12c1a04a01b2a50126523be7f39bea8afbd17786104e1111628ffb953f2dee2c

General

Target

1e71ff872199864b856503a8972d658d.exe
Size

3.6MB
MD5

1e71ff872199864b856503a8972d658d
SHA1

424929f8685948678b8a7ec501081fbd7a37277b
SHA256

12c1a04a01b2a50126523be7f39bea8afbd17786104e1111628ffb953f2dee2c
SHA512

00f6a588adef8a86697d5e1c1b22101d7aee983c70462ffb28c5887d9a5f8f76a6ad660d81149b09649be482a7d1601578d64869dbc0cf0fd2c44d420b362382
SSDEEP

98304:1u7AEvgVOhaHaEtPW/w2mCzdccnaZjwEktE:QAEvgVOhoD66c0w3tE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	1e71ff872199864b856503a8972d658d.tmp

Executes dropped EXE 2 IoCs

pid	Process
4104	1e71ff872199864b856503a8972d658d.tmp
2440	setup.exe

Loads dropped DLL 17 IoCs

pid	Process
4104	1e71ff872199864b856503a8972d658d.tmp
2440	setup.exe
2440	setup.exe
2440	setup.exe
2440	setup.exe
2440	setup.exe
2440	setup.exe
2440	setup.exe
2440	setup.exe
2440	setup.exe
2440	setup.exe
2440	setup.exe
2440	setup.exe
2440	setup.exe
2440	setup.exe
2440	setup.exe
2440	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2440	setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2440	setup.exe
2440	setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 4104	3272	1e71ff872199864b856503a8972d658d.exe	89
PID 3272 wrote to memory of 4104	3272	1e71ff872199864b856503a8972d658d.exe	89
PID 3272 wrote to memory of 4104	3272	1e71ff872199864b856503a8972d658d.exe	89
PID 4104 wrote to memory of 2440	4104	1e71ff872199864b856503a8972d658d.tmp	94
PID 4104 wrote to memory of 2440	4104	1e71ff872199864b856503a8972d658d.tmp	94
PID 4104 wrote to memory of 2440	4104	1e71ff872199864b856503a8972d658d.tmp	94

C:\Users\Admin\AppData\Local\Temp\1e71ff872199864b856503a8972d658d.exe
"C:\Users\Admin\AppData\Local\Temp\1e71ff872199864b856503a8972d658d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Users\Admin\AppData\Local\Temp\is-EKUOL.tmp\1e71ff872199864b856503a8972d658d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-EKUOL.tmp\1e71ff872199864b856503a8972d658d.tmp" /SL5="$60066,3509953,66560,C:\Users\Admin\AppData\Local\Temp\1e71ff872199864b856503a8972d658d.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Users\Admin\AppData\Local\Temp\tmp2023104040\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp2023104040\setup.exe" /path="C:\Users\Admin\AppData\Local\Temp\1e71ff872199864b856503a8972d658d.exe" /pn=mf
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-C9R83.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C9R83.tmp\setup.exetmp

Filesize
96KB

MD5
a8ead75e9ce7ffde0c93b02c78482c71

SHA1
3a1c3af254d889795e4408cc06d01ccdc93be259

SHA256
226e17ede7185fa615d3282b7e84ccbf7d420ce39be97094f386d61a629d545b

SHA512
7ba7bb2b4640cd41f7abb8179e420886760f7d75bb56e05341212c71039af88c9fc8b347382f18c5b17067e7571d3666e76f7e57d86f52fc8081be56faecf2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EKUOL.tmp\1e71ff872199864b856503a8972d658d.tmp

Filesize
701KB

MD5
5d66e66c72bb42c3f33d3ac15acf1445

SHA1
011ab6d35c38f292f65d3904a81a405fe33e7868

SHA256
928c908d46e033a2e973d536f4aec718edcd7f214376010cd28567d05174cf98

SHA512
3061de25914b17908f2d6d3a85c30f0b3d75a06d866c528c273132b84933b0ee180b13ae95472e80bff9487c875763fe08351ccb30535d00935eb04b0f3b1e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2023104040\rtl140.bpl

Filesize
382KB

MD5
93ff732878418da194278b60d7a59e8a

SHA1
cd8c47f1c678ace49da2398433679d9df3095e62

SHA256
44e0ea7188380d7178d62d37e61ebdf4c771cd4231edfe08aa5491bfca0c5650

SHA512
dd7a1c384324fa35d848daaa5c2e3b7b7bc7dc4e25f84f3dc96751412b8e92553f0845030c0cef7d54e91efa92b68c939efee9243975a80b397e9569eb92ab59

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2023104040\setup.exe

Filesize
1.6MB

MD5
6fb9303fab9235f6beaab431d05848cf

SHA1
a870518742efc0d12733adb6b913753e84987b93

SHA256
899753e746603830bfd746915c77ef8113dcc41dadb9ed0bc859b0aaaa24e7cd

SHA512
af822f5eed924b842db6ba53ac9360ef6bebccc2499b92c18fc7fd63e2c22f5c009c833bb5e4ee6c72e0113b75012ee650455597f9425c90c071c2e556123705

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2023104040\setup.exe

Filesize
92KB

MD5
00ca6bc288884c685015c816a83bba15

SHA1
81c661032779d41cd9c38f2d4b84d2ba577cd0b7

SHA256
d16dd0894d746db75d1cad807caa5a66002228db30969dd509b7ff5e3dbfc095

SHA512
b7428c03952f9b0d9e97603f3bacb6e676a33d2bd742861e219ce71b081bba87c1446486f293afc7036089e11e011f58d1ca048bb79af141cebe85bd4dafa2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2023104040\vcl140.bpl

Filesize
381KB

MD5
3490c43185c7c55ff9cff4aa4f9afc8d

SHA1
b5e93459cc5714ffa3d0ea1811872aac2f32c886

SHA256
00b9a3c77d683c551433f9792fef79949c16217bd35ab7862b42380eb49cc518

SHA512
894616f0910f853a8f07ee9eec3d1f895faa8560233495b374ef4b9e916c480205149956d0bab7b0c450e173484d4332862bce1c466c89839b4e7760edcdb920

Download Submit
memory/2440-251-0x0000000050420000-0x000000005045F000-memory.dmp

Filesize
252KB

Download
memory/2440-250-0x00000000501C0000-0x000000005041C000-memory.dmp

Filesize
2.4MB

Download
memory/2440-260-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/2440-248-0x0000000000400000-0x000000000066A000-memory.dmp

Filesize
2.4MB

Download
memory/2440-249-0x0000000050000000-0x00000000501C0000-memory.dmp

Filesize
1.8MB

Download
memory/2440-241-0x0000000002490000-0x000000000266B000-memory.dmp

Filesize
1.9MB

Download
memory/2440-243-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/2440-253-0x0000000002490000-0x000000000266B000-memory.dmp

Filesize
1.9MB

Download
memory/2440-252-0x0000000040830000-0x0000000040884000-memory.dmp

Filesize
336KB

Download
memory/3272-2-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3272-239-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3272-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4104-7-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4104-220-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing