df673aec5df7bdf30ef6699d45abedf4d9e5081471528981223fd47b11068484

General

Target

2d5d90d503605ce6f9ac493d72680d19.exe
Size

99KB
MD5

2d5d90d503605ce6f9ac493d72680d19
SHA1

ecd80682ed4544fad3da63250b177f6ce04df7e3
SHA256

df673aec5df7bdf30ef6699d45abedf4d9e5081471528981223fd47b11068484
SHA512

66b01ff11887c613e261635525f2614a03308744d9de7a84398afc01a08e461bc599e062bd9c83ffb1b47a66fabd4e7e5576a4ad923a159ea004c2c2d8a37972
SSDEEP

1536:n2YnE4M0TMuE89bEKSnCn5mNRqRF1zyoK1EnNAiiRegbOC7:2YE4MmMuESoqn5yR4FVysm3EC7

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3192	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	2d5d90d503605ce6f9ac493d72680d19.exe

Executes dropped EXE 1 IoCs

pid	Process
3092	be8b0230.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ufat32 = "rundll32.exe ufat32.dll,ytus"	2d5d90d503605ce6f9ac493d72680d19.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\9543e975.dll	2d5d90d503605ce6f9ac493d72680d19.exe
File created	C:\Windows\SysWOW64\c61bdd4d.dll	2d5d90d503605ce6f9ac493d72680d19.exe
File opened for modification	C:\Windows\SysWOW64\c61bdd4d.dll	2d5d90d503605ce6f9ac493d72680d19.exe
File created	C:\Windows\SysWOW64\ufat32.dll	2d5d90d503605ce6f9ac493d72680d19.exe
File opened for modification	C:\Windows\SysWOW64\ufat32.dll	2d5d90d503605ce6f9ac493d72680d19.exe
File created	C:\Windows\SysWOW64\8c58b05e.dll	2d5d90d503605ce6f9ac493d72680d19.exe
File opened for modification	C:\Windows\SysWOW64\8c58b05e.dll	2d5d90d503605ce6f9ac493d72680d19.exe
File created	C:\Windows\SysWOW64\9543e975.dll	2d5d90d503605ce6f9ac493d72680d19.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3956	sc.exe
3384	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
3228	regedit.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 3956	3936	2d5d90d503605ce6f9ac493d72680d19.exe	91
PID 3936 wrote to memory of 3956	3936	2d5d90d503605ce6f9ac493d72680d19.exe	91
PID 3936 wrote to memory of 3956	3936	2d5d90d503605ce6f9ac493d72680d19.exe	91
PID 3936 wrote to memory of 3384	3936	2d5d90d503605ce6f9ac493d72680d19.exe	93
PID 3936 wrote to memory of 3384	3936	2d5d90d503605ce6f9ac493d72680d19.exe	93
PID 3936 wrote to memory of 3384	3936	2d5d90d503605ce6f9ac493d72680d19.exe	93
PID 3936 wrote to memory of 3192	3936	2d5d90d503605ce6f9ac493d72680d19.exe	95
PID 3936 wrote to memory of 3192	3936	2d5d90d503605ce6f9ac493d72680d19.exe	95
PID 3936 wrote to memory of 3192	3936	2d5d90d503605ce6f9ac493d72680d19.exe	95
PID 3936 wrote to memory of 3092	3936	2d5d90d503605ce6f9ac493d72680d19.exe	99
PID 3936 wrote to memory of 3092	3936	2d5d90d503605ce6f9ac493d72680d19.exe	99
PID 3936 wrote to memory of 3092	3936	2d5d90d503605ce6f9ac493d72680d19.exe	99
PID 3092 wrote to memory of 3228	3092	be8b0230.exe	100
PID 3092 wrote to memory of 3228	3092	be8b0230.exe	100
PID 3092 wrote to memory of 3228	3092	be8b0230.exe	100

C:\Users\Admin\AppData\Local\Temp\2d5d90d503605ce6f9ac493d72680d19.exe
"C:\Users\Admin\AppData\Local\Temp\2d5d90d503605ce6f9ac493d72680d19.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create ufat32 type= share start= auto DisplayName= "FAT Utility DLL" group= "Event Log" binPath= "rundll32.exe C:\Windows\system32\ufat32.dll,ytus"
  2⤵
  - Launches sc.exe
  PID:3956
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description ufat32 "FAT Utility DLL"
  2⤵
  - Launches sc.exe
  PID:3384
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe firewall add portopening TCP 1616 messenger
  2⤵
  - Modifies Windows Firewall
  PID:3192
- C:\Users\Admin\AppData\Local\Temp\be8b0230.exe
  "C:\Users\Admin\AppData\Local\Temp\be8b0230.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe -s C:\ParaTemp.reg
    3⤵
    - Runs .reg file with regedit
    PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ParaTemp.reg

Filesize
165B

MD5
a4c2e8db757227a15a4218839aea3fd6

SHA1
0f98e0549c034c5f8ac2d89a39b4347df9330578

SHA256
36d55faef433946b20a9337da2a8529207fd992a280081c4467b8cd8bebc6200

SHA512
5f9adeb1517c07f5d3669095471ea79bddc7740ca3da729b8249c86f5303effd10daeb873b9e76462fc6fc61bbf3ae3124253ea36e7196cc81fd5937f28afe23

Download Submit
C:\Users\Admin\AppData\Local\Temp\be8b0230.exe

Filesize
4KB

MD5
e6530213df7a3a99834341697287ec2f

SHA1
fc7de2d227e16766feb6b4ec5d480b55e53840aa

SHA256
a3e939fe85d84fd9a15a7e654b0334c29d22142ec91f9f9ef3bda8538b08991b

SHA512
5bdf1e3dc2ed0e13e1e22d4281dddbb9f8d54ea3d6225aaa3a8d9f56943e547baf2a5520db3355cb3441b3d85afbbc412208b60b1deaed26e8f67d7795371a88

Download Submit
memory/3092-17-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3092-21-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3936-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3936-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads