0498e79ffc309b964c9f1860166d3f490763113834de66ef270542138b76c4cc

General

Target

276322009f25397cd905e6e1556d6a82.exe
Size

329KB
MD5

276322009f25397cd905e6e1556d6a82
SHA1

455fa30101bfe8bb68626e6f6fea1577c40bfbb1
SHA256

0498e79ffc309b964c9f1860166d3f490763113834de66ef270542138b76c4cc
SHA512

f9f8455236e49a7344b19298c863273520df2c5b883a853b0c758f5cb749e572558152917e4820e5dbb38c80874ab1531c6b8f1a7779520f5d7be058e8269125
SSDEEP

6144:ANskv0fTaA3SfgRpvEHPEFjxwjL6WvJjNCzWQmX7CLgDEi:207aVfgfMEnwXxjNCzWQYCLMEi

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	276322009f25397cd905e6e1556d6a82.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	huaxia.exe

Executes dropped EXE 1 IoCs

pid	Process
1112	huaxia.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2264-0-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/files/0x000300000001f45f-5.dat	upx
behavioral2/memory/1112-7-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/memory/2264-11-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/memory/1112-12-0x0000000000400000-0x00000000004EA000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\huaxia.exe	276322009f25397cd905e6e1556d6a82.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	276322009f25397cd905e6e1556d6a82.exe
File opened for modification	C:\Windows\SysWOW64\huaxia.exe	huaxia.exe
File created	C:\Windows\SysWOW64\huaxia.exe	276322009f25397cd905e6e1556d6a82.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 5048	2264	276322009f25397cd905e6e1556d6a82.exe	89
PID 2264 wrote to memory of 5048	2264	276322009f25397cd905e6e1556d6a82.exe	89
PID 2264 wrote to memory of 5048	2264	276322009f25397cd905e6e1556d6a82.exe	89
PID 5048 wrote to memory of 3040	5048	cmd.exe	91
PID 5048 wrote to memory of 3040	5048	cmd.exe	91
PID 5048 wrote to memory of 3040	5048	cmd.exe	91
PID 3040 wrote to memory of 1852	3040	net.exe	92
PID 3040 wrote to memory of 1852	3040	net.exe	92
PID 3040 wrote to memory of 1852	3040	net.exe	92
PID 2264 wrote to memory of 1112	2264	276322009f25397cd905e6e1556d6a82.exe	96
PID 2264 wrote to memory of 1112	2264	276322009f25397cd905e6e1556d6a82.exe	96
PID 2264 wrote to memory of 1112	2264	276322009f25397cd905e6e1556d6a82.exe	96
PID 2264 wrote to memory of 2120	2264	276322009f25397cd905e6e1556d6a82.exe	97
PID 2264 wrote to memory of 2120	2264	276322009f25397cd905e6e1556d6a82.exe	97
PID 2264 wrote to memory of 2120	2264	276322009f25397cd905e6e1556d6a82.exe	97
PID 1112 wrote to memory of 4744	1112	huaxia.exe	99
PID 1112 wrote to memory of 4744	1112	huaxia.exe	99
PID 1112 wrote to memory of 4744	1112	huaxia.exe	99
PID 4744 wrote to memory of 4476	4744	cmd.exe	101
PID 4744 wrote to memory of 4476	4744	cmd.exe	101
PID 4744 wrote to memory of 4476	4744	cmd.exe	101
PID 4476 wrote to memory of 2076	4476	net.exe	102
PID 4476 wrote to memory of 2076	4476	net.exe	102
PID 4476 wrote to memory of 2076	4476	net.exe	102

C:\Users\Admin\AppData\Local\Temp\276322009f25397cd905e6e1556d6a82.exe
"C:\Users\Admin\AppData\Local\Temp\276322009f25397cd905e6e1556d6a82.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\net.exe
    net stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:1852
- C:\Windows\SysWOW64\huaxia.exe
  C:\Windows\system32\huaxia.exe -NetSata
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\SysWOW64\net.exe
      net stop sharedaccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        
        PID:2076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deleteme.bat

Filesize
184B

MD5
fc080e3fa5e0d5536ddcacecc9a3ae8d

SHA1
50cd58b794ad759ffc585400f87fd09857d26feb

SHA256
8b7938ebafd0815bd024aeb39e2ac4fb266380c094d01af1c3e0d560d5d16e21

SHA512
e3c9725cdcea527ee663024d7c824427a8b1e8918c47a2af82a14e0b6c6d64ef295d51fbbf92bc9a755cdc11eba3655c5f6b30b8e324658a16c136c977ed6d55

Download Submit
C:\Windows\SysWOW64\huaxia.exe

Filesize
329KB

MD5
276322009f25397cd905e6e1556d6a82

SHA1
455fa30101bfe8bb68626e6f6fea1577c40bfbb1

SHA256
0498e79ffc309b964c9f1860166d3f490763113834de66ef270542138b76c4cc

SHA512
f9f8455236e49a7344b19298c863273520df2c5b883a853b0c758f5cb749e572558152917e4820e5dbb38c80874ab1531c6b8f1a7779520f5d7be058e8269125

Download Submit
memory/1112-7-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1112-8-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1112-12-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2264-0-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2264-1-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2264-11-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download

Analysis

Sharing