24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726

General

Target

24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe
Size

399KB
MD5

915b603cf3096bdd238cfe0a03922b64
SHA1

d95e627f5f08f1b23a8ed595dc3b13129daa7545
SHA256

24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726
SHA512

017aa2ebacb45120dddbb3c17c4836d947b7921b6c2f966331158aa2fe78b1da40e077805a4c0b4c23f8ddc5ef0f76184948390f771b59c86a94998ab463c75f
SSDEEP

12288:CKwdk5r64i/IIjavqLJbgdoNaJCxtNPl6:CKkk5r64igFvoQJQtNd6

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe

Executes dropped EXE 3 IoCs

pid	Process
1260	TrZVmTFKaJ.exe
4704	TrZVmTFKaJ.exe
2380	TrZVmTFKaJ.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2380-22-0x0000000000820000-0x000000000082B000-memory.dmp	upx
behavioral2/memory/2380-25-0x0000000000820000-0x000000000082B000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TrZVmTFKaJ.exe	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe
File opened for modification	C:\Windows\SysWOW64\TrZVmTFKaJ.exe	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe
File created	C:\Windows\SysWOW64\TrZVmTFKaJ.exe	TrZVmTFKaJ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4352	2380	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4060	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe
4060	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe
4060	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe
4060	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe
4060	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe
4060	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe
1260	TrZVmTFKaJ.exe
1260	TrZVmTFKaJ.exe
4704	TrZVmTFKaJ.exe
4704	TrZVmTFKaJ.exe
2380	TrZVmTFKaJ.exe
2380	TrZVmTFKaJ.exe
2380	TrZVmTFKaJ.exe
2380	TrZVmTFKaJ.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4060	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4060	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe
4060	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe
1260	TrZVmTFKaJ.exe
1260	TrZVmTFKaJ.exe
4704	TrZVmTFKaJ.exe
4704	TrZVmTFKaJ.exe
2380	TrZVmTFKaJ.exe
2380	TrZVmTFKaJ.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 1260	4060	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe	88
PID 4060 wrote to memory of 1260	4060	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe	88
PID 4060 wrote to memory of 1260	4060	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe	88
PID 4704 wrote to memory of 2380	4704	TrZVmTFKaJ.exe	90
PID 4704 wrote to memory of 2380	4704	TrZVmTFKaJ.exe	90
PID 4704 wrote to memory of 2380	4704	TrZVmTFKaJ.exe	90
PID 4060 wrote to memory of 1660	4060	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe	91
PID 4060 wrote to memory of 1660	4060	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe	91
PID 4060 wrote to memory of 1660	4060	24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe	91

C:\Users\Admin\AppData\Local\Temp\24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe
"C:\Users\Admin\AppData\Local\Temp\24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\SysWOW64\TrZVmTFKaJ.exe
  -auto
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" cmd/cping-n2127.0.0.1>nulC:\Users\Admin\AppData\Local\Temp\[email protected]>nul
  2⤵
  PID:1660

C:\Windows\SysWOW64\TrZVmTFKaJ.exe
C:\Windows\SysWOW64\TrZVmTFKaJ.exe Service 1
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\SysWOW64\TrZVmTFKaJ.exe
  -a1
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 904
    3⤵
    - Program crash
    PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2380 -ip 2380
1⤵
PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\TrZVmTFKaJ.exe

Filesize
399KB

MD5
915b603cf3096bdd238cfe0a03922b64

SHA1
d95e627f5f08f1b23a8ed595dc3b13129daa7545

SHA256
24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726

SHA512
017aa2ebacb45120dddbb3c17c4836d947b7921b6c2f966331158aa2fe78b1da40e077805a4c0b4c23f8ddc5ef0f76184948390f771b59c86a94998ab463c75f

Download Submit
C:\Windows\SysWOW64\TrZVmTFKaJ.exe

Filesize
399KB

MD5
915b603cf3096bdd238cfe0a03922b64

SHA1
d95e627f5f08f1b23a8ed595dc3b13129daa7545

SHA256
24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726

SHA512
017aa2ebacb45120dddbb3c17c4836d947b7921b6c2f966331158aa2fe78b1da40e077805a4c0b4c23f8ddc5ef0f76184948390f771b59c86a94998ab463c75f

Download Submit
C:\Windows\SysWOW64\TrZVmTFKaJ.exe

Filesize
399KB

MD5
915b603cf3096bdd238cfe0a03922b64

SHA1
d95e627f5f08f1b23a8ed595dc3b13129daa7545

SHA256
24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726

SHA512
017aa2ebacb45120dddbb3c17c4836d947b7921b6c2f966331158aa2fe78b1da40e077805a4c0b4c23f8ddc5ef0f76184948390f771b59c86a94998ab463c75f

Download Submit
C:\Windows\SysWOW64\TrZVmTFKaJ.exe

Filesize
399KB

MD5
915b603cf3096bdd238cfe0a03922b64

SHA1
d95e627f5f08f1b23a8ed595dc3b13129daa7545

SHA256
24c665ef8b4e0210234fa029bc6efd3420ab665742528bce0ae404e483740726

SHA512
017aa2ebacb45120dddbb3c17c4836d947b7921b6c2f966331158aa2fe78b1da40e077805a4c0b4c23f8ddc5ef0f76184948390f771b59c86a94998ab463c75f

Download Submit
memory/1260-19-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-9-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-8-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2380-22-0x0000000000820000-0x000000000082B000-memory.dmp

Filesize
44KB

Download
memory/2380-14-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2380-26-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2380-25-0x0000000000820000-0x000000000082B000-memory.dmp

Filesize
44KB

Download
memory/2380-24-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2380-23-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2380-18-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4060-20-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4060-0-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4060-3-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4060-2-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4060-1-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4704-16-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4704-12-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/4704-11-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing