1bfe580922eaed55bfd8cbeec6364c856494b68dffa31885f722a6d25fe5e2cc

General

Target

2bd2a7ed6a18cb00faaed2073664b70e.exe
Size

822KB
MD5

2bd2a7ed6a18cb00faaed2073664b70e
SHA1

d96a10403fb4bf82c9efb98ae5ff1c3b5ad21ecc
SHA256

1bfe580922eaed55bfd8cbeec6364c856494b68dffa31885f722a6d25fe5e2cc
SHA512

92946a73d06b2e8d7e3cd264fe4e1cec62db1e775c1762839cdbed3b9355e41e09e26e95c5ba2392c7fc8b8aa61e7177ed7a6fcc081e3dda3bc973c6f18dcad1
SSDEEP

24576:4k7gDZdQksGFLk0HIAxo8yE1/+Pvc13ekr:4kkQksGxk0Ht2ncskr

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	2bd2a7ed6a18cb00faaed2073664b70e.exe

Executes dropped EXE 3 IoCs

pid	Process
5108	COUNT.EXE
752	COUNT.EXE
3116	SC-KEYLOG V2.24.EXE

Loads dropped DLL 3 IoCs

pid	Process
3116	SC-KEYLOG V2.24.EXE
3116	SC-KEYLOG V2.24.EXE
3116	SC-KEYLOG V2.24.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	SC-KEYLOG V2.24.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5108 set thread context of 752	5108	COUNT.EXE	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4816	752	WerFault.exe	91

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 5108	3716	2bd2a7ed6a18cb00faaed2073664b70e.exe	90
PID 3716 wrote to memory of 5108	3716	2bd2a7ed6a18cb00faaed2073664b70e.exe	90
PID 3716 wrote to memory of 5108	3716	2bd2a7ed6a18cb00faaed2073664b70e.exe	90
PID 5108 wrote to memory of 752	5108	COUNT.EXE	91
PID 5108 wrote to memory of 752	5108	COUNT.EXE	91
PID 5108 wrote to memory of 752	5108	COUNT.EXE	91
PID 5108 wrote to memory of 752	5108	COUNT.EXE	91
PID 5108 wrote to memory of 752	5108	COUNT.EXE	91
PID 3716 wrote to memory of 3116	3716	2bd2a7ed6a18cb00faaed2073664b70e.exe	93
PID 3716 wrote to memory of 3116	3716	2bd2a7ed6a18cb00faaed2073664b70e.exe	93
PID 3716 wrote to memory of 3116	3716	2bd2a7ed6a18cb00faaed2073664b70e.exe	93

C:\Users\Admin\AppData\Local\Temp\2bd2a7ed6a18cb00faaed2073664b70e.exe
"C:\Users\Admin\AppData\Local\Temp\2bd2a7ed6a18cb00faaed2073664b70e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Users\Admin\AppData\Local\Temp\COUNT.EXE
  "C:\Users\Admin\AppData\Local\Temp\COUNT.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\COUNT.EXE
    C:\Users\Admin\AppData\Local\Temp\COUNT.EXE
    3⤵
    - Executes dropped EXE
    PID:752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 456
      4⤵
      Program crash
      PID:4816
- C:\Users\Admin\AppData\Local\Temp\SC-KEYLOG V2.24.EXE
  "C:\Users\Admin\AppData\Local\Temp\SC-KEYLOG V2.24.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 752 -ip 752
1⤵
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\COUNT.EXE

Filesize
28KB

MD5
cba9bc8506d491b219fafc9e1cea2be3

SHA1
10458ee27bf2e13d25f0bac120fb69918594edf4

SHA256
bfbfb25437bedd795a5320ae86e329d1aebbd536054baf8ab2c70138af7f00ac

SHA512
9d4521ad2b73b541bd21436ce69832beb57b80019e8b4ff7184427e274ebfbe5bd5dca97d4112bc31240041dd28e2e6bca1f075b94ec942e1dd0a351dcb8815d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLC8388.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLK83C7.tmp

Filesize
33KB

MD5
517419cae37f6c78c80f9b7d0fbb8661

SHA1
a9e419f3d9ef589522556e0920c84fe37a548873

SHA256
bfe7e013cfb85e78b994d3ad34eca08286494a835cb85f1d7bced3df6fe93a11

SHA512
5046565443cf463b6fa4d2d5868879efc6a9db969bf05e3c80725b99bd091ce062cfe66c5551eb1cc5f00a38f2cfcda1f36fb4d60d9ff816c4ec3107b5a0df40

Download Submit
C:\Users\Admin\AppData\Local\Temp\SC-KEYLOG V2.24.EXE

Filesize
305KB

MD5
7a59bb498e828038c12f6752e41ac243

SHA1
fd119cd2958fc18fe063f475fca278f5146a126f

SHA256
622d74da42924756267a99562744ba667ca22d5407b0f99c64c13636f2caaa33

SHA512
897421b5e5a8f488f66211d85a07c3683f43226ca0dc909c566ae694cba2085c688cc74f302a0f6585e311d1cb7090d06b266f2a27f94176395a2a22111552a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SC-KEYLOG V2.24.EXE

Filesize
245KB

MD5
1d9d4ee6f28803d640e9a0c66f6f421b

SHA1
4b5666b5f967c3b6fa3b87e926b1473794f4e2c6

SHA256
9b133022da43cb1f592cb4572577c22f61b9a8e7ad34fa2a08ff90d22fc82ceb

SHA512
06ef2072c2639451d7155e094543ade65394cb682541ce608e6cada5867bef6b6031faf4ef32334fbfd3d83aaeb277462ff1bbddb5d7c89969c8072d7e31105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SC-KEYLOG V2.24.EXE

Filesize
204KB

MD5
e3b593109b4fafa4da0136c00d877aa9

SHA1
ee068ba985e9fdfbaa6c1f73880bb75738539c8f

SHA256
f7118e4f357488c774ced4755913aadd79531d6e41f316f339bfa36c83744dd7

SHA512
979fa775064166166a24da54ed847cd2311fd70b3b79d698717b3e68254b7e5ade987ac6919f1b7880654c4238bbc9c76f97db6502f0a148bc7a945dae6df54e

Download Submit
memory/752-11-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/752-20-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/752-23-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/752-36-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3716-25-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/5108-14-0x0000000019000000-0x000000001900E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing