976faa461466714f516e4a1f9d8a565500e1fb74d7cd0831b1a392ae734f51f6

General

Target

0400e13ad07fd736415c0b15d5c21059.exe
Size

1.1MB
MD5

0400e13ad07fd736415c0b15d5c21059
SHA1

9fdc383f1b9fcd3d53c5e426590c8e709cb05207
SHA256

976faa461466714f516e4a1f9d8a565500e1fb74d7cd0831b1a392ae734f51f6
SHA512

ddcd34bb2916d0399a71beaa7894f36f5b031ebc8ec2ea04b15f37205d4bf8f985b8ca4d8099511daeead7a373edb28ca14c8e4207efdd5f509c1db11600589a
SSDEEP

12288:0DzCULENhswjFtLYFRMvw7PfugKIkyOhwmcF/Tw+3WFbJaLpgpEcTpSm2Wf9X8c8:tPswjFtL6lvChOenjjSmJN8g+TBTyv

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	0400e13ad07fd736415c0b15d5c21059.exe

Executes dropped EXE 1 IoCs

pid	Process
1916	52756227.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002321a-13.dat	upx
behavioral2/files/0x000700000002321a-12.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\52756227 = "C:\\ProgramData\\52756227\\52756227.exe"	0400e13ad07fd736415c0b15d5c21059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\52756227 = "C:\\PROGRA~3\\52756227\\52756227.exe"	52756227.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2228	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1916	52756227.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	taskkill.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1916	52756227.exe
1916	52756227.exe
1916	52756227.exe
1916	52756227.exe
1916	52756227.exe
1916	52756227.exe
1916	52756227.exe
1916	52756227.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1916	52756227.exe
1916	52756227.exe
1916	52756227.exe
1916	52756227.exe
1916	52756227.exe
1916	52756227.exe
1916	52756227.exe
1916	52756227.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 3748	2572	0400e13ad07fd736415c0b15d5c21059.exe	87
PID 2572 wrote to memory of 3748	2572	0400e13ad07fd736415c0b15d5c21059.exe	87
PID 2572 wrote to memory of 3748	2572	0400e13ad07fd736415c0b15d5c21059.exe	87
PID 3748 wrote to memory of 2228	3748	cmd.exe	90
PID 3748 wrote to memory of 2228	3748	cmd.exe	90
PID 3748 wrote to memory of 2228	3748	cmd.exe	90
PID 3748 wrote to memory of 3200	3748	cmd.exe	93
PID 3748 wrote to memory of 3200	3748	cmd.exe	93
PID 3748 wrote to memory of 3200	3748	cmd.exe	93
PID 3200 wrote to memory of 1916	3200	cmd.exe	94
PID 3200 wrote to memory of 1916	3200	cmd.exe	94
PID 3200 wrote to memory of 1916	3200	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\0400e13ad07fd736415c0b15d5c21059.exe
"C:\Users\Admin\AppData\Local\Temp\0400e13ad07fd736415c0b15d5c21059.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\52756227\52756227.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 0400e13ad07fd736415c0b15d5c21059.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start C:\PROGRA~3\52756227\52756227.exe /install
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\PROGRA~3\52756227\52756227.exe
      C:\PROGRA~3\52756227\52756227.exe /install
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\52756227\52756227.exe

Filesize
800KB

MD5
3c69001eee0ee7c9a952537edf66e255

SHA1
091458cbc764837bd39cc822d86fe3a1676008f7

SHA256
4efbbcb94fd57f586183f789724a1ed86720167649d3799a7b497265494f3574

SHA512
959615538ebb4f2d716f8eb1ae5331a9c8433d956c8b59a6c54b6d7a6b44f26e055f4a98136776e0c991fa999131150710ae9e9240534df2035acebc1d395f5a

Download Submit
C:\ProgramData\52756227\52756227.bat

Filesize
290B

MD5
8847e3ef4312cf024670b9a285de1f57

SHA1
407d0bef185b1dc72e46167de50dfacfb2eddf4b

SHA256
9bf70c7b6d01610b5aae94833ee392b0e2e01da31f346dc86d027d97368ac774

SHA512
75fd0f069ad628c824df2156a6f8d7143a5e52ccaa861a045c83ab016f7f792987cfc65bece5d55dde200a85dc0da03b9873d0e1bab4701c7fa56e8580cf60f0

Download Submit
C:\ProgramData\52756227\52756227.exe

Filesize
655KB

MD5
7163e91719f27b846ff3e1d579cafdcf

SHA1
6afefc8c49c9bc69c43e027f6eb33069e23ace88

SHA256
14ac88a64fbd364d4e5d83f26dbc14407e483badb9338a5ae736e069b30c61c3

SHA512
bff0d292cb4a768168963cd5bac5567adca9e99430575dbe7136e4ff99ec2abca3fa287ee71130f451302cb54e392adceac92012f2f62a52d63d5a47f541e0f1

Download Submit
memory/1916-21-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1916-23-0x0000000000920000-0x0000000000A20000-memory.dmp

Filesize
1024KB

Download
memory/1916-34-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1916-33-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1916-32-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1916-15-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1916-16-0x0000000000920000-0x0000000000A20000-memory.dmp

Filesize
1024KB

Download
memory/1916-17-0x0000000000730000-0x0000000000732000-memory.dmp

Filesize
8KB

Download
memory/1916-18-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1916-31-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1916-22-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1916-29-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1916-24-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1916-25-0x0000000000730000-0x0000000000732000-memory.dmp

Filesize
8KB

Download
memory/1916-26-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1916-27-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1916-28-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2572-9-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2572-1-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2572-2-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/2572-3-0x0000000000840000-0x0000000000842000-memory.dmp

Filesize
8KB

Download
memory/2572-4-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads