29d6cc5359edb9b0e33c13dbc9db1c8d5defc0eb76c78cc77b6e941fcb202452

General

Target

05d269bf444039a67a4f672c3f3e8add.exe
Size

1.0MB
MD5

05d269bf444039a67a4f672c3f3e8add
SHA1

b477973cfa7b35ab7b757be6f1ea691ea73912d0
SHA256

29d6cc5359edb9b0e33c13dbc9db1c8d5defc0eb76c78cc77b6e941fcb202452
SHA512

dabfc2f0fc57d7813786f1861b1d4f09e80b538b89943b9dbb8ae3324e8e8f94b387dfabf22fcec9545fd2117640086c9698141c1f18f4f31b17bfc3669c91c3
SSDEEP

24576:TWfAedhvZ95Paor1WmDQT3DsZq7iHEPT02NNeiNCA7mY0:T0vZ95PvWR7wdEjNC

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	05d269bf444039a67a4f672c3f3e8add.exe

Executes dropped EXE 1 IoCs

pid	Process
864	05745425.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\05745425 = "C:\\ProgramData\\05745425\\05745425.exe"	05d269bf444039a67a4f672c3f3e8add.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\05745425 = "C:\\PROGRA~3\\05745425\\05745425.exe"	05745425.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
864	05745425.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
864	05745425.exe
864	05745425.exe
864	05745425.exe
864	05745425.exe
864	05745425.exe
864	05745425.exe
864	05745425.exe
864	05745425.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
864	05745425.exe
864	05745425.exe
864	05745425.exe
864	05745425.exe
864	05745425.exe
864	05745425.exe
864	05745425.exe
864	05745425.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 1472	4600	05d269bf444039a67a4f672c3f3e8add.exe	88
PID 4600 wrote to memory of 1472	4600	05d269bf444039a67a4f672c3f3e8add.exe	88
PID 4600 wrote to memory of 1472	4600	05d269bf444039a67a4f672c3f3e8add.exe	88
PID 1472 wrote to memory of 3644	1472	cmd.exe	90
PID 1472 wrote to memory of 3644	1472	cmd.exe	90
PID 1472 wrote to memory of 3644	1472	cmd.exe	90
PID 3644 wrote to memory of 864	3644	cmd.exe	91
PID 3644 wrote to memory of 864	3644	cmd.exe	91
PID 3644 wrote to memory of 864	3644	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\05d269bf444039a67a4f672c3f3e8add.exe
"C:\Users\Admin\AppData\Local\Temp\05d269bf444039a67a4f672c3f3e8add.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\05745425\05745425.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start C:\PROGRA~3\05745425\05745425.exe /install
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\PROGRA~3\05745425\05745425.exe
      C:\PROGRA~3\05745425\05745425.exe /install
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\05745425\05745425.exe

Filesize
855KB

MD5
cf0507aa58653688a07e1542abf67f58

SHA1
9cb3b4e8f858364ad94e912f1e5540bf181e9332

SHA256
e83710f18581adb967cd0ae01bd07093add68d0437f52296875b314cf115be4f

SHA512
df543dacaf655a1954cbe6a42320405ea1182f29dbf91e5cb69f7477ab7dbc18305758dcfb21f92285f4956ff2ab144aa89bf94ab529a8bb5dcc187473ddaff0

Download Submit
C:\ProgramData\05745425\05745425.bat

Filesize
236B

MD5
d25f24c073ca06aa8a13209a813f0743

SHA1
cc83efb9b9c6406a8e308f2da3c9e8723c4808f1

SHA256
4f570992421664db7a91f599c6a2a94dd6e91328075a4943b34215a56a1933ca

SHA512
a74d474bf8991cb08e11da46a615dd47d7d510dde8a7f3f110b415cd692645665dfd387cbff4279914f6ad636db9912d340da6ad061186994b79db12043f3dd2

Download Submit
C:\ProgramData\05745425\05745425.exe

Filesize
1.0MB

MD5
05d269bf444039a67a4f672c3f3e8add

SHA1
b477973cfa7b35ab7b757be6f1ea691ea73912d0

SHA256
29d6cc5359edb9b0e33c13dbc9db1c8d5defc0eb76c78cc77b6e941fcb202452

SHA512
dabfc2f0fc57d7813786f1861b1d4f09e80b538b89943b9dbb8ae3324e8e8f94b387dfabf22fcec9545fd2117640086c9698141c1f18f4f31b17bfc3669c91c3

Download Submit
memory/864-23-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/864-25-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/864-38-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/864-37-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/864-36-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/864-35-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/864-16-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/864-17-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/864-18-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/864-19-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/864-20-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/864-34-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/864-24-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/864-33-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/864-26-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/864-27-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/864-28-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/864-29-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/864-30-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/864-31-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/4600-5-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/4600-1-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/4600-2-0x0000000000860000-0x0000000000960000-memory.dmp

Filesize
1024KB

Download
memory/4600-3-0x0000000000840000-0x0000000000842000-memory.dmp

Filesize
8KB

Download
memory/4600-4-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/4600-10-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads