eecd0c3ecc0098784090692a619ddf39b75fb9dd5d9143722e62294096534948

General

Target

041446924f9462d185ce680cfe40b1cd.exe
Size

711KB
MD5

041446924f9462d185ce680cfe40b1cd
SHA1

ab5d1b015016e8ebf1024ef30c9a1fc3300d8423
SHA256

eecd0c3ecc0098784090692a619ddf39b75fb9dd5d9143722e62294096534948
SHA512

fbc25524652d3deccb3f6fef6a7d3db55c3f71de3ddd0a6a3180a7917ad56d309ffc356327a5221e00d724b212185168e719f7af03aed55ec2378cefe45dfcc5
SSDEEP

12288:hLshYUaIY8DeY4IqRZLRfaflAZlAD/xUNnCD/pTZFQP+bXStj0DQv63Ws6:hLWBY8SQqbFfamZaDZCsNG2bxi26

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	SFSFABB.tmp

Executes dropped EXE 2 IoCs

pid	Process
868	SFSFA5E.tmp
5104	SFSFABB.tmp

Loads dropped DLL 1 IoCs

pid	Process
5104	SFSFABB.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Invocation\uninstal.exe	SFSFABB.tmp
File opened for modification	C:\Program Files (x86)\Invocation\uninstal.ini	SFSFABB.tmp
File created	C:\Program Files (x86)\Invocation\Motepad.exe	SFSFABB.tmp
File opened for modification	C:\Program Files (x86)\Invocation\invocation.txt	SFSFABB.tmp
File created	C:\Program Files (x86)\Invocation\invocation.txt	SFSFABB.tmp
File opened for modification	C:\Program Files (x86)\Invocation\readthis.txt	SFSFABB.tmp
File created	C:\Program Files (x86)\Invocation\readthis.txt	SFSFABB.tmp
File opened for modification	C:\Program Files (x86)\Invocation\Motepad.exe	SFSFABB.tmp
File opened for modification	C:\Program Files (x86)\Invocation\temple.EXE	SFSFABB.tmp
File created	C:\Program Files (x86)\Invocation\temple.EXE	SFSFABB.tmp
File opened for modification	C:\Program Files (x86)\Invocation\uninstal.exe	SFSFABB.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	SFSFABB.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 984 wrote to memory of 868	984	041446924f9462d185ce680cfe40b1cd.exe	88
PID 984 wrote to memory of 868	984	041446924f9462d185ce680cfe40b1cd.exe	88
PID 984 wrote to memory of 868	984	041446924f9462d185ce680cfe40b1cd.exe	88
PID 868 wrote to memory of 5104	868	SFSFA5E.tmp	89
PID 868 wrote to memory of 5104	868	SFSFA5E.tmp	89
PID 868 wrote to memory of 5104	868	SFSFA5E.tmp	89
PID 5104 wrote to memory of 2740	5104	SFSFABB.tmp	98
PID 5104 wrote to memory of 2740	5104	SFSFABB.tmp	98
PID 5104 wrote to memory of 2740	5104	SFSFABB.tmp	98

C:\Users\Admin\AppData\Local\Temp\041446924f9462d185ce680cfe40b1cd.exe
"C:\Users\Admin\AppData\Local\Temp\041446924f9462d185ce680cfe40b1cd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:984
- C:\Users\Admin\AppData\Local\Temp\SFSFA5E.tmp
  "C:\Users\Admin\AppData\Local\Temp\SFSFA5E.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\SFSFABB.tmp
    "C:\Users\Admin\AppData\Local\Temp\SFSFABB.tmp"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Invocation\readthis.txt
      4⤵
      PID:2740

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Invocation\readthis.txt

Filesize
3KB

MD5
3ec73de0d9ccd489ff9e8e463eb50b06

SHA1
3e7a6920733c523e408a1502645a2d025e59e08b

SHA256
a115cec0018c94011fb1715356a92bd78486055eddbb5ae04a1c7fd450a81f4c

SHA512
c989fa522febe7cc55667c33b0f01663683c826dcd9879fffdcea999d27c6e65e70e1971ab5b28d5cd01745f204f4488551dcaed764194a8a159a0c692dda02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SFSFA5E.tmp

Filesize
691KB

MD5
96de23fddcb50155dcc6345f4c21a6db

SHA1
dd6762249dcaf8a82394c880eef25971ff260fc0

SHA256
bf2f2d497a8ae8a23dc99fbd17be02f5adc20d9682878e8e0811418bef80bfb0

SHA512
92f07ce42784cab4819cf1b833fbb3b6ab8ec0e206966efed5c3d29eb9f2ca364d413c3b357a108c2092de210aeb1704214f5bd21c0f0eaf3cec4dac33bc767f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SFSFABB.tmp

Filesize
641KB

MD5
d7a6ea49b6bd395c2d28ad4518a0133f

SHA1
842c1515d37d0b51eb64d9cdf659228e95112959

SHA256
dbfee2fcfec4306669a7a83491acd39fc93a74b888ac337ce25f06cba1985d01

SHA512
5083028b35c9668327d132fddab9884934e544674cec3a234e8a66c37af5a7cf4fcb5b3b97f7a910be0330a1fff94b2f629f50863b52971d0c28b7928345074b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SFSFABB.tmp

Filesize
547KB

MD5
efd23f7b06b28897b3628bfcf94181e4

SHA1
e8dd03d2df56448235e2d9b77514e6dbc4d8562a

SHA256
e4c5b72171f710b7c90f6ca9af174a923569040f694fcbd2e8e256bd972617d9

SHA512
c7556533ab47b6c35239c9739c2da8e1c7cb33d2f746f1cd0dcc60c76db0cfdc2552fc42053be8ca00376c630090bfdca9d3a4ad050266a1ad34d30f4ed56278

Download Submit
C:\ginstall.dll

Filesize
47KB

MD5
0106ee9288f3bd406d934355299bfd0b

SHA1
44e5388143b3418c6e37d51287ba30e4688a8c36

SHA256
cea6bf17298d0f7210c4cde5224e9400e1b180e644e4ef1b03d453990170bf3a

SHA512
61487829835c1ee81cd310c2a4be1e0e51703ee7235b40c46eb2397520c2d44fe9636d5f8db0d9c88e41974d34263c37ce98647f3f43fd96ec3e4d450dd86387

Download Submit

Analysis

Sharing