1-0x0000000010000000-0x0000000010298000-memory.dmp

Filesize
2.6MB

Download
memory/804-6-0x0000000000560000-0x0000000000811000-memory.dmp

Filesize
2.7MB

Download
memory/4112-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4112-46-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4368-17-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/4368-45-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing