3a45b01c18a5f3786aeeec80eba3dbf41538f4dc492b0e175706c5bd59445b07

General

Target

08264961398cb55fd033908fe0cef6f6.exe
Size

1.1MB
MD5

08264961398cb55fd033908fe0cef6f6
SHA1

9dba566764909d30fd655a9c2de50103de54359a
SHA256

3a45b01c18a5f3786aeeec80eba3dbf41538f4dc492b0e175706c5bd59445b07
SHA512

36554339cc83371f62f718b54973ea61f7705ce5e01a29ce8bf363cacfeacba74c8f07fe328b576fe8ea63b5f9eadc1a06c33a54e615e42ec526926cbb427dab
SSDEEP

12288:8Ust0eLUkpjVIyvwkVaqROfnZZV+T04+7MFTQZ3vFIMDmtpoDK0n0QmFxf4piJkw:xstFNBgqRAm04EaeqNtpd3wN5aTRgut

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	08264961398cb55fd033908fe0cef6f6.exe

Executes dropped EXE 1 IoCs

pid	Process
1904	89352532.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000d000000023180-13.dat	upx
behavioral2/files/0x000d000000023180-12.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\89352532 = "C:\\ProgramData\\89352532\\89352532.exe"	08264961398cb55fd033908fe0cef6f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\89352532 = "C:\\PROGRA~3\\89352532\\89352532.exe"	89352532.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4300	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1904	89352532.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4300	taskkill.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1904	89352532.exe
1904	89352532.exe
1904	89352532.exe
1904	89352532.exe
1904	89352532.exe
1904	89352532.exe
1904	89352532.exe
1904	89352532.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1904	89352532.exe
1904	89352532.exe
1904	89352532.exe
1904	89352532.exe
1904	89352532.exe
1904	89352532.exe
1904	89352532.exe
1904	89352532.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 4704	4852	08264961398cb55fd033908fe0cef6f6.exe	97
PID 4852 wrote to memory of 4704	4852	08264961398cb55fd033908fe0cef6f6.exe	97
PID 4852 wrote to memory of 4704	4852	08264961398cb55fd033908fe0cef6f6.exe	97
PID 4704 wrote to memory of 4300	4704	cmd.exe	90
PID 4704 wrote to memory of 4300	4704	cmd.exe	90
PID 4704 wrote to memory of 4300	4704	cmd.exe	90
PID 4704 wrote to memory of 628	4704	cmd.exe	94
PID 4704 wrote to memory of 628	4704	cmd.exe	94
PID 4704 wrote to memory of 628	4704	cmd.exe	94
PID 628 wrote to memory of 1904	628	cmd.exe	93
PID 628 wrote to memory of 1904	628	cmd.exe	93
PID 628 wrote to memory of 1904	628	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\08264961398cb55fd033908fe0cef6f6.exe
"C:\Users\Admin\AppData\Local\Temp\08264961398cb55fd033908fe0cef6f6.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\89352532\89352532.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4704

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 08264961398cb55fd033908fe0cef6f6.exe /f
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\PROGRA~3\89352532\89352532.exe
C:\PROGRA~3\89352532\89352532.exe /install
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1904

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start C:\PROGRA~3\89352532\89352532.exe /install
1⤵
- Suspicious use of WriteProcessMemory
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\89352532\89352532.exe

Filesize
384KB

MD5
e4e63b2bae4f43c0efe57bfdbc33c20d

SHA1
5271b6a96abbe936f957e291d431becc179e22b9

SHA256
bf387564fe08bc95ff8c006e121508d25dffdb1a09079835c416004bd9a10759

SHA512
4782d590e9a8bbbce7705aa349391fe575a6e41bd36a44c101882bb39b157efb94ac449914edebe2c0a7928671f1291715de5430a60bd518bf23622d3dbe87e7

Download Submit
C:\ProgramData\89352532\89352532.bat

Filesize
290B

MD5
5fe2653138cfb3171bb67e517a18e7d5

SHA1
16602e0d2596849c60e6159aee9e335adff6da7d

SHA256
689889a77a30d97681b61a38b77395f45f9df4f99d12fe5e6cf57be488c44891

SHA512
5ca358165fc69cf9639a5c0be334725aa8abcf4ca505cdaacc460a43ec052b69d3f5924c86c52ca1db78c740622739279374223b37e4e1f6e4cfdbb7ab08ec5a

Download Submit
C:\ProgramData\89352532\89352532.exe

Filesize
382KB

MD5
665bba361f8e92a82da454f36ec31a37

SHA1
b58f635407e3e377a510e4ebb07eeb7e38c9bfb7

SHA256
a87b87d685d15b925e893235cc883f3f785dbf3e3196059e2af6557637dfac8b

SHA512
095aeffdde9621fd7331c237130a1f65d857cb5e5fdadc98cc79897f6606332f53e5c4352a42769e0388dc1cabc8ef2d15382cd2719470d43c0794dfc988377c

Download Submit
memory/1904-21-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1904-23-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/1904-34-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1904-33-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1904-17-0x00000000006F0000-0x00000000006F2000-memory.dmp

Filesize
8KB

Download
memory/1904-18-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/1904-16-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/1904-15-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1904-32-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1904-31-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1904-22-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1904-30-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1904-24-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1904-25-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/1904-26-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1904-27-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/1904-28-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/4852-9-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/4852-1-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/4852-2-0x0000000000830000-0x0000000000930000-memory.dmp

Filesize
1024KB

Download
memory/4852-4-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4852-3-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads