53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b

General

Target

53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe
Size

695KB
MD5

71b06297acab518ae39c8326bd806a2c
SHA1

b43171b8d64b4e88d0adfe78288f9447dd720b3e
SHA256

53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b
SHA512

573fb16eef6e2428c3000a9f17f06809f3dd18a8957b97ab771186e47193b3f2da626280e6f4dd4a1eb30996eda16b1ab39035cb428cf6da385ff66a3a3194e9
SSDEEP

12288:8SVDIl99kFgUymfhCx6Joe7OWCDx1arKXloe7S:8SVMl9+FgxmfM0TIb2C+uS

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe

Executes dropped EXE 3 IoCs

pid	Process
3812	PFzwAAwNcHa.exe
3772	PFzwAAwNcHa.exe
2192	PFzwAAwNcHa.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2192-20-0x00000000007F0000-0x00000000007FB000-memory.dmp	upx
behavioral2/memory/2192-19-0x00000000007F0000-0x00000000007FB000-memory.dmp	upx
behavioral2/memory/2192-26-0x0000000004310000-0x000000000431B000-memory.dmp	upx
behavioral2/memory/2192-21-0x0000000004310000-0x000000000431B000-memory.dmp	upx
behavioral2/memory/2192-57-0x00000000007F0000-0x00000000007FB000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PFzwAAwNcHa.exe	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe
File opened for modification	C:\Windows\SysWOW64\PFzwAAwNcHa.exe	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3820	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1664	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe
1664	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe
1664	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe
1664	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe
1664	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe
1664	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe
3812	PFzwAAwNcHa.exe
3812	PFzwAAwNcHa.exe
3772	PFzwAAwNcHa.exe
3772	PFzwAAwNcHa.exe
2192	PFzwAAwNcHa.exe
2192	PFzwAAwNcHa.exe
2192	PFzwAAwNcHa.exe
2192	PFzwAAwNcHa.exe
2192	PFzwAAwNcHa.exe
2192	PFzwAAwNcHa.exe
2192	PFzwAAwNcHa.exe
2192	PFzwAAwNcHa.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1664	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	PFzwAAwNcHa.exe
Token: SeDebugPrivilege	2192	PFzwAAwNcHa.exe
Token: SeDebugPrivilege	2192	PFzwAAwNcHa.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1664	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe
1664	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe
3812	PFzwAAwNcHa.exe
3812	PFzwAAwNcHa.exe
3772	PFzwAAwNcHa.exe
3772	PFzwAAwNcHa.exe
2192	PFzwAAwNcHa.exe
2192	PFzwAAwNcHa.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 3812	1664	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe	88
PID 1664 wrote to memory of 3812	1664	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe	88
PID 1664 wrote to memory of 3812	1664	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe	88
PID 3772 wrote to memory of 2192	3772	PFzwAAwNcHa.exe	96
PID 3772 wrote to memory of 2192	3772	PFzwAAwNcHa.exe	96
PID 3772 wrote to memory of 2192	3772	PFzwAAwNcHa.exe	96
PID 1664 wrote to memory of 2228	1664	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe	95
PID 1664 wrote to memory of 2228	1664	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe	95
PID 1664 wrote to memory of 2228	1664	53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe	95
PID 2228 wrote to memory of 3820	2228	cmd.exe	92
PID 2228 wrote to memory of 3820	2228	cmd.exe	92
PID 2228 wrote to memory of 3820	2228	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe
"C:\Users\Admin\AppData\Local\Temp\53c4b32a8a781731afe7c143495df6cb33c924fef94d5fcc540b2cc9c1ca6f2b.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\PFzwAAwNcHa.exe
  -auto
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228

C:\Windows\SysWOW64\PFzwAAwNcHa.exe
C:\Windows\SysWOW64\PFzwAAwNcHa.exe Service 1
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\SysWOW64\PFzwAAwNcHa.exe
  -a1
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2192

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
1⤵
- Runs ping.exe
PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\PFzwAAwNcHa.exe

Filesize
12KB

MD5
a07fc76430251c752ced823be03c2ec2

SHA1
3723fcfb1b222b1eef897642132c816ecd6ff4fb

SHA256
edcd47f6e3e38cefc7d32afa01703f4b8cef790c5748354bd8e1c0a3e9b990a4

SHA512
1f30300dad4f0e2b8d94d86d5eee36f3268d81d21544042056ee60626097b912da8fdbee42256cf6b88e2c5f814d4073bc54cf27916318d62e0382c30936723d

Download Submit
C:\Windows\SysWOW64\PFzwAAwNcHa.exe

Filesize
288KB

MD5
33970c15a61e33daa6a9666adfc644ad

SHA1
da8a784841915c0284b28e3a84004fb4e207cfe1

SHA256
3476aed06b84e72c29ec3f94c55d7bab031844055b13f22ed8d3c2298ff436e0

SHA512
6719f202f1067148d3850bad579dc056fae3b6e07742a4126972c8fd3c0e2c6af36394f1d0ecec3f2ef042245670c4a038ae10fff08a7cacea342ebff2e0ca48

Download Submit
C:\Windows\SysWOW64\PFzwAAwNcHa.exe

Filesize
57KB

MD5
c0f859412c1526b072bd9be68d381b06

SHA1
7ccae503410ffc987a3388942ecedd3953aa8462

SHA256
ba88212e955fc6a16c1c4385fabe28774266b3f20d9c2c4ed1360b0b7435e623

SHA512
b263443a318d0ebeb9652b5d4ebe776e93d543fb659c5fc60077898995c7f9432fd431825fe56606dad80a7f2dc684e16215aa234b5095c994fd2200c1c7f494

Download Submit
C:\Windows\SysWOW64\PFzwAAwNcHa.exe

Filesize
61KB

MD5
1ebb1581f7b6cdacdad5e525904ecfd0

SHA1
ffd9bb9690484039cbd5afa15cdadafaebcffd1f

SHA256
9cf6818026e5d943a400a298da4fa5dc7e445516b0346ac2d3bd6e1bc8b986a7

SHA512
e5339838a42a059a902ca60d0beb7593332ba2bc29f77b9790a29ac785cf566fa9668fc985eb3418d34b3d34f09a2aac78984fee9c35b1453f9a39dd5b122fcf

Download Submit
memory/1664-2-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download
memory/1664-1-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1664-0-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download
memory/1664-18-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download
memory/2192-28-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/2192-22-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/2192-57-0x00000000007F0000-0x00000000007FB000-memory.dmp

Filesize
44KB

Download
memory/2192-56-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2192-20-0x00000000007F0000-0x00000000007FB000-memory.dmp

Filesize
44KB

Download
memory/2192-19-0x00000000007F0000-0x00000000007FB000-memory.dmp

Filesize
44KB

Download
memory/2192-55-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download
memory/2192-32-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/2192-21-0x0000000004310000-0x000000000431B000-memory.dmp

Filesize
44KB

Download
memory/2192-30-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/2192-26-0x0000000004310000-0x000000000431B000-memory.dmp

Filesize
44KB

Download
memory/2192-24-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/3772-10-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download
memory/3772-12-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/3772-11-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download
memory/3772-15-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download
memory/3812-8-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/3812-7-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download
memory/3812-6-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download
memory/3812-17-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing