db3d549dfbf99200cca7bdbf396ab9d9cf8db722cbd286024791afe770393076

General

Target

39a7b452a15a2753a88c8d6ebdcae163abfbb065a9ba7ffa5818a0bf7f6bd05d.exe
Size

2.4MB
MD5

85038cc140f9cb15cffb03d2a8a6a19c
SHA1

d88a3bbbe6f1b6f223c3e70e5372415d80bb80a0
SHA256

39a7b452a15a2753a88c8d6ebdcae163abfbb065a9ba7ffa5818a0bf7f6bd05d
SHA512

540cbf642379537c4ded992bf2725ab8f860d395299647f8f11f24dc3df9f3ba2d70d7232eac05306896778855702db5794e76592fbab03f4ccd72ad4d72a170
SSDEEP

24576:/9PkGgW8ugdGJYDLoL/vddOUmB5I4LjbrMChWVeTsAQYGixubMkeT:OwxH1ah4UTtQYVxub0

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	tmp2.exe

Executes dropped EXE 3 IoCs

pid	Process
2232	tmp1.jpg
3268	tmp2.exe
3556	drpbx.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4872-0-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/4872-9-0x0000000000400000-0x0000000000471000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	tmp2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3556	drpbx.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 3576	4872	39a7b452a15a2753a88c8d6ebdcae163abfbb065a9ba7ffa5818a0bf7f6bd05d.exe	88
PID 4872 wrote to memory of 3576	4872	39a7b452a15a2753a88c8d6ebdcae163abfbb065a9ba7ffa5818a0bf7f6bd05d.exe	88
PID 4872 wrote to memory of 3576	4872	39a7b452a15a2753a88c8d6ebdcae163abfbb065a9ba7ffa5818a0bf7f6bd05d.exe	88
PID 3576 wrote to memory of 2232	3576	cmd.exe	91
PID 3576 wrote to memory of 2232	3576	cmd.exe	91
PID 3576 wrote to memory of 2232	3576	cmd.exe	91
PID 4872 wrote to memory of 3088	4872	39a7b452a15a2753a88c8d6ebdcae163abfbb065a9ba7ffa5818a0bf7f6bd05d.exe	93
PID 4872 wrote to memory of 3088	4872	39a7b452a15a2753a88c8d6ebdcae163abfbb065a9ba7ffa5818a0bf7f6bd05d.exe	93
PID 4872 wrote to memory of 3088	4872	39a7b452a15a2753a88c8d6ebdcae163abfbb065a9ba7ffa5818a0bf7f6bd05d.exe	93
PID 3088 wrote to memory of 3268	3088	cmd.exe	94
PID 3088 wrote to memory of 3268	3088	cmd.exe	94
PID 3268 wrote to memory of 3556	3268	tmp2.exe	97
PID 3268 wrote to memory of 3556	3268	tmp2.exe	97

C:\Users\Admin\AppData\Local\Temp\39a7b452a15a2753a88c8d6ebdcae163abfbb065a9ba7ffa5818a0bf7f6bd05d.exe
"C:\Users\Admin\AppData\Local\Temp\39a7b452a15a2753a88c8d6ebdcae163abfbb065a9ba7ffa5818a0bf7f6bd05d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start %temp%\tmp1.jpg
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Users\Admin\AppData\Local\Temp\tmp1.jpg
    C:\Users\Admin\AppData\Local\Temp\tmp1.jpg
    3⤵
    - Executes dropped EXE
    PID:2232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start %temp%\tmp2.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Users\Admin\AppData\Local\Temp\tmp2.exe
    C:\Users\Admin\AppData\Local\Temp\tmp2.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\tmp2.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: AddClipboardFormatListener
      PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
13KB

MD5
c51ad0a16c67bbffd87fce9476b3a682

SHA1
57a532f1834931e8c8fd7133ed0664084f3ec645

SHA256
ed76531abb05bd1ee2d25c2d1e6342f8282a8d5137ae219c6e38d9e9771899c0

SHA512
4d9c90898c645a699f0920928df2afbc0e1e11ee1c41ac5dec7c640f767b3c349336ec5de41b326f17f3c7a11030615772f5a546ece5168898c875c3149471c8

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
13KB

MD5
c51ad0a16c67bbffd87fce9476b3a682

SHA1
57a532f1834931e8c8fd7133ed0664084f3ec645

SHA256
ed76531abb05bd1ee2d25c2d1e6342f8282a8d5137ae219c6e38d9e9771899c0

SHA512
4d9c90898c645a699f0920928df2afbc0e1e11ee1c41ac5dec7c640f767b3c349336ec5de41b326f17f3c7a11030615772f5a546ece5168898c875c3149471c8

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
13KB

MD5
c51ad0a16c67bbffd87fce9476b3a682

SHA1
57a532f1834931e8c8fd7133ed0664084f3ec645

SHA256
ed76531abb05bd1ee2d25c2d1e6342f8282a8d5137ae219c6e38d9e9771899c0

SHA512
4d9c90898c645a699f0920928df2afbc0e1e11ee1c41ac5dec7c640f767b3c349336ec5de41b326f17f3c7a11030615772f5a546ece5168898c875c3149471c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1.jpg

Filesize
2.2MB

MD5
2307e7cf6ec7aa1411186c88f0257c33

SHA1
f691f26db6d0e2405aac4c33e9bd8de5879d4467

SHA256
bbfaf2eeeaedb9a9010e8f063a1a9a7f6b40f4d5b2ad5a62c649ab1d56edffa7

SHA512
06012db7d552759d4330ccde763c6fcf2c69d0d547d656fa6bfdb0e32bee534fc81f0a18d4b39d26c849f64985fff6492f8a37fcc5594c9381c3acad19cdbf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1.jpg

Filesize
2.2MB

MD5
2307e7cf6ec7aa1411186c88f0257c33

SHA1
f691f26db6d0e2405aac4c33e9bd8de5879d4467

SHA256
bbfaf2eeeaedb9a9010e8f063a1a9a7f6b40f4d5b2ad5a62c649ab1d56edffa7

SHA512
06012db7d552759d4330ccde763c6fcf2c69d0d547d656fa6bfdb0e32bee534fc81f0a18d4b39d26c849f64985fff6492f8a37fcc5594c9381c3acad19cdbf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
13KB

MD5
c51ad0a16c67bbffd87fce9476b3a682

SHA1
57a532f1834931e8c8fd7133ed0664084f3ec645

SHA256
ed76531abb05bd1ee2d25c2d1e6342f8282a8d5137ae219c6e38d9e9771899c0

SHA512
4d9c90898c645a699f0920928df2afbc0e1e11ee1c41ac5dec7c640f767b3c349336ec5de41b326f17f3c7a11030615772f5a546ece5168898c875c3149471c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
13KB

MD5
c51ad0a16c67bbffd87fce9476b3a682

SHA1
57a532f1834931e8c8fd7133ed0664084f3ec645

SHA256
ed76531abb05bd1ee2d25c2d1e6342f8282a8d5137ae219c6e38d9e9771899c0

SHA512
4d9c90898c645a699f0920928df2afbc0e1e11ee1c41ac5dec7c640f767b3c349336ec5de41b326f17f3c7a11030615772f5a546ece5168898c875c3149471c8

Download Submit
memory/3268-10-0x00007FF904B20000-0x00007FF9054C1000-memory.dmp

Filesize
9.6MB

Download
memory/3268-11-0x00007FF904B20000-0x00007FF9054C1000-memory.dmp

Filesize
9.6MB

Download
memory/3268-13-0x00000000013B0000-0x00000000013C0000-memory.dmp

Filesize
64KB

Download
memory/3268-14-0x000000001C3F0000-0x000000001C48C000-memory.dmp

Filesize
624KB

Download
memory/3268-12-0x000000001BF20000-0x000000001C3EE000-memory.dmp

Filesize
4.8MB

Download
memory/3268-28-0x00007FF904B20000-0x00007FF9054C1000-memory.dmp

Filesize
9.6MB

Download
memory/3556-29-0x00007FF904B20000-0x00007FF9054C1000-memory.dmp

Filesize
9.6MB

Download
memory/3556-30-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/3556-31-0x00007FF904B20000-0x00007FF9054C1000-memory.dmp

Filesize
9.6MB

Download
memory/3556-32-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/3556-33-0x00007FF904B20000-0x00007FF9054C1000-memory.dmp

Filesize
9.6MB

Download
memory/3556-34-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/4872-9-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4872-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads