7c77dfc4193baf07665f410ff1aa78658833300e172d2016c95e6b3765331344

General

Target

16190c451e52c9d33666f52c694d66e7.exe
Size

78KB
MD5

16190c451e52c9d33666f52c694d66e7
SHA1

6dc41230a9ca05bb57ba41672125f7949a1d5c46
SHA256

7c77dfc4193baf07665f410ff1aa78658833300e172d2016c95e6b3765331344
SHA512

bdcc0e1a6f89260c3e28598a59f3da9d64422bd9f906417d0a870ed5fc47b91b4e2e61037a7f7428b6db20c1f3b243c04ba000cc8421b5e39b9a72a12d725ee0
SSDEEP

1536:fKiYAF65m3jCPcVo6r7S/rab7tnouy8uOWPcVo6r7S/rabHnouy8aO:fKzAU5uh7cWbZoutb7cWbHout

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	16190c451e52c9d33666f52c694d66e7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	color.exe

Executes dropped EXE 1 IoCs

pid	Process
1172	color.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000001e7de-19.dat	upx
behavioral2/files/0x000200000001e7df-22.dat	upx
behavioral2/memory/1172-37-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1172-43-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe gamma load = "C:\\ProgramData\\adob\\color.exe"	regedit.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1908	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
4328	regedit.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1020	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 4188	2216	16190c451e52c9d33666f52c694d66e7.exe	95
PID 2216 wrote to memory of 4188	2216	16190c451e52c9d33666f52c694d66e7.exe	95
PID 2216 wrote to memory of 4188	2216	16190c451e52c9d33666f52c694d66e7.exe	95
PID 4188 wrote to memory of 4328	4188	cmd.exe	98
PID 4188 wrote to memory of 4328	4188	cmd.exe	98
PID 4188 wrote to memory of 4328	4188	cmd.exe	98
PID 4188 wrote to memory of 1256	4188	cmd.exe	99
PID 4188 wrote to memory of 1256	4188	cmd.exe	99
PID 4188 wrote to memory of 1256	4188	cmd.exe	99
PID 1256 wrote to memory of 3804	1256	net.exe	100
PID 1256 wrote to memory of 3804	1256	net.exe	100
PID 1256 wrote to memory of 3804	1256	net.exe	100
PID 4188 wrote to memory of 1908	4188	cmd.exe	101
PID 4188 wrote to memory of 1908	4188	cmd.exe	101
PID 4188 wrote to memory of 1908	4188	cmd.exe	101
PID 4188 wrote to memory of 1172	4188	cmd.exe	102
PID 4188 wrote to memory of 1172	4188	cmd.exe	102
PID 4188 wrote to memory of 1172	4188	cmd.exe	102
PID 1172 wrote to memory of 4408	1172	color.exe	103
PID 1172 wrote to memory of 4408	1172	color.exe	103
PID 1172 wrote to memory of 4408	1172	color.exe	103
PID 4408 wrote to memory of 1020	4408	cmd.exe	105
PID 4408 wrote to memory of 1020	4408	cmd.exe	105
PID 4408 wrote to memory of 1020	4408	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\16190c451e52c9d33666f52c694d66e7.exe
"C:\Users\Admin\AppData\Local\Temp\16190c451e52c9d33666f52c694d66e7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BF63.tmp\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s 123.reg
    3⤵
    - Adds Run key to start application
    - Runs .reg file with regedit
    PID:4328
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:3804
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1908
- - C:\ProgramData\adob\color.exe
    C:\ProgramData\adob\color.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9282.tmp\123.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 100
        5⤵
        Runs ping.exe
        
        PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9282.tmp\123.bat

Filesize
158B

MD5
ee8492b5b429e650b89048e92f4f9d68

SHA1
ce4e2b661350d086c05b4d61cefb111676a7cdb5

SHA256
df84b19075d92eccd37782734fd51d95f3b7c2a61380ccf5a701b902be6d95db

SHA512
c6238f2f30e8d6d665be44aba4495cfe320858dd46d0d97ed7b6468c3ec7708d188422b71b85c849114bf266b0680e24724703d8bb52b9e749677ba0050c9a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF63.tmp\1.bat

Filesize
109B

MD5
5fd25964e9b6f81ff172e80d1c7b6af4

SHA1
c2acded3847b8c8a4f373f48c7f0ea2f254c5080

SHA256
8471d34b6bc8fbb6e386d2c0a86b7815d93efbd25928d952ecaf316456a55ed4

SHA512
62fced5af86bc5c5766e3705226f1b79f1fde24c6506e0ba0531443c4691f511216430c25f4d71ba16323657b0111a0fbdcca4f298b82644f4d241676c08f845

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF63.tmp\123.reg

Filesize
332B

MD5
aaa5d717209daca5a9287d9d4f0cb454

SHA1
657dcb0af1436eaf1180f6d46f1476db23d9c573

SHA256
4ff88c295d89a746f96add13abc600f8c485ca5fce752bae377931b672b36023

SHA512
216e6d4fdc4dc53c2d811ce661bcf8dbee534e529b274cec4150fe7f62a64649838b51fa0d153d06231de793a4e6a6bde0e75ef5ad97b8eb8b3066382804ea9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF63.tmp\color.exe

Filesize
21KB

MD5
648666c2b3c6781b54f904ffdab14de3

SHA1
3a5e257d1e17b46e6bf649b23359b2f317815620

SHA256
6d742cca69f05e951c1e12d20007f58bb7a1e11e4981dd11a1948cc9edb98bb0

SHA512
fbec2b3532cc2d8b4362697f8bee39d92b64ac768fe57b1395d336f2cde6509e31a4e9679dc1e8bc95fb2a9fa0de7b79e21f257f4577fa2ccdf6fc48d7d4196c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF63.tmp\copy.exe

Filesize
21KB

MD5
c1acc477923df9ebf4eab7484dcae003

SHA1
1b1575145dd37acb0540d75d50c34106f2e8a727

SHA256
f69a4dfb347bf285d238e57d896ac7ae4974d105b1fb20aa5f40655022a0a888

SHA512
1a58a41b00210517bedb68e4d6dd0bdf2f469ca30343a18c951a4b16d7db3b9951f60d52b4475899f0b8772a7b6e4d1c5962ecab424a3925ebb103784f40d6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BF63.tmp\stop.bat

Filesize
87B

MD5
7e62f6fa7ba08a845e69e30dc2e98b4c

SHA1
bcc455715430f023a91eed7558b9a1d2f54b4e4b

SHA256
811e3e5424be53ca7266b3bfe6300e6250086772cc7685848f910a0e92cb039f

SHA512
af35557f65c1c7562fa2e018cafbdbb9a77b92c75bcdf641e98eaeafab97b10e39fc8f42246f85a3fdb75c9cf3813dd813509842a0011b17e9fcaf4b35efa96a

Download Submit
memory/1172-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1172-43-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads