72809b8aea10c51a671cbc71c14eb406bd8d41901acbe11789c2a4285b8d21d9

General

Target

21720697197ad4dde61f63f81c03a10e.exe
Size

1016KB
MD5

21720697197ad4dde61f63f81c03a10e
SHA1

ddc59b7dff2817440b5333086230ff3fb19487d9
SHA256

72809b8aea10c51a671cbc71c14eb406bd8d41901acbe11789c2a4285b8d21d9
SHA512

66a5b5f63b6f9b7043a232027333d01f20cee0b85a5d1972e9913daf7efb1b478fa2031467e4458363024ae9c41ca49636c1f5916caec43997c95f9f4d9f12a5
SSDEEP

24576:dkVyCdYXwU5mm3K+NV4gBopyvucDDCazjSY:OV5Imm6+NV4gNVP

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	21720697197ad4dde61f63f81c03a10e.exe

Executes dropped EXE 1 IoCs

pid	Process
3300	84523628.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\84523628 = "C:\\ProgramData\\84523628\\84523628.exe"	21720697197ad4dde61f63f81c03a10e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\84523628 = "C:\\PROGRA~3\\84523628\\84523628.exe"	84523628.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3300	84523628.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3300	84523628.exe
3300	84523628.exe
3300	84523628.exe
3300	84523628.exe
3300	84523628.exe
3300	84523628.exe
3300	84523628.exe
3300	84523628.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
3300	84523628.exe
3300	84523628.exe
3300	84523628.exe
3300	84523628.exe
3300	84523628.exe
3300	84523628.exe
3300	84523628.exe
3300	84523628.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 3000	4800	21720697197ad4dde61f63f81c03a10e.exe	92
PID 4800 wrote to memory of 3000	4800	21720697197ad4dde61f63f81c03a10e.exe	92
PID 4800 wrote to memory of 3000	4800	21720697197ad4dde61f63f81c03a10e.exe	92
PID 3000 wrote to memory of 4860	3000	cmd.exe	93
PID 3000 wrote to memory of 4860	3000	cmd.exe	93
PID 3000 wrote to memory of 4860	3000	cmd.exe	93
PID 4860 wrote to memory of 3300	4860	cmd.exe	94
PID 4860 wrote to memory of 3300	4860	cmd.exe	94
PID 4860 wrote to memory of 3300	4860	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\21720697197ad4dde61f63f81c03a10e.exe
"C:\Users\Admin\AppData\Local\Temp\21720697197ad4dde61f63f81c03a10e.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\84523628\84523628.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start C:\PROGRA~3\84523628\84523628.exe /inst
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\PROGRA~3\84523628\84523628.exe
      C:\PROGRA~3\84523628\84523628.exe /inst
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\84523628\84523628.exe

Filesize
460KB

MD5
a898eab4d3892d445901eb53f4166c6f

SHA1
eec70e1fb9ec7278ad8f999580558cf9bf62f82b

SHA256
e23ae972a6076e9c6c79881c71eb5cd13bd367e791b4f9d29ea3fe93fce9834e

SHA512
84921cd9fbaeb94cdc8db1bb2e041b8c426a47500e14de2cc70cf22ea491dd6e3a19127f35f91863ad20cc95ae25a64685a603ee20535ea60c15e6246908f311

Download Submit
C:\ProgramData\84523628\84523628.bat

Filesize
233B

MD5
17be84d2950e0fdcab1aa609a0f04980

SHA1
4b26e0da72233d6d0ce831699382b553f3daac07

SHA256
7e43dd02722c996ee9af862ff05da0471df8ca4afa999b57d561ba57e1f0bec9

SHA512
655b4d0dd80254df051a13d44d43ce592be6f9036ab3c4ab1357ceb877e084830ed462ab109e1cc48d90dbb780ca33c197ed2ee2c0b305d81381a10aa3647e51

Download Submit
C:\ProgramData\84523628\84523628.exe

Filesize
453KB

MD5
decbe7b4e61c94d224f52d20ae8f76e2

SHA1
343395cdd9f55ddae27995ee83f5bb64852e1e65

SHA256
c4ea75a7d0de9bb4f390644b7fea55c75678f417c5070b6d1cf11fc078df7dfb

SHA512
fa70959f08149c8b218d7be1364ee881724c4ade49a4b89bdb932f5f2160e71730089a74d328a29c0ed22e4b0072a422c6324389692954f274054574082489ed

Download Submit
memory/3300-21-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3300-23-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/3300-33-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3300-15-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3300-32-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3300-18-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/3300-17-0x0000000000900000-0x0000000000902000-memory.dmp

Filesize
8KB

Download
memory/3300-16-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/3300-31-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3300-30-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3300-22-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3300-28-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3300-24-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3300-25-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/3300-26-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3300-27-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4800-9-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4800-1-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4800-2-0x0000000000730000-0x0000000000830000-memory.dmp

Filesize
1024KB

Download
memory/4800-3-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/4800-4-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads