fe599748a5a699ce100ae1e163772ab2a63e55095c1d18a3b5b4415d9f22d9c1

General

Target

051226b142870d0d000b78c85a90e279.exe
Size

473KB
MD5

051226b142870d0d000b78c85a90e279
SHA1

7131bfec7bfc72f2c0f8e04351cbe139885f6392
SHA256

fe599748a5a699ce100ae1e163772ab2a63e55095c1d18a3b5b4415d9f22d9c1
SHA512

80ecc818276eea1a46c3102aa67217fa112cdf180b78b1b2f5f1bb7b04f6d18486ff929ad134b9d72abfcfe44014340863685219a311dba94db9c1b37c9818c4
SSDEEP

12288:oHSTbqfM75JIpPiWNjCM4AvT20UPNZBU+oFks:+SRjIpPiWstGKj1RoFk

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	051226b142870d0d000b78c85a90e279.exe

Executes dropped EXE 1 IoCs

pid	Process
1732	Msngers.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Msngers = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Msngers.exe"	Msngers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1260	051226b142870d0d000b78c85a90e279.exe
1260	051226b142870d0d000b78c85a90e279.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1260	051226b142870d0d000b78c85a90e279.exe
1260	051226b142870d0d000b78c85a90e279.exe
1732	Msngers.exe
1732	Msngers.exe
1732	Msngers.exe
1732	Msngers.exe
1732	Msngers.exe
1732	Msngers.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1732	1260	051226b142870d0d000b78c85a90e279.exe	95
PID 1260 wrote to memory of 1732	1260	051226b142870d0d000b78c85a90e279.exe	95
PID 1260 wrote to memory of 1732	1260	051226b142870d0d000b78c85a90e279.exe	95
PID 1260 wrote to memory of 1404	1260	051226b142870d0d000b78c85a90e279.exe	96
PID 1260 wrote to memory of 1404	1260	051226b142870d0d000b78c85a90e279.exe	96
PID 1260 wrote to memory of 1404	1260	051226b142870d0d000b78c85a90e279.exe	96

C:\Users\Admin\AppData\Local\Temp\051226b142870d0d000b78c85a90e279.exe
"C:\Users\Admin\AppData\Local\Temp\051226b142870d0d000b78c85a90e279.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\Msngers.exe
  "C:\Users\Admin\AppData\Local\Temp\Msngers.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:1732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c deleteself.bat
  2⤵
  PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WHUIQOC9\errorPageStrings[1]

Filesize
4KB

MD5
d65ec06f21c379c87040b83cc1abac6b

SHA1
208d0a0bb775661758394be7e4afb18357e46c8b

SHA256
a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

SHA512
8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WHUIQOC9\httpErrorPagesScripts[1]

Filesize
11KB

MD5
9234071287e637f85d721463c488704c

SHA1
cca09b1e0fba38ba29d3972ed8dcecefdef8c152

SHA256
65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

SHA512
87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Download Submit
C:\Users\Admin\AppData\Local\Temp\Msngers.exe

Filesize
473KB

MD5
051226b142870d0d000b78c85a90e279

SHA1
7131bfec7bfc72f2c0f8e04351cbe139885f6392

SHA256
fe599748a5a699ce100ae1e163772ab2a63e55095c1d18a3b5b4415d9f22d9c1

SHA512
80ecc818276eea1a46c3102aa67217fa112cdf180b78b1b2f5f1bb7b04f6d18486ff929ad134b9d72abfcfe44014340863685219a311dba94db9c1b37c9818c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\deleteself.bat

Filesize
198B

MD5
cf1fc1ae815748f7063cc3e57ea5d61a

SHA1
d99c3ef41f9862cf98b860edcc2a6131f556516a

SHA256
1b6d7360afa2b1628e9b211b1600782a623a65d1783ff62958547daffaaef50c

SHA512
1325511587dd291648915669ba9481d303fc02abaeaccb77fcd44b61b2c3f3983d1948a971fd49cbc3dfb3dfcbb62e5e88fef9ddf832ec14b843edc2ecf611f9

Download Submit
memory/1260-18-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/1260-0-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/1260-19-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1260-21-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1260-10-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1260-2-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1732-16-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1732-20-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1732-23-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1732-61-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1732-75-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads