c6ff81f2b369c6ccc684806cf3ea959bd99bcf14324d2e9f8885e27f5dc683a2

General

Target

2bf4c21348ce7b371d1f12dea9ef9460.exe
Size

583KB
MD5

2bf4c21348ce7b371d1f12dea9ef9460
SHA1

ce361e2e54434e2bfb3c4162c67ca6687af5ef7f
SHA256

c6ff81f2b369c6ccc684806cf3ea959bd99bcf14324d2e9f8885e27f5dc683a2
SHA512

8d73cc19d2241b7a4f1d3cde5b0240b640ac7f0f1c0e897af55d11ff84b836e582669e7891d901bbddb282d6a13cb21d6f90aab750a371114dc48b981e185104
SSDEEP

12288:Nc0VOi5w3nFKr9xvt1iGJ5ynomFW1c2obY7SPZxVq/P869t:Np8KwVKvvnnJ5Egocuqc6j

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	2bf4c21348ce7b371d1f12dea9ef9460.exe

Executes dropped EXE 2 IoCs

pid	Process
5072	Server_Setup.exe
516	Hacker.com.cn.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\program files\common files\microsoft shared\msinfo\Server_Setup.jpg	2bf4c21348ce7b371d1f12dea9ef9460.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Hacker.com.cn.exe	Server_Setup.exe
File opened for modification	C:\Windows\Hacker.com.cn.exe	Server_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5072	Server_Setup.exe
Token: SeDebugPrivilege	516	Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
516	Hacker.com.cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 5072	1468	2bf4c21348ce7b371d1f12dea9ef9460.exe	90
PID 1468 wrote to memory of 5072	1468	2bf4c21348ce7b371d1f12dea9ef9460.exe	90
PID 1468 wrote to memory of 5072	1468	2bf4c21348ce7b371d1f12dea9ef9460.exe	90
PID 516 wrote to memory of 640	516	Hacker.com.cn.exe	93
PID 516 wrote to memory of 640	516	Hacker.com.cn.exe	93

C:\Users\Admin\AppData\Local\Temp\2bf4c21348ce7b371d1f12dea9ef9460.exe
"C:\Users\Admin\AppData\Local\Temp\2bf4c21348ce7b371d1f12dea9ef9460.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1468
- C:\program files\common files\microsoft shared\msinfo\Server_Setup.exe
  "C:\program files\common files\microsoft shared\msinfo\Server_Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:5072

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
PID:640

C:\Windows\Hacker.com.cn.exe
C:\Windows\Hacker.com.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\Server_Setup.exe

Filesize
305KB

MD5
1518a96cff8763104aba6eb5212babad

SHA1
d0b9bf9b81881532d52a94e3c4f212de55251b7b

SHA256
92b839a4b43ac78c0ec269b993b418a2982f7d3308ee096e9eb19a87caa971cd

SHA512
fdc727f5e764bca56297926a7f982f490a8577364a66b991493cc30a3350ca97d36f31fae754a959cd61c27c6662cab7905beab889bb7ac2777b1d8e8193c030

Download Submit
C:\Windows\Hacker.com.cn.exe

Filesize
93KB

MD5
4ff9a2593fb56891e4153574f62b42ab

SHA1
d252e483e5453f7737bf349a641168a417982aab

SHA256
692bb8ce59e5829552968933a2cb6a24648e029247a10e7cd6c93b4aec7e595f

SHA512
d9fb505067a91b32920e023307aff9ef10bde8cc62c8b671e6a2a060a90f131926600cf8cec9669b7da88a10da55fd7044e166f333b2c761facbac932c82284c

Download Submit
memory/516-33-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download
memory/516-40-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/516-39-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/516-38-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download
memory/516-36-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download
memory/516-37-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/1468-24-0x0000000002230000-0x0000000002280000-memory.dmp

Filesize
320KB

Download
memory/1468-8-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1468-5-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1468-4-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1468-3-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1468-2-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1468-1-0x0000000002230000-0x0000000002280000-memory.dmp

Filesize
320KB

Download
memory/1468-15-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/1468-14-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/1468-23-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1468-11-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/1468-10-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/1468-9-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1468-0-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1468-7-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1468-6-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/5072-35-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/5072-26-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/5072-34-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download
memory/5072-27-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download
memory/5072-30-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/5072-25-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing