557c887a13b202d0e85c778df313ba915ffa80e27731f16ba8a75f41e7832ce4

General

Target

557c887a13b202d0e85c778df313ba915ffa80e27731f16ba8a75f41e7832ce4.exe
Size

4.7MB
MD5

372e31f3518e30db46ce1a286e2cd32a
SHA1

fbb7aab65860fb8cc630dc369544638570cb73ad
SHA256

557c887a13b202d0e85c778df313ba915ffa80e27731f16ba8a75f41e7832ce4
SHA512

86dc8b38af015d2a49e93ecef22430b2874fd795cb3d8161634152b017ef0228d9c54bff8673acd952b0233253ec6efbea86c734e1b7e363c20a8079a6f21c5d
SSDEEP

98304:pgKP3NrW4n9BFg1GjwxTNxlPCyOL0ty67cc+8hX8KZWvV74tal37GzDlwBdqOg6U:pg0Bj9BW1GUT+LWPZC4tai3Ogpm+14vo

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	557c887a13b202d0e85c778df313ba915ffa80e27731f16ba8a75f41e7832ce4.exe

Executes dropped EXE 1 IoCs

pid	Process
4800	Update.exe

Loads dropped DLL 1 IoCs

pid	Process
1832	557c887a13b202d0e85c778df313ba915ffa80e27731f16ba8a75f41e7832ce4.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1832-0-0x0000000000400000-0x0000000000A39000-memory.dmp	upx
behavioral2/files/0x0006000000022e09-10.dat	upx
behavioral2/files/0x0006000000022e09-12.dat	upx
behavioral2/files/0x0006000000022e09-13.dat	upx
behavioral2/memory/4800-14-0x0000000000400000-0x0000000000616000-memory.dmp	upx
behavioral2/memory/1832-15-0x0000000000400000-0x0000000000A39000-memory.dmp	upx
behavioral2/memory/4800-16-0x0000000000400000-0x0000000000616000-memory.dmp	upx
behavioral2/memory/4800-20-0x0000000000400000-0x0000000000616000-memory.dmp	upx
behavioral2/memory/4800-24-0x0000000000400000-0x0000000000616000-memory.dmp	upx
behavioral2/memory/4800-27-0x0000000000400000-0x0000000000616000-memory.dmp	upx
behavioral2/memory/4800-31-0x0000000000400000-0x0000000000616000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Internet Explorer\International\Scripts\3	Update.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\3\IEFontSize = 00000000	Update.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4800	Update.exe
4800	Update.exe
4800	Update.exe
4800	Update.exe
4800	Update.exe
4800	Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	4800	Update.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1832	557c887a13b202d0e85c778df313ba915ffa80e27731f16ba8a75f41e7832ce4.exe
1832	557c887a13b202d0e85c778df313ba915ffa80e27731f16ba8a75f41e7832ce4.exe
4800	Update.exe
4800	Update.exe
4800	Update.exe
4800	Update.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 4800	1832	557c887a13b202d0e85c778df313ba915ffa80e27731f16ba8a75f41e7832ce4.exe	89
PID 1832 wrote to memory of 4800	1832	557c887a13b202d0e85c778df313ba915ffa80e27731f16ba8a75f41e7832ce4.exe	89
PID 1832 wrote to memory of 4800	1832	557c887a13b202d0e85c778df313ba915ffa80e27731f16ba8a75f41e7832ce4.exe	89

C:\Users\Admin\AppData\Local\Temp\557c887a13b202d0e85c778df313ba915ffa80e27731f16ba8a75f41e7832ce4.exe
"C:\Users\Admin\AppData\Local\Temp\557c887a13b202d0e85c778df313ba915ffa80e27731f16ba8a75f41e7832ce4.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Update.exe" start
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E2EECore.2.7.2.dll

Filesize
8.4MB

MD5
8b6c94bbdbfb213e94a5dcb4fac28ce3

SHA1
b56102ca4f03556f387f8b30e2b404efabe0cb65

SHA256
982a177924762f270b36fe34c7d6847392b48ae53151dc2011078dceef487a53

SHA512
9d6d63b5d8cf7a978d7e91126d7a343c2f7acd00022da9d692f63e50835fdd84a59a93328564f10622f2b1f6adfd7febdd98b8ddb294d0754ed45cc9c165d25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
698KB

MD5
1a3f4fcbdb58a1f1785a251f00ef5db4

SHA1
86d773cd43982c1f2cae9c823e5f346de7b2d726

SHA256
05b9efa7d7eb9afb785202ab4498aae084f1b8ac4d0fd7e0f22dee4f1b3dcb12

SHA512
20cf75d13076f9f72783d11be1e73b5f3d46f78b0c7f53cc15808f7b651c610b0a701d8afe39785500d3ab78c3e5ad904d784b1798b114b3ca0a6949e2b4be38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
698KB

MD5
1a3f4fcbdb58a1f1785a251f00ef5db4

SHA1
86d773cd43982c1f2cae9c823e5f346de7b2d726

SHA256
05b9efa7d7eb9afb785202ab4498aae084f1b8ac4d0fd7e0f22dee4f1b3dcb12

SHA512
20cf75d13076f9f72783d11be1e73b5f3d46f78b0c7f53cc15808f7b651c610b0a701d8afe39785500d3ab78c3e5ad904d784b1798b114b3ca0a6949e2b4be38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
698KB

MD5
1a3f4fcbdb58a1f1785a251f00ef5db4

SHA1
86d773cd43982c1f2cae9c823e5f346de7b2d726

SHA256
05b9efa7d7eb9afb785202ab4498aae084f1b8ac4d0fd7e0f22dee4f1b3dcb12

SHA512
20cf75d13076f9f72783d11be1e73b5f3d46f78b0c7f53cc15808f7b651c610b0a701d8afe39785500d3ab78c3e5ad904d784b1798b114b3ca0a6949e2b4be38

Download Submit
memory/1832-0-0x0000000000400000-0x0000000000A39000-memory.dmp

Filesize
6.2MB

Download
memory/1832-15-0x0000000000400000-0x0000000000A39000-memory.dmp

Filesize
6.2MB

Download
memory/4800-14-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4800-16-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4800-20-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4800-24-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4800-27-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4800-31-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing