175915c9824c5b12ada7da526be511bc8416780451cb20f6aef8c934f0a12d05

General

Target

0adc5873f9235949fde032e26603f31c.exe
Size

1.9MB
MD5

0adc5873f9235949fde032e26603f31c
SHA1

8986003fb286adc1190c98957f8785535c2a0608
SHA256

175915c9824c5b12ada7da526be511bc8416780451cb20f6aef8c934f0a12d05
SHA512

be47230d9b68069aec3cd48bed4237bce943b3ff00fb0f2464d9357a4854eaa7e1c5161430705ecb9196e100c506b976d77be6bcb429077d454fa89ade4af79f
SSDEEP

49152:qQPBCVtjlqbmPverbIsbWtDgmlcnLNUt1dWthbbLI:qQPBCVtjTviIs6txlcnOt1dWtBbLI

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	0adc5873f9235949fde032e26603f31c.exe

Executes dropped EXE 1 IoCs

pid	Process
5068	PhotoFiltre.exe

Loads dropped DLL 2 IoCs

pid	Process
5068	PhotoFiltre.exe
5068	PhotoFiltre.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1936-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/1936-164-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	0adc5873f9235949fde032e26603f31c.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1564	WScript.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1564	WScript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 1564	1936	0adc5873f9235949fde032e26603f31c.exe	35
PID 1936 wrote to memory of 1564	1936	0adc5873f9235949fde032e26603f31c.exe	35
PID 1936 wrote to memory of 1564	1936	0adc5873f9235949fde032e26603f31c.exe	35
PID 1936 wrote to memory of 5068	1936	0adc5873f9235949fde032e26603f31c.exe	94
PID 1936 wrote to memory of 5068	1936	0adc5873f9235949fde032e26603f31c.exe	94
PID 1936 wrote to memory of 5068	1936	0adc5873f9235949fde032e26603f31c.exe	94

C:\Users\Admin\AppData\Local\Temp\0adc5873f9235949fde032e26603f31c.exe
"C:\Users\Admin\AppData\Local\Temp\0adc5873f9235949fde032e26603f31c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\programi\PhotoFiltre\$$$ikona.vbs"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1564
- C:\programi\PhotoFiltre\PhotoFiltre.exe
  "C:\programi\PhotoFiltre\PhotoFiltre.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\programi\PhotoFiltre\$$$ikona.vbs

Filesize
654B

MD5
017a0d5487f4bfcf83c32c1c905bb074

SHA1
27b797487892eec66fe570e5d3629342df7ffe44

SHA256
b4d395a8b7b1d42f3f4114d38a50bbc5de0e0d15c9003656acfb2d1d674398a9

SHA512
6560b18866fa77adff2ce31ddb2d5bf83047c7aff779cfe5c7444df45eeaa4c812dae7f828be988948de094e565b05ef3d17aa095468ab2b0554f773ae246dd1

Download Submit
C:\programi\PhotoFiltre\PhotoFiltre.exe

Filesize
9KB

MD5
83deb7410a29be8ced7a306b0a66b3cd

SHA1
feff68ea0a6d95615978405ea097f6b9b7cccda7

SHA256
7ddb994d8643c8de6022bd2bb1b66616b0abb4c3e8f29bd364cbaa755a1673dd

SHA512
eb8c061d92dcde5dd35346af60fd4e6c25e2ec818bd05eb00096035b8a5bbddaacf0f83f75a83a26c6e058deb237eba7c2675da6135766f88122056595bb5bc5

Download Submit
C:\programi\PhotoFiltre\PhotoFiltre.exe

Filesize
80KB

MD5
9f7a3b9bf8abb39da92e27e092b5594e

SHA1
d480548427a9e720e3b9295e6c128ec3d062e216

SHA256
2af4872f9e72c45b141eb0316546d78e8b417b3e807695a8d8add916b5ebe816

SHA512
4a3eb86c4ebd11cdfea78a11e3fd3e55ca24a534febb88a099e30dc7e7ebfb4aafccd31d2d936beb613a76edecb4ea9bcc16f04ad4ba6bac148de048c5becb00

Download Submit
C:\programi\PhotoFiltre\PhotoFiltre.ini

Filesize
24B

MD5
1bbd2d6e72a34eca640c49441394f48d

SHA1
b2ffc661b57f4192a11e9f7a0a2ac30d135c79e0

SHA256
141abac26d4d987fa571e7860beae799a09e678b1ade9c4d16c677edfb3c0e8e

SHA512
9ff350a323bc3a5088bad50da10f8fe29385b9998bf042f90a8127f88b4678ec5bd832ea04412cf82f92550dc06e8591d78f4b6272fee1a93c809a86259d9df9

Download Submit
C:\programi\PhotoFiltre\TranslationEN.plg

Filesize
64KB

MD5
457200d240bba11b420aa6520b2af324

SHA1
3a5909303310847d9323e7b1e31f6fe367661fdf

SHA256
d42d763293a27ae95bf4c101fdcdf3b187e8c3f4110ff01c9b8c85251dc42251

SHA512
d5e20212a0d2903d364ebcc2693519085bbc7a9c77aef928c98c51ce12dfce7de8d9ae4939173a3672460e5c77408124b9208c934e6bd70328813cf2dce06c44

Download Submit
C:\programi\PhotoFiltre\TranslationEN.plg

Filesize
55KB

MD5
1d004a144a3d4e67d5d31643217bbbf9

SHA1
5d94abbe870f2fb636ff40db535a149276f870b1

SHA256
79e87201f43356f4d71672852977afc22b8e4b4f5192a02366cdd826f1268ac6

SHA512
ee3d658fba8f9602bef3cee213930c56354dbd4975726bddd6f80605b629da64c49aecc7ad29479066561b4ddc3d0fc24db7a120bce71d49ee22e5a266b74d61

Download Submit
C:\programi\PhotoFiltre\TranslationEN.plg

Filesize
48KB

MD5
47d6301116ad2629a614fed089521715

SHA1
bad3fcaed79662ec7853a9b98079e8fd1ba21bcb

SHA256
64f672951613e05e1a2e532e9ac94a9153f81a4fbfcb2e59e72b9bf43a750bec

SHA512
a935e4941c704458d77cc2649520225fe5434c2b1f6df80193c15365cc49b5724d26019abb643ad0bd80848e381c69101eb117633d97baaff23068b72ed19375

Download Submit
memory/1936-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1936-164-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5068-169-0x00000000040B0000-0x00000000040CC000-memory.dmp

Filesize
112KB

Download
memory/5068-165-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/5068-171-0x0000000000400000-0x00000000006CC000-memory.dmp

Filesize
2.8MB

Download
memory/5068-173-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing