35f52c888cf98ee94556f754fe6c1c98bc3a80f60c72a08e72e4eb40839d4a6d

General

Target

2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe
Size

55KB
MD5

2c3d49b9fd9f7cdc0f45f7d7da65dcb4
SHA1

7797ee836725cbf635a6f9ffd093eaf815ca9734
SHA256

35f52c888cf98ee94556f754fe6c1c98bc3a80f60c72a08e72e4eb40839d4a6d
SHA512

1d9ab529725d129656c30972d30942cfda81d5751be73f82e09272cfb8db5a9ca12e41697950f5a47b6c3615cd1c143c24fe6bfd750dbb68d3c9d310bc2337fb
SSDEEP

768:Oe3PFaDVyOQgljLDKRJyM3BmsHzSB4us/wJJapg4RoSMZeUZB/QosWpH+DrCUpff:V3cpyORJLuB4P4AJJv4Romu/9tpvUZP

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe

Loads dropped DLL 1 IoCs

pid	Process
4984	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\ie13\Internat Explorer\Desktop.ini	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\ie13\Internat Explorer\Desktop.ini	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe
File created	C:\Program Files (x86)\Microsoft\ie13\Internat Explorer\target.lnk	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe
File opened for modification	C:\Program Files (x86)\Microsoft\ie13\Internat Explorer	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jgpfile\shell	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jgp\ = "jgpfile"	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jgpfile\DefaultIcon	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jgpfile	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jgpfile\shell\open\command	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jgp	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jgpfile\DefaultIcon\ = "%1"	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jgpfile\shell\open	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jgpfile\shell\open\command\ = "explorer \"C:\\Program Files (x86)\\Microsoft\\%*ie%S3\\%2Internat Explorer\""	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 700	4984	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe	86
PID 4984 wrote to memory of 700	4984	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe	86
PID 4984 wrote to memory of 700	4984	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe	86
PID 4984 wrote to memory of 1096	4984	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe	91
PID 4984 wrote to memory of 1096	4984	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe	91
PID 4984 wrote to memory of 1096	4984	2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe	91

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
700	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe
"C:\Users\Admin\AppData\Local\Temp\2c3d49b9fd9f7cdc0f45f7d7da65dcb4.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" "C:\Program Files (x86)\Microsoft\ie13\Internat Explorer" +s
  2⤵
  - Drops file in Program Files directory
  - Views/modifies file attributes
  PID:700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp.bat" "
  2⤵
  PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsb4AA7.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.bat

Filesize
186B

MD5
ec8be1724964689b07d4b95788b6d616

SHA1
6d74c0ccf560d192fa03c4442b91995a57d77506

SHA256
6c661ee097eae66a9038b3b4c27515482d429a44d8ccda80d6cc1df018ace0c2

SHA512
b7e6a16c73f5866e8166564ed6fcab04faf93f66ec78b928c7e7b5a042f64938061d8e044d43c8e53596f96632dc8f894dbb4781c9b5be58e839cd07500b4d31

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads