a2e97424599065a0b2f1c25f3881d0f42ba7abd4750ab6b682fb524a3834eaec

General

Target

093e57286e10c4e666db46cd80e83c20.exe
Size

27KB
MD5

093e57286e10c4e666db46cd80e83c20
SHA1

f9eceb549e7c6f3609da0f354b65c9b5eb68d0dc
SHA256

a2e97424599065a0b2f1c25f3881d0f42ba7abd4750ab6b682fb524a3834eaec
SHA512

ca362631cf58b3f0ee082a67c57c6097aca4a1e8e2f4039b1fcf60202a1429086516ed2797b4e5a56c7d816ef4ef23939ca14d114fbf9dcefe581f87be64d0c2
SSDEEP

768:81BcNG1uZNMVPUNHDejyRnFm0/TKKodowr:8GpHMKlnUuydo8

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\mscheck = "rundll32.exe C:\\Windows\\system32\\wincheck071204.dll mymain"	wincheck071204.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	wincheck071204.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	093e57286e10c4e666db46cd80e83c20.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
2868	wincheck071204.exe

Loads dropped DLL 1 IoCs

pid	Process
4900	rundll32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wincheck071204.exe	093e57286e10c4e666db46cd80e83c20.exe
File opened for modification	C:\Windows\SysWOW64\wincheck071204.exe	093e57286e10c4e666db46cd80e83c20.exe
File created	C:\Windows\SysWOW64\wincheck071204.dll	093e57286e10c4e666db46cd80e83c20.exe
File opened for modification	C:\Windows\SysWOW64\wincheck071204.dll	093e57286e10c4e666db46cd80e83c20.exe
File opened for modification	C:\Windows\SysWOW64\wcheck.dll	wincheck071204.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\checkcj.ini	093e57286e10c4e666db46cd80e83c20.exe
File opened for modification	C:\Windows\checkcj.ini	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5012	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4608	093e57286e10c4e666db46cd80e83c20.exe
4608	093e57286e10c4e666db46cd80e83c20.exe
4608	093e57286e10c4e666db46cd80e83c20.exe
4608	093e57286e10c4e666db46cd80e83c20.exe
2868	wincheck071204.exe
2868	wincheck071204.exe
2868	wincheck071204.exe
2868	wincheck071204.exe
2868	wincheck071204.exe
2868	wincheck071204.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	093e57286e10c4e666db46cd80e83c20.exe
Token: SeDebugPrivilege	4608	093e57286e10c4e666db46cd80e83c20.exe
Token: SeDebugPrivilege	2868	wincheck071204.exe
Token: SeDebugPrivilege	2868	wincheck071204.exe
Token: SeDebugPrivilege	2868	wincheck071204.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 4900	4608	093e57286e10c4e666db46cd80e83c20.exe	90
PID 4608 wrote to memory of 4900	4608	093e57286e10c4e666db46cd80e83c20.exe	90
PID 4608 wrote to memory of 4900	4608	093e57286e10c4e666db46cd80e83c20.exe	90
PID 4608 wrote to memory of 5032	4608	093e57286e10c4e666db46cd80e83c20.exe	97
PID 4608 wrote to memory of 5032	4608	093e57286e10c4e666db46cd80e83c20.exe	97
PID 4608 wrote to memory of 5032	4608	093e57286e10c4e666db46cd80e83c20.exe	97
PID 5032 wrote to memory of 5012	5032	cmd.exe	99
PID 5032 wrote to memory of 5012	5032	cmd.exe	99
PID 5032 wrote to memory of 5012	5032	cmd.exe	99
PID 4900 wrote to memory of 5072	4900	rundll32.exe	105
PID 4900 wrote to memory of 5072	4900	rundll32.exe	105
PID 4900 wrote to memory of 5072	4900	rundll32.exe	105
PID 5072 wrote to memory of 2868	5072	cmd.exe	107
PID 5072 wrote to memory of 2868	5072	cmd.exe	107
PID 5072 wrote to memory of 2868	5072	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\093e57286e10c4e666db46cd80e83c20.exe
"C:\Users\Admin\AppData\Local\Temp\093e57286e10c4e666db46cd80e83c20.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Windows\system32\wincheck071204.dll" mymain
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\mycjjk.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\SysWOW64\wincheck071204.exe
      "C:\Windows\system32\wincheck071204.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\jkDelme.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wincheck071204.dll

Filesize
26KB

MD5
43e732a7c10d90e3f6fbd9f044328243

SHA1
1fa4637d03961d8e0826db95621e0b7e3ed4da46

SHA256
a8110f6a8fdc87c0194fce073aa35e70be5eaf9e5e68a55892e7b186bb11aa8d

SHA512
c6393818328ca372247b5a8e2624a89a77006b76321bb09b4129443ddd5ec17ab4184d1d64b9fcb489739f648a5582e78a60ee1a1cb404946bff917eccfcc5d9

Download Submit
C:\Windows\SysWOW64\wincheck071204.exe

Filesize
27KB

MD5
093e57286e10c4e666db46cd80e83c20

SHA1
f9eceb549e7c6f3609da0f354b65c9b5eb68d0dc

SHA256
a2e97424599065a0b2f1c25f3881d0f42ba7abd4750ab6b682fb524a3834eaec

SHA512
ca362631cf58b3f0ee082a67c57c6097aca4a1e8e2f4039b1fcf60202a1429086516ed2797b4e5a56c7d816ef4ef23939ca14d114fbf9dcefe581f87be64d0c2

Download Submit
C:\Windows\checkcj.ini

Filesize
141B

MD5
5c02dda9158ab4f4591ecbaaf01fe03a

SHA1
e0dabe014997b6efb82dab37562247e8a4f9360b

SHA256
60f20e446c263cde265c4d78858daaf31fd61ccab7ea11693592cd7a0bc4afeb

SHA512
c04ef5bb2ddc9c177e8337fe5a3199635bfd3c9ac66e2215e7cc261edf482d5db0bea0dee820e65b310b8bad9b0f16a5e01858a47250c21701c2daf3d8709a38

Download Submit
C:\Windows\checkcj.ini

Filesize
140B

MD5
505a8baf20d70f2264f437da46b90407

SHA1
b833a22f5f64c85e25fe3079268cb6bc3da671bc

SHA256
0a477c771b3aa9da7926a9904279de04ba727b44e5e788687e3ebe5c751b341e

SHA512
4fdb8b7050f82215383cbc77c5339cd81ffc470af64fdeda2e686a9be285d5084ccdf77477249c9ae5fbd54a3ccfc98bc57535d18f3f0192465ec5387af3c025

Download Submit
C:\jkDelme.bat

Filesize
205B

MD5
b9685d9b72dfcb98504d42d9cb71c751

SHA1
c63628390425622a422be9a1d3e58dbf02fb4389

SHA256
2aedf9922c0ca7fd2692ed1fc30d3ee6b8ea295ff84744ee8d88d668c5853b48

SHA512
2f399b7e6a0c52bbd19cbf9fc051a73063536f962fc74273597bed2bd76884634a79aa11fd34471a5de133f9794faa94e7544ce84d286012ba2ea29ab64d1c02

Download Submit
C:\mycjjk.bat

Filesize
52B

MD5
7613c54d05351d0110cab1e8f50e00d3

SHA1
e206b93cce28ec853f13152199064a0ef87d375b

SHA256
3951680106e4f5df715cd90f2911f66b6bac82fea2de68e6074d541b6310652b

SHA512
3015531529cd8989cf94cfc940471ce221d6a65494cb442f45e36dbd553326f412397db64fbb2abb54acf681662572b82cb99c909dc7a4d5083d95883a0e25e0

Download Submit
memory/4900-13-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4900-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4900-39-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads