27e94d4a8932c0d19a84970078f2d11824d2e9edafc5cf221d41ff1c63e47dec

General

Target

63bd9e5523c85c4da4cac440a777f1c2.exe
Size

1.4MB
MD5

63bd9e5523c85c4da4cac440a777f1c2
SHA1

88d9f376ecbf824ad5c9b9dc47a76fafda45a499
SHA256

27e94d4a8932c0d19a84970078f2d11824d2e9edafc5cf221d41ff1c63e47dec
SHA512

eacdd1ca9cf49da0212a29b9428c879236bfc7ea9d497b05327bc321b9b2fe5c6dd7bcf6500f5c6b49ac6be4541c02c65556e5f3716d93decab7fce18f711ebb
SSDEEP

24576:pKGeJlka1TqUcEAKrfWmQfBZrZFfYDNoF+GoDWU98VRck3CJIdF9Am69Qaro65ya:GkN48BnFAawDWn7b3MIdF3aMEya

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	63bd9e5523c85c4da4cac440a777f1c2.exe

Executes dropped EXE 3 IoCs

pid	Process
4872	usnscv.exe
3156	usnscv.exe
1492	BES.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\usnscv.exe = "\"C:\\Users\\Admin\\AppData\\Local\\usnscv.exe\" /background"	usnscv.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1384 set thread context of 4872	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	94
PID 4872 set thread context of 3156	4872	usnscv.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1492	BES.exe
1492	BES.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1492	BES.exe
1492	BES.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1492	BES.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 4872	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	94
PID 1384 wrote to memory of 4872	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	94
PID 1384 wrote to memory of 4872	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	94
PID 1384 wrote to memory of 4872	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	94
PID 1384 wrote to memory of 4872	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	94
PID 1384 wrote to memory of 4872	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	94
PID 1384 wrote to memory of 4872	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	94
PID 1384 wrote to memory of 4872	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	94
PID 1384 wrote to memory of 4872	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	94
PID 1384 wrote to memory of 4872	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	94
PID 1384 wrote to memory of 4872	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	94
PID 1384 wrote to memory of 4872	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	94
PID 1384 wrote to memory of 4872	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	94
PID 1384 wrote to memory of 4872	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	94
PID 4872 wrote to memory of 3156	4872	usnscv.exe	93
PID 4872 wrote to memory of 3156	4872	usnscv.exe	93
PID 4872 wrote to memory of 3156	4872	usnscv.exe	93
PID 4872 wrote to memory of 3156	4872	usnscv.exe	93
PID 4872 wrote to memory of 3156	4872	usnscv.exe	93
PID 1384 wrote to memory of 1492	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	95
PID 1384 wrote to memory of 1492	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	95
PID 1384 wrote to memory of 1492	1384	63bd9e5523c85c4da4cac440a777f1c2.exe	95

C:\Users\Admin\AppData\Local\Temp\63bd9e5523c85c4da4cac440a777f1c2.exe
"C:\Users\Admin\AppData\Local\Temp\63bd9e5523c85c4da4cac440a777f1c2.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\usnscv.exe
  "C:\Users\Admin\AppData\Local\usnscv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4872
- C:\Users\Admin\AppData\Local\BES.exe
  "C:\Users\Admin\AppData\Local\BES.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1492

C:\Users\Admin\AppData\Local\usnscv.exe
"C:\Users\Admin\AppData\Local\usnscv.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BES.exe

Filesize
188KB

MD5
1df0316c621326fe3b73d3ea3ae9bce4

SHA1
69ce2ffd76823cf1cca19b3004d93436f3ab10ff

SHA256
cdd0b5fcc9c56ae1cc81a84aca6ec9dced7383a1687cffab6aedeee290382bf5

SHA512
e7353286508e6da3c66f6cc4d93eb9570a87e7fb0a7afe99bad47b7918f5c4ed0fa34c2521f0bb4d2e22bf4453dc49048bc91c3aa0b733b1fb1323ee2e18011c

Download Submit
C:\Users\Admin\AppData\Local\bes.ini

Filesize
22B

MD5
ad620f3a660910ea8ae5814944a79957

SHA1
63f2408e5b6502e9c37cc19b8e0f0184e96e5a98

SHA256
fd8b23de1d8a48cd9367756c3e437fe1eaf4e46c763af06e7b7d3d1f792570ba

SHA512
0f34487b3eb2debe31bd9bb5df227530ec73233876ebcfdd627c5177ed901ddf0186ba1b2a8a3d16df62dac28cb0acd5216fda0121328870350cac49a4ed542f

Download Submit
C:\Users\Admin\AppData\Local\usnscv.exe

Filesize
93KB

MD5
652e4229efd7bada4bd006ec4388d0f9

SHA1
e1b62be4637eed3ed038736226737990e0acdff0

SHA256
af37c70f971d37c976e6c5b76d8acb69571f50fe731a77598a95a6a3a1902c13

SHA512
3898f108fe429acf86148b1f6ce0e22c973ecd791d02464cf11a5e53c2d64b26bddeac0c956be11cb296047d754763c98b544051a3d1a3573bbaec26414cf48a

Download Submit
C:\Users\Admin\AppData\Local\usnscv.exe

Filesize
92KB

MD5
0e5ea9ea73a55783e6894946b2b24528

SHA1
064254ab302e277077298f9fe7478ca4f2e355ec

SHA256
849aa5e6e89d37ecdec4b53232d8931634ebe2c7b43e5fde74a38522238203a6

SHA512
80ad1977b50d60f26f191fbf2cdbe0f84b3b573f8bf6d0a5aa06d9512eac422dc49ae5e711d00c02c83fb8a78f3da3b8b3ed38144134da6e53b97f7eefa757b2

Download Submit
memory/1384-0-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1384-38-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3156-24-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3156-53-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3156-26-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3156-25-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3156-19-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3156-56-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3156-21-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/3156-55-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4872-10-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4872-22-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4872-7-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4872-5-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4872-4-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4872-16-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4872-9-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4872-3-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4872-11-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4872-15-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4872-18-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads