bd284862b9c40907cb8e8fcc25122dbb95066ccfce453d9244a44e102a45ff26

General

Target

3bb0f7d1717c35600768f7d561a314a8.exe
Size

2.3MB
MD5

3bb0f7d1717c35600768f7d561a314a8
SHA1

49c73c3f6cda798fef0bde61c3a8480d0a7c8a79
SHA256

bd284862b9c40907cb8e8fcc25122dbb95066ccfce453d9244a44e102a45ff26
SHA512

05a266dad80b4717429c995f96f0ed76c319e99c62a732d628a3c0708fd825b696ac4564716cca17c27bb7f12ea4a59302fe939b1557a8d693c6f2e7c63ce06a
SSDEEP

24576:J7FosV8/Q8z9Gh8jyQ3s1smCkv6oqpumCkv6Pu4/QJQHCkv6oqpumCkv6PurCkx:8/p9GijymsepA66pA6m4/erA66pA6m+g

Score

8^/10

persistence upx

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mvdm.sys\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\mvdm.sys"	xzisy.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	xzisy.exe

Executes dropped EXE 1 IoCs

pid	Process
952	xzisy.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2560-0-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral2/memory/2560-1-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral2/memory/2560-4-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral2/files/0x000200000001e7df-6.dat	upx
behavioral2/memory/952-8-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral2/memory/2560-10-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral2/memory/2560-13-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral2/memory/952-14-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral2/memory/952-18-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral2/memory/952-22-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral2/memory/952-33-0x0000000000400000-0x00000000004FF000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
952	xzisy.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	952	xzisy.exe
Token: SeLoadDriverPrivilege	952	xzisy.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
952	xzisy.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
952	xzisy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
952	xzisy.exe
952	xzisy.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 952	2560	3bb0f7d1717c35600768f7d561a314a8.exe	91
PID 2560 wrote to memory of 952	2560	3bb0f7d1717c35600768f7d561a314a8.exe	91
PID 2560 wrote to memory of 952	2560	3bb0f7d1717c35600768f7d561a314a8.exe	91
PID 952 wrote to memory of 2908	952	xzisy.exe	96
PID 952 wrote to memory of 2908	952	xzisy.exe	96
PID 952 wrote to memory of 2908	952	xzisy.exe	96

C:\Users\Admin\AppData\Local\Temp\3bb0f7d1717c35600768f7d561a314a8.exe
"C:\Users\Admin\AppData\Local\Temp\3bb0f7d1717c35600768f7d561a314a8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\xzisy.exe
  C:\Users\Admin\AppData\Local\Temp\xzisy.exe -run
  2⤵
  - Sets service image path in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xzisy.bat" "
    3⤵
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xzisy.bat

Filesize
137B

MD5
76e53d083346c60bb954e46f16f00f01

SHA1
d8c533b1aafc1658d6adb42e29ee8529141bac63

SHA256
3a0f372317d8f6bef70702a0e8f2361d5c05c208b5e320cfdbfbb032e7921b87

SHA512
5534f14acbb1dc2e8e3c7329e95a2a89179342e6c84badbcfaf927d524f60f332934ecbc135b3a7c2c9cb30cc6234e37b2cd605f591cc845424c0dcb07e19c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzisy.exe

Filesize
2.9MB

MD5
2deb016bc0f72497decbacddd6b2082d

SHA1
f25f685d741d40a64ee5ea0c37425036de7dea69

SHA256
fe5509b9b4df6b3b2bbeba6cde9847eb371f40403ed3184f3dd038b647e1eb60

SHA512
e054687ab0d88f7fd690818985399ff97b199862420659aa1aed5ba546f03b1f7ef70ddbf4cdb4af655dc674f56dc756cc09c3d22c92d6259f39c6466fa77a7c

Download Submit
memory/952-14-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/952-33-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/952-22-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/952-8-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/952-18-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/952-11-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/952-17-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2560-4-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2560-13-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2560-10-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2560-0-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2560-2-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/2560-1-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads