768d050b8c295b3a5ac16a3ae37b2e2abec9c73bf89107da111afd8dbeb48a9d

General

Target

3a08dab82be7325f898589b449acbefc.exe
Size

1.1MB
MD5

3a08dab82be7325f898589b449acbefc
SHA1

23eaecf4f31e68ed0b3873f7781ed709ed27d932
SHA256

768d050b8c295b3a5ac16a3ae37b2e2abec9c73bf89107da111afd8dbeb48a9d
SHA512

23b17a5271ac6e3abab4b4e00471952588ec6d9b6065dc09b64682dd644b37ea3b3ff992605030e52471641175dd6709d3a5d1890ba8bd43b5203e0fc3d9e1e7
SSDEEP

24576:dQIBJnJ5j0IAkUlkMd1QFgWB8mrokB1Y0pJMCo1BZYDE0Ug+m5X:V95ILkUVGV7B1Y0pJMJ0DED0

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	3a08dab82be7325f898589b449acbefc.exe

Executes dropped EXE 1 IoCs

pid	Process
5032	20342011.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\20342011 = "C:\\ProgramData\\20342011\\20342011.exe"	3a08dab82be7325f898589b449acbefc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\20342011 = "C:\\PROGRA~3\\20342011\\20342011.exe"	20342011.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
5048	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5032	20342011.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5048	taskkill.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
5032	20342011.exe
5032	20342011.exe
5032	20342011.exe
5032	20342011.exe
5032	20342011.exe
5032	20342011.exe
5032	20342011.exe
5032	20342011.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
5032	20342011.exe
5032	20342011.exe
5032	20342011.exe
5032	20342011.exe
5032	20342011.exe
5032	20342011.exe
5032	20342011.exe
5032	20342011.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 1980	4028	3a08dab82be7325f898589b449acbefc.exe	90
PID 4028 wrote to memory of 1980	4028	3a08dab82be7325f898589b449acbefc.exe	90
PID 4028 wrote to memory of 1980	4028	3a08dab82be7325f898589b449acbefc.exe	90
PID 1980 wrote to memory of 5048	1980	cmd.exe	92
PID 1980 wrote to memory of 5048	1980	cmd.exe	92
PID 1980 wrote to memory of 5048	1980	cmd.exe	92
PID 1980 wrote to memory of 1444	1980	cmd.exe	94
PID 1980 wrote to memory of 1444	1980	cmd.exe	94
PID 1980 wrote to memory of 1444	1980	cmd.exe	94
PID 1444 wrote to memory of 5032	1444	cmd.exe	95
PID 1444 wrote to memory of 5032	1444	cmd.exe	95
PID 1444 wrote to memory of 5032	1444	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\3a08dab82be7325f898589b449acbefc.exe
"C:\Users\Admin\AppData\Local\Temp\3a08dab82be7325f898589b449acbefc.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\20342011\20342011.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 3a08dab82be7325f898589b449acbefc.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start C:\PROGRA~3\20342011\20342011.exe /install
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\PROGRA~3\20342011\20342011.exe
      C:\PROGRA~3\20342011\20342011.exe /install
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\20342011\20342011.exe

Filesize
1.1MB

MD5
3a08dab82be7325f898589b449acbefc

SHA1
23eaecf4f31e68ed0b3873f7781ed709ed27d932

SHA256
768d050b8c295b3a5ac16a3ae37b2e2abec9c73bf89107da111afd8dbeb48a9d

SHA512
23b17a5271ac6e3abab4b4e00471952588ec6d9b6065dc09b64682dd644b37ea3b3ff992605030e52471641175dd6709d3a5d1890ba8bd43b5203e0fc3d9e1e7

Download Submit
C:\ProgramData\20342011\20342011.bat

Filesize
290B

MD5
95bd18b8c6ea1029d2a81d3383099d0e

SHA1
43202223e875ccb06f2c41cb9a7007bb95724fa7

SHA256
76d12690ee9c43fc348af60020b077642d301945168d2b8098541fc4ce59310e

SHA512
3625d9e49b007fcb03e69066f23accb105df79edd9ca14412ffe3ba1ed0b30cdfd8d8b8ff6e97c44695986d1f6e5da35b2355a2d7962e73ff48ccd9470910b75

Download Submit
C:\ProgramData\20342011\20342011.exe

Filesize
662KB

MD5
4d50d14d4762af3aabb705e5fa50ce37

SHA1
4ffa20a13611d54142903ab5caafb5c9b05a6d5b

SHA256
0a7d9b7993d39b0bbdfaa97f04cda3dc84830eb0b11596f420decce197c9cd8a

SHA512
c919560ca7939e1d04f17785c48aebf19e4c1d4eef4b0c4cb22820b53b56d978ea79b8be1cb506504e43845794ae7474991a1bcf1a9d19ef376c5befddc8855a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NSWVVUXL\in[1].php

Filesize
5B

MD5
fda44910deb1a460be4ac5d56d61d837

SHA1
f6d0c643351580307b2eaa6a7560e76965496bc7

SHA256
933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9

SHA512
57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

Download Submit
memory/4028-1-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4028-2-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/4028-3-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

Filesize
8KB

Download
memory/4028-4-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/4028-9-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/5032-21-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/5032-32-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/5032-18-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/5032-16-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/5032-29-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/5032-30-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/5032-31-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/5032-17-0x0000000000770000-0x0000000000772000-memory.dmp

Filesize
8KB

Download
memory/5032-35-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/5032-36-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/5032-15-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/5032-40-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/5032-43-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/5032-44-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/5032-47-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads