1d29a82f343372d9ccc7ecd56d49b03b5dfcc2afb654de212c7fff5c67085f13

General

Target

ff03cb1d0fddde80c681ae5fe7ea2119.exe
Size

5.9MB
MD5

ff03cb1d0fddde80c681ae5fe7ea2119
SHA1

5f8a72a358608c1e650c4196ae3d9ffe498b1087
SHA256

1d29a82f343372d9ccc7ecd56d49b03b5dfcc2afb654de212c7fff5c67085f13
SHA512

0137c3ad8e8f5f72a4cda693b7a43e94d8941c2c2cdff79d0da5b6e310bba7edb7ea04a333fca4d233a92ede731e870a2bcee8f2663b8b69d49d95454d983902
SSDEEP

98304:yHZt5ZGYRjCQuTGOkb9uj5PPY3KuG7GJ9TYKdnSYL2wqcKCBYHDRJ/2LSH:Itl8TZP5oKuG7GJGKddL2wZdW1JDH

Score

7^/10

vmprotect

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	ff03cb1d0fddde80c681ae5fe7ea2119.exe

Executes dropped EXE 1 IoCs

pid	Process
1728	XRJNZC.exe

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3380-5-0x0000000000C80000-0x000000000179B000-memory.dmp	vmprotect
behavioral2/memory/3380-12-0x0000000000C80000-0x000000000179B000-memory.dmp	vmprotect
behavioral2/memory/3380-20-0x0000000000C80000-0x000000000179B000-memory.dmp	vmprotect
behavioral2/files/0x0007000000023232-23.dat	vmprotect
behavioral2/files/0x0007000000023232-22.dat	vmprotect
behavioral2/memory/1728-26-0x0000000000960000-0x000000000147B000-memory.dmp	vmprotect
behavioral2/memory/1728-31-0x0000000000960000-0x000000000147B000-memory.dmp	vmprotect
behavioral2/memory/1728-37-0x0000000000960000-0x000000000147B000-memory.dmp	vmprotect
behavioral2/memory/1728-39-0x0000000000960000-0x000000000147B000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3904	1728	WerFault.exe	95

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4392	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3380	ff03cb1d0fddde80c681ae5fe7ea2119.exe
3380	ff03cb1d0fddde80c681ae5fe7ea2119.exe
1728	XRJNZC.exe
1728	XRJNZC.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 3368	3380	ff03cb1d0fddde80c681ae5fe7ea2119.exe	91
PID 3380 wrote to memory of 3368	3380	ff03cb1d0fddde80c681ae5fe7ea2119.exe	91
PID 3380 wrote to memory of 3368	3380	ff03cb1d0fddde80c681ae5fe7ea2119.exe	91
PID 3368 wrote to memory of 4392	3368	cmd.exe	93
PID 3368 wrote to memory of 4392	3368	cmd.exe	93
PID 3368 wrote to memory of 4392	3368	cmd.exe	93
PID 3368 wrote to memory of 1728	3368	cmd.exe	95
PID 3368 wrote to memory of 1728	3368	cmd.exe	95
PID 3368 wrote to memory of 1728	3368	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\ff03cb1d0fddde80c681ae5fe7ea2119.exe
"C:\Users\Admin\AppData\Local\Temp\ff03cb1d0fddde80c681ae5fe7ea2119.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s2lw.0.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4392
- - C:\ProgramData\pinterests\XRJNZC.exe
    "C:\ProgramData\pinterests\XRJNZC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 628
      4⤵
      Program crash
      PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1728 -ip 1728
1⤵
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pinterests\XRJNZC.exe

Filesize
601KB

MD5
6ee760312b7019cd4dc3d00eadf5809c

SHA1
88e86912f52bc9aa204cab68aa8b7f0efb7bd899

SHA256
997c9a0f29a63e70f9b7666141d2d8352488eeb89dc45b8ea78020ad4a95474e

SHA512
43bec1d0bddffab48d92bbfc6c64c9c317f713cfa2ce3bc861c065ede6787fef606b8070f616d5dc907536f4359176a6d29a01943a5c67f40d040ba3bf4c9e13

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
481KB

MD5
da9b054395b024ad80f619351a421378

SHA1
0a2a86ff8be9e623fb63f6f64c1de51850e3c908

SHA256
ba539f8c17859954a0cd56222ad6e181bc9e19e8014cbc22e78927a1d9e8f898

SHA512
c3fb2102e5f1c52e5b80f2ee43603ab9644b1866a93e831c81df24a424da5b08c4010cad6c24a6a4f7bf4a0ee5f3123967533a979e460a7ef91f05883cf9db31

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2lw.0.bat

Filesize
176B

MD5
6f551400d75a3c7a106ba1c8ab1048f6

SHA1
c822b84bf307d39583707aaf26d633d22ee7105c

SHA256
7ddfd1e4a141cfe56cb62788f7350513638904c98c75e0487c7d79b24973f2a2

SHA512
1485e7888faa1538754e3dfad883e7899e93f2b3ea2d73406948939b7c2caabb645c38e16429f6d9d6d5a37c5c95ef92c553499197b3ad6c2455f4566460c86b

Download Submit
memory/1728-26-0x0000000000960000-0x000000000147B000-memory.dmp

Filesize
11.1MB

Download
memory/1728-31-0x0000000000960000-0x000000000147B000-memory.dmp

Filesize
11.1MB

Download
memory/1728-39-0x0000000000960000-0x000000000147B000-memory.dmp

Filesize
11.1MB

Download
memory/1728-37-0x0000000000960000-0x000000000147B000-memory.dmp

Filesize
11.1MB

Download
memory/1728-24-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/1728-30-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1728-29-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1728-27-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/1728-28-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/1728-25-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/3380-1-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/3380-2-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/3380-0-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/3380-4-0x00000000036F0000-0x00000000036F1000-memory.dmp

Filesize
4KB

Download
memory/3380-3-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/3380-20-0x0000000000C80000-0x000000000179B000-memory.dmp

Filesize
11.1MB

Download
memory/3380-12-0x0000000000C80000-0x000000000179B000-memory.dmp

Filesize
11.1MB

Download
memory/3380-6-0x0000000003700000-0x0000000003701000-memory.dmp

Filesize
4KB

Download
memory/3380-5-0x0000000000C80000-0x000000000179B000-memory.dmp

Filesize
11.1MB

Download

Analysis

Sharing