35e3aa85bd1d97eed8a682a6eed57007b040a1b0b67e2e13a97fc3f2d5be37a8

General

Target

0abcac168e9f57bfeaa19d1a0e5dbf9b.exe
Size

440KB
MD5

0abcac168e9f57bfeaa19d1a0e5dbf9b
SHA1

d248545e0f652b13356a7f3671215f1bdbb8b874
SHA256

35e3aa85bd1d97eed8a682a6eed57007b040a1b0b67e2e13a97fc3f2d5be37a8
SHA512

91df5115f6e91e51b30bc2c4d6854f53fb15831e2e0c0badb803c2f0721ec7e92ce99f6d60eca93a136c2f3e802fad2a3435cbd06b3c9141ada752f5c1c230cf
SSDEEP

6144:5ZunObR8sVImcyYC5JvY5XlCdraWDgfjrfhartBI+zlbKvCB2txqWwKQ3GdYuxPZ:WK+mzMNE/Ds3fM20lHmYWwH3zuxPnIc

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	0abcac168e9f57bfeaa19d1a0e5dbf9b.exe

Executes dropped EXE 3 IoCs

pid	Process
1092	loadwg.exe
4400	dxcyswg.exe
952	GTH60369.exe

Loads dropped DLL 2 IoCs

pid	Process
4400	dxcyswg.exe
952	GTH60369.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000001e7f9-14.dat	upx
behavioral2/memory/1092-20-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/files/0x000200000001e7fa-22.dat	upx
behavioral2/memory/4400-23-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/1092-30-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral2/memory/4400-37-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/1092-43-0x0000000000400000-0x00000000004AC000-memory.dmp	upx

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1092-30-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe
behavioral2/memory/1092-43-0x0000000000400000-0x00000000004AC000-memory.dmp	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mmsfc1.dll	dxcyswg.exe
File created	C:\Windows\SysWOW64\comres.dll	dxcyswg.exe
File created	C:\Windows\SysWOW64\GTH60369.exe	dxcyswg.exe
File created	C:\Windows\SysWOW64\mmsfc1.dll	dxcyswg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\fOnTs\comres.dll	dxcyswg.exe
File created	C:\Windows\fOnTs\GTH60369.ttf	dxcyswg.exe
File created	C:\Windows\fOnTs\GTH60369.fon	dxcyswg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4400	dxcyswg.exe
4400	dxcyswg.exe
952	GTH60369.exe
952	GTH60369.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1092	loadwg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
952	GTH60369.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1092	1692	0abcac168e9f57bfeaa19d1a0e5dbf9b.exe	100
PID 1692 wrote to memory of 1092	1692	0abcac168e9f57bfeaa19d1a0e5dbf9b.exe	100
PID 1692 wrote to memory of 1092	1692	0abcac168e9f57bfeaa19d1a0e5dbf9b.exe	100
PID 1092 wrote to memory of 4400	1092	loadwg.exe	104
PID 1092 wrote to memory of 4400	1092	loadwg.exe	104
PID 1092 wrote to memory of 4400	1092	loadwg.exe	104
PID 4400 wrote to memory of 952	4400	dxcyswg.exe	105
PID 4400 wrote to memory of 952	4400	dxcyswg.exe	105
PID 4400 wrote to memory of 952	4400	dxcyswg.exe	105

C:\Users\Admin\AppData\Local\Temp\0abcac168e9f57bfeaa19d1a0e5dbf9b.exe
"C:\Users\Admin\AppData\Local\Temp\0abcac168e9f57bfeaa19d1a0e5dbf9b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\dxcyswg.exe
    dxcyswg.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Windows\SysWOW64\GTH60369.exe
      C:\Windows\system32\GTH60369.exe C:\Windows\fOnTs\comres.dll dns C:\Users\Admin\AppData\Local\Temp\RarSFX0\dxcyswg.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\dxcyswg.exe

Filesize
16KB

MD5
0d728917bfe5d5e43b9683733897e897

SHA1
bcd4babb6fe2dd167d9bd53795dddca2e07830b3

SHA256
91aca432b8b075f56591f9d868fa6164cbf6c85d91efb636757cc17035fc537a

SHA512
afdca009ed96686bcdc69129bc34e54360f9960533f38e618c50a6983bd740f1f946ddb086d360d617ae479cdd2870c0ca33ae163bf979b9628c7851264fd84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loadwg.exe

Filesize
333KB

MD5
5a74f1a22e11a717cff8bd4f6f18913d

SHA1
459db43f79a38a9d67aeb248328039eb6c77ac43

SHA256
0e32d8dbe4d9861956539fa69bc3475bedcf1d02f42807b651d2d699928c1d6a

SHA512
bee37a8e334329e4e4fb27f4b9850924aeb2a363d93c770af0dc61ac3b5794b5bf1fecf2978c1cd4a2a0d29a645b49bab78d219480680241792062493249ddaa

Download Submit
C:\Windows\SysWOW64\GTH60369.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\mmsfc1.dll

Filesize
48KB

MD5
98c499fccb739ab23b75c0d8b98e0481

SHA1
0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

SHA256
d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

SHA512
9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

Download Submit
C:\Windows\fOnTs\comres.dll

Filesize
12KB

MD5
500ed35dd00ab4d97149325645fdda56

SHA1
030821994984093e48acebce7faea6fff894bd39

SHA256
2aae8310f3e8560d5f672a690f49b073b037a2c6f43fc8207443f4194711573f

SHA512
666509f6f3f63fae83e777e9bf7050c1f3eaaeffa60d5a06d0d848cb635a2f7424859504fb93f6885554452be12e35efb1ced317335204b0996cf01dc8fdc33b

Download Submit
memory/952-41-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/1092-20-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1092-30-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1092-43-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1692-1-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1692-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1692-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4400-23-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4400-37-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing