6132fb32737a39524f33328f9317f329752a8dc10e705a8565b71fec755dc431

General

Target

ee6bfd2f9b53ed923c3b10f3eeab3ed3.exe
Size

178KB
MD5

ee6bfd2f9b53ed923c3b10f3eeab3ed3
SHA1

22eab09935aba748fc208fcf7d533ad284895ddf
SHA256

6132fb32737a39524f33328f9317f329752a8dc10e705a8565b71fec755dc431
SHA512

aaed3c284202b58515dfcf71fa91e26fb2c66e033463660e9f0be9be94daede2352dac31cbc2ef76d7c38c1e6c6bfb316fe3649398d8dcea1d46be3942d9beef
SSDEEP

3072:3q6+ouCpk2mpcWJ0r+QNTBfmj8q6+ouCpk2mpcWJ0r+QNTBfmjW:3ldk1cWQRNTBej8ldk1cWQRNTBejW

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	ee6bfd2f9b53ed923c3b10f3eeab3ed3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\setup.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\setup.bat"	reg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system.ini	cmd.exe
File created	C:\Windows\setup.bat	cmd.exe
File opened for modification	C:\Windows\setup.bat	cmd.exe
File opened for modification	C:\Windows\win.ini	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
3336	taskkill.exe
2028	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
3648	reg.exe
348	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3336	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 1864	3120	ee6bfd2f9b53ed923c3b10f3eeab3ed3.exe	89
PID 3120 wrote to memory of 1864	3120	ee6bfd2f9b53ed923c3b10f3eeab3ed3.exe	89
PID 1864 wrote to memory of 3648	1864	cmd.exe	93
PID 1864 wrote to memory of 3648	1864	cmd.exe	93
PID 1864 wrote to memory of 348	1864	cmd.exe	94
PID 1864 wrote to memory of 348	1864	cmd.exe	94
PID 1864 wrote to memory of 4612	1864	cmd.exe	95
PID 1864 wrote to memory of 4612	1864	cmd.exe	95
PID 1864 wrote to memory of 3336	1864	cmd.exe	96
PID 1864 wrote to memory of 3336	1864	cmd.exe	96
PID 1864 wrote to memory of 3248	1864	cmd.exe	98
PID 1864 wrote to memory of 3248	1864	cmd.exe	98
PID 3248 wrote to memory of 3264	3248	net.exe	99
PID 3248 wrote to memory of 3264	3248	net.exe	99
PID 1864 wrote to memory of 788	1864	cmd.exe	100
PID 1864 wrote to memory of 788	1864	cmd.exe	100
PID 788 wrote to memory of 4956	788	net.exe	101
PID 788 wrote to memory of 4956	788	net.exe	101
PID 1864 wrote to memory of 932	1864	cmd.exe	102
PID 1864 wrote to memory of 932	1864	cmd.exe	102
PID 932 wrote to memory of 3800	932	net.exe	103
PID 932 wrote to memory of 3800	932	net.exe	103
PID 1864 wrote to memory of 2028	1864	cmd.exe	104
PID 1864 wrote to memory of 2028	1864	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\ee6bfd2f9b53ed923c3b10f3eeab3ed3.exe
"C:\Users\Admin\AppData\Local\Temp\ee6bfd2f9b53ed923c3b10f3eeab3ed3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\465F.tmp\4670.tmp\4671.bat C:\Users\Admin\AppData\Local\Temp\ee6bfd2f9b53ed923c3b10f3eeab3ed3.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\setup.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:3648
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\setup.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:348
- - C:\Windows\system32\mode.com
    mode 800
    3⤵
    PID:4612
- - C:\Windows\system32\taskkill.exe
    taskkill /IM explorer.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3336
- - C:\Windows\system32\net.exe
    net user Admin /delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin /delete
      4⤵
      PID:3264
- - C:\Windows\system32\net.exe
    net user Admin /del
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:788
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin /del
      4⤵
      PID:4956
- - C:\Windows\system32\net.exe
    net stop "Themes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Themes"
      4⤵
      PID:3800
- - C:\Windows\system32\taskkill.exe
    taskkill /IM wininit.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\465F.tmp\4670.tmp\4671.bat

Filesize
2KB

MD5
2442a13b59684193d389f0cc947f44fa

SHA1
e9e39f1f080b827ef8df139501d3679332c4e2e5

SHA256
7d8cc630d28bef8c0ca5c34799e975159551f507c62db0d0cf09288960a4a6dc

SHA512
ae8f69330155a02ff9cd9f365322c7cf14bac8df288127f284ae1061e4adff5af2b35327596959ef7fb5e3191bfc4258629ef5fa9ff9ca5241bc45c785c1f789

Download Submit
C:\Windows\setup.bat

Filesize
178KB

MD5
ee6bfd2f9b53ed923c3b10f3eeab3ed3

SHA1
22eab09935aba748fc208fcf7d533ad284895ddf

SHA256
6132fb32737a39524f33328f9317f329752a8dc10e705a8565b71fec755dc431

SHA512
aaed3c284202b58515dfcf71fa91e26fb2c66e033463660e9f0be9be94daede2352dac31cbc2ef76d7c38c1e6c6bfb316fe3649398d8dcea1d46be3942d9beef

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads