6c9b902b350f49296325ad3b63d2c9e72b8ae7549c4b2fbf1383c34e24014d69

General

Target

2e03274042622c7564d404ef935cb9af.exe
Size

80KB
MD5

2e03274042622c7564d404ef935cb9af
SHA1

1705a666d1391958c1b99c3b5d9b8b49ec146713
SHA256

6c9b902b350f49296325ad3b63d2c9e72b8ae7549c4b2fbf1383c34e24014d69
SHA512

d89cc35c6e5413c8c6c0d08502666407651e1442680a4d52587e0580818d92e446d79685927816a81c9152975ac1c9146c000366c5788d6f3a4fb4cf5bbadfcb
SSDEEP

1536:p5neEhlcTW5sk17tf2XvWINndIcN6Jg/ltEEWGklmKcXXF1ZIHgKwp:jnj97tfU+INndIc0JgtKbtmvFMmp

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\start.exe:*:Enabled:Windows Application Service"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\mW[íµˆÖ¾`=µú¾˜v%S8’ÿÙêé>grl>Ý\†Ð=ŸàÛ±Þ	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	start.exe

Executes dropped EXE 2 IoCs

pid	Process
3216	start.exe
2536	RichVideoInstall.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2e03274042622c7564d404ef935cb9af.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2828	reg.exe
4876	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3216	start.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 3216	3168	2e03274042622c7564d404ef935cb9af.exe	98
PID 3168 wrote to memory of 3216	3168	2e03274042622c7564d404ef935cb9af.exe	98
PID 3168 wrote to memory of 3216	3168	2e03274042622c7564d404ef935cb9af.exe	98
PID 3216 wrote to memory of 4864	3216	start.exe	97
PID 3216 wrote to memory of 4864	3216	start.exe	97
PID 3216 wrote to memory of 4864	3216	start.exe	97
PID 3216 wrote to memory of 4608	3216	start.exe	96
PID 3216 wrote to memory of 4608	3216	start.exe	96
PID 3216 wrote to memory of 4608	3216	start.exe	96
PID 4608 wrote to memory of 4876	4608	cmd.exe	94
PID 4608 wrote to memory of 4876	4608	cmd.exe	94
PID 4608 wrote to memory of 4876	4608	cmd.exe	94
PID 4864 wrote to memory of 2828	4864	cmd.exe	93
PID 4864 wrote to memory of 2828	4864	cmd.exe	93
PID 4864 wrote to memory of 2828	4864	cmd.exe	93
PID 3168 wrote to memory of 2536	3168	2e03274042622c7564d404ef935cb9af.exe	99
PID 3168 wrote to memory of 2536	3168	2e03274042622c7564d404ef935cb9af.exe	99
PID 3168 wrote to memory of 2536	3168	2e03274042622c7564d404ef935cb9af.exe	99

C:\Users\Admin\AppData\Local\Temp\2e03274042622c7564d404ef935cb9af.exe
"C:\Users\Admin\AppData\Local\Temp\2e03274042622c7564d404ef935cb9af.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RichVideoInstall.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RichVideoInstall.exe
  2⤵
  - Executes dropped EXE
  PID:2536

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "mW[íµˆÖ¾`=µú¾˜v%S8’ÿÙêé>grl>Ý\†Ð=ŸàÛ±Þ
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:2828

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.exe:*:Enabled:Windows Application Service" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:4876

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\start.exe:*:Enabled:Windows Application Service" /f
1⤵
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "mW[íµˆÖ¾`=µú¾˜v%S8’ ÿÙêé>grl>Ý\†Ð=ŸàÛ±Þ
1⤵
- Suspicious use of WriteProcessMemory
PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RichVideoInstall.exe

Filesize
53KB

MD5
023ea60c497954b1cb7e31db70855d6a

SHA1
ac88bf9a82abad1e4a3193066584fde82cdddd83

SHA256
cb70baf4499ac1d1f9852d4fc1bf8ab96f0f4d283168ad50e39121d3edc3d116

SHA512
909ba7284f305549729bfb26aa24efdb7d7764d8e2a42ab1a78deaaff0dd63dbe348d616cbc904a970854b281231919973f70b98be903aefafc10281ca7fa613

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads