39d5eceac8e9401ee6f52340cafc3e7ffc7a3385a8cb5b86d830e9a40ad1e600

General

Target

0a3fbc500cc62d841596b09ca3c26a15.exe
Size

427KB
MD5

0a3fbc500cc62d841596b09ca3c26a15
SHA1

f833fbe67258de2b4a16daedce7374c05c7ef02a
SHA256

39d5eceac8e9401ee6f52340cafc3e7ffc7a3385a8cb5b86d830e9a40ad1e600
SHA512

2ebb93672215a288093e6a4159be0723dfcdba3789af461639f4507e45a82b243d8d0ca15f48b4da7b2bee5033288eb288c0782ee42dd10f83de5fe7012e8ff2
SSDEEP

12288:c8P9IOAJOOFJzdrkzlJcsWsHMYaKf5vNZx:rlSJOOFJzJUlJcsWsHLaK5N/

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	0a3fbc500cc62d841596b09ca3c26a15.exe

Executes dropped EXE 3 IoCs

pid	Process
2592	craagle4.exe
4660	craagle4.exe
1728	craagle4.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2364-0-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/2364-1-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/2364-2-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/2364-20-0x0000000000400000-0x000000000043C000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2592 set thread context of 4660	2592	craagle4.exe	93
PID 4660 set thread context of 1728	4660	craagle4.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4660	craagle4.exe
4660	craagle4.exe
1728	craagle4.exe
1728	craagle4.exe
1728	craagle4.exe
1728	craagle4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2592	craagle4.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2592	2364	0a3fbc500cc62d841596b09ca3c26a15.exe	92
PID 2364 wrote to memory of 2592	2364	0a3fbc500cc62d841596b09ca3c26a15.exe	92
PID 2364 wrote to memory of 2592	2364	0a3fbc500cc62d841596b09ca3c26a15.exe	92
PID 2592 wrote to memory of 4660	2592	craagle4.exe	93
PID 2592 wrote to memory of 4660	2592	craagle4.exe	93
PID 2592 wrote to memory of 4660	2592	craagle4.exe	93
PID 2592 wrote to memory of 4660	2592	craagle4.exe	93
PID 2592 wrote to memory of 4660	2592	craagle4.exe	93
PID 2592 wrote to memory of 4660	2592	craagle4.exe	93
PID 2592 wrote to memory of 4660	2592	craagle4.exe	93
PID 2592 wrote to memory of 4660	2592	craagle4.exe	93
PID 2592 wrote to memory of 4660	2592	craagle4.exe	93
PID 4660 wrote to memory of 1728	4660	craagle4.exe	94
PID 4660 wrote to memory of 1728	4660	craagle4.exe	94
PID 4660 wrote to memory of 1728	4660	craagle4.exe	94
PID 4660 wrote to memory of 1728	4660	craagle4.exe	94
PID 4660 wrote to memory of 1728	4660	craagle4.exe	94
PID 4660 wrote to memory of 1728	4660	craagle4.exe	94
PID 1728 wrote to memory of 3268	1728	craagle4.exe	47
PID 1728 wrote to memory of 3268	1728	craagle4.exe	47
PID 1728 wrote to memory of 3268	1728	craagle4.exe	47
PID 1728 wrote to memory of 3268	1728	craagle4.exe	47

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3268
- C:\Users\Admin\AppData\Local\Temp\0a3fbc500cc62d841596b09ca3c26a15.exe
  "C:\Users\Admin\AppData\Local\Temp\0a3fbc500cc62d841596b09ca3c26a15.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\craagle4.exe
    "C:\Users\Admin\AppData\Local\Temp\craagle4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\craagle4.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Users\Admin\AppData\Local\Temp\craagle4.exe
        
        C:\Users\Admin\AppData\Local\Temp\craagle4.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\craagle4.exe

Filesize
372KB

MD5
bd7171acaa41c70629f4f1a166735333

SHA1
74327f1015e6a2a6b14a22a2bb77642cfb1c5dce

SHA256
e84ce4e303692d0b243d61437c35c76af7aa95eefc637c4e6c49e6f71f7b0fa7

SHA512
3a41071635581f90e1fd5ac30e2a6b401074de7ea8c954c96176d5e87b07e68ff0b07e6d50e4a9ee62bd1dd8a19b30eeb450ff792290d6b8ac7e9f4c6d8a7dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\craagle4.exe

Filesize
353KB

MD5
6963fcda7a1503b519730e6180e8dec3

SHA1
88025d0fe7d6940265c6f34453d6b345d919be4e

SHA256
a7a6bb729bfdc65f4ed98f35724148ed5f2ba3670f881335c462bcaddcfffa2e

SHA512
6d9422d2dacdcf65c775bcfcf740d2316b97fee9140f68c76fefe6f9b961b632186d6a168de9cb6fbb2c095293e76d50c59b0c3a7540c3b793ef219fb1771421

Download Submit
C:\Users\Admin\AppData\Local\Temp\craagle4.exe

Filesize
200KB

MD5
bc048a66aba616542e1ebc4e29535d63

SHA1
fa2deab5ae2c598b027df6c1c07a67cb5e6f3e16

SHA256
8401652250ec1b26e0d5c828bca271669aae5d074b97c42e533d344842e6e535

SHA512
96cbd7097dd4249fb5bce141c0a6c0e0338c778b092f921777fa67ac4c58ca36bcc706f35e98457f03c9cf7ca3f74a544f2ec14e2cc9c51093da0af7c1c67d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\craagle4.exe

Filesize
233KB

MD5
956817ed472e73fc251dd714d5d1bc8d

SHA1
1ae55292b46c1fe889774ea9aee7572a3061014d

SHA256
5d15c73a22d13a694f258f71fc466d7cf4b71fb8f44c5993465b180b053e8b78

SHA512
2828f06d5d581920957879c19087a9365735604140a6f7c4fd3d6cad886adfb01e710fa018c584cdf1544244717686dea424d14c2272bdd5185764dd4ea1ac7e

Download Submit
memory/1728-42-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1728-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1728-51-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1728-49-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1728-47-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2364-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2364-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2364-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2364-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-22-0x0000000002050000-0x0000000002054000-memory.dmp

Filesize
16KB

Download
memory/2592-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2592-29-0x00000000777A3000-0x00000000777A4000-memory.dmp

Filesize
4KB

Download
memory/2592-28-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/2592-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2592-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2592-27-0x00000000777A2000-0x00000000777A3000-memory.dmp

Filesize
4KB

Download
memory/2592-43-0x0000000077490000-0x0000000077580000-memory.dmp

Filesize
960KB

Download
memory/2592-23-0x0000000002090000-0x00000000020C9000-memory.dmp

Filesize
228KB

Download
memory/2592-30-0x0000000077490000-0x0000000077580000-memory.dmp

Filesize
960KB

Download
memory/2592-24-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/2592-32-0x0000000077793000-0x0000000077794000-memory.dmp

Filesize
4KB

Download
memory/2592-26-0x0000000002340000-0x0000000002350000-memory.dmp

Filesize
64KB

Download
memory/2592-41-0x0000000002090000-0x00000000020C9000-memory.dmp

Filesize
228KB

Download
memory/2592-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3268-50-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3268-52-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/4660-38-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4660-35-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4660-40-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4660-44-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing