0aff7bffd67ee87b6505d2cb5fcec2b65a797a8eadcf6820558e55f6ee00708d

General

Target

48585673bc326c4e4e5bcf11cec16a54.exe
Size

2.9MB
MD5

48585673bc326c4e4e5bcf11cec16a54
SHA1

2478bbf870c21568d3cf5348dab7a4ef46b31d99
SHA256

0aff7bffd67ee87b6505d2cb5fcec2b65a797a8eadcf6820558e55f6ee00708d
SHA512

ef2279dcf9c1c4988d590128e9b9b5730d06ea6f47bf258e6c256c1a337b62d25b133a6f95343731005d8c848309c13fc61bce404e43c3b4588970d4e61f41cf
SSDEEP

49152:A8Jie4sELb9UHgckhzU3oYD7rn1f3L2iPNJZkjVxYleAQ6xcs7+JuzE8IOkV59la:A8iLEMU3oYl3L2iPNrkjEleAewuaula

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	48585673bc326c4e4e5bcf11cec16a54.exe

Executes dropped EXE 2 IoCs

pid	Process
1948	server.exe
4680	¸´¼þ 3-2HOMEÏ¡·¹.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4680-21-0x0000000000400000-0x000000000084A000-memory.dmp	upx
behavioral2/files/0x000700000002323a-19.dat	upx
behavioral2/files/0x000700000002323a-18.dat	upx
behavioral2/memory/4680-37-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-50-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-78-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-89-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-90-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-88-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-85-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-83-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-81-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-76-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-74-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-72-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-71-0x0000000000400000-0x000000000084A000-memory.dmp	upx
behavioral2/memory/4680-69-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-55-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-52-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-47-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-42-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-40-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4680-98-0x0000000000400000-0x000000000084A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1020	1948	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4680	¸´¼þ 3-2HOMEÏ¡·¹.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4680	¸´¼þ 3-2HOMEÏ¡·¹.exe
4680	¸´¼þ 3-2HOMEÏ¡·¹.exe
4680	¸´¼þ 3-2HOMEÏ¡·¹.exe
4680	¸´¼þ 3-2HOMEÏ¡·¹.exe
4680	¸´¼þ 3-2HOMEÏ¡·¹.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 1948	5076	48585673bc326c4e4e5bcf11cec16a54.exe	30
PID 5076 wrote to memory of 1948	5076	48585673bc326c4e4e5bcf11cec16a54.exe	30
PID 5076 wrote to memory of 1948	5076	48585673bc326c4e4e5bcf11cec16a54.exe	30
PID 5076 wrote to memory of 4680	5076	48585673bc326c4e4e5bcf11cec16a54.exe	27
PID 5076 wrote to memory of 4680	5076	48585673bc326c4e4e5bcf11cec16a54.exe	27
PID 5076 wrote to memory of 4680	5076	48585673bc326c4e4e5bcf11cec16a54.exe	27

C:\Users\Admin\AppData\Local\Temp\48585673bc326c4e4e5bcf11cec16a54.exe
"C:\Users\Admin\AppData\Local\Temp\48585673bc326c4e4e5bcf11cec16a54.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Local\Temp\¸´¼þ 3-2HOMEÏ¡·¹.exe
  "C:\Users\Admin\AppData\Local\Temp\¸´¼þ 3-2HOMEÏ¡·¹.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4680
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1948 -ip 1948
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 228
1⤵
- Program crash
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
20KB

MD5
32bbcad8a5617af8ad36bf63223ff784

SHA1
3e6a4b384d81dc9f244675666a224e081a22bc66

SHA256
86a919da6a9c3b3129c933e034cd67a418de208cbfe347942a1f565f12c4587f

SHA512
3068c2e899ab4a3b423d942fc41743976fbe6034877f67ee5bcea14074ff5048e93e700fb703909772ee723949517b7296c12fe4712862ef9b0205d4c87bfc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\¸´¼þ 3-2HOMEÏ¡·¹.exe

Filesize
382KB

MD5
a1c51951d6150588ecc82ebcea635abc

SHA1
78479c8b807103679166ee890b6c592e49b5cd7f

SHA256
e030f7877e248a9c7de9fb8814a626534ab41602f55ed2ba24b7c235781dad2f

SHA512
6154377999a624e745163f73ba4a8b4169376d75098eb5cc227f97d159d5aae16f18283a00d3c440317baf945bb30618a833dc15d6e8c334543ff660c730b2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\¸´¼þ 3-2HOMEÏ¡·¹.exe

Filesize
381KB

MD5
b8dc5762f77922a2c418697a7830e2e2

SHA1
15a5fbefe21f328e59443755af8b1c85f2dee186

SHA256
432a0e3714a922881586679added79090830ffb6fad46106d34cc9cffb79c64a

SHA512
418ce1d38b1b36c837c327fb8ac0f67b6056b5d270278770845ad27d2a644c9fe5fa50065fb42963bd24ae124c119552f30c5702402d0e2576a0a644f455da15

Download Submit
C:\Users\Admin\Favorites\Íâ¹Ò×÷·»¹Ù·½Õ¾ [www.zuowg.com].url

Filesize
110B

MD5
f9fc3e4f710ea6068eccca29ed784970

SHA1
eb6f961e7102e3aef227b204ff4dd9563f745812

SHA256
1c12badabe490d7c3d63bb0187965344ce0ed923eab707e446900a9b98913fcb

SHA512
b2d0db7a2c4b4d4e53a8daf2caff6a0ea826133038380e5dcf8c6493417f2884ecd61f047798189a3cff13cca3b9dbe99e5a501ce5de10488b2a337389b019ed

Download Submit
memory/1948-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4680-81-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-72-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-50-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-78-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-89-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-90-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-88-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-85-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-83-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-21-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/4680-76-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-74-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-37-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-71-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/4680-69-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-55-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-52-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-47-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-42-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-40-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4680-98-0x0000000000400000-0x000000000084A000-memory.dmp

Filesize
4.3MB

Download
memory/5076-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing