e28e78af24613f302910fa770133c4dbcad308490659d5108de19dd9ca9fb9c8

General

Target

45b9eb44a824165c25118ba1c01a25e3.exe
Size

404KB
MD5

45b9eb44a824165c25118ba1c01a25e3
SHA1

b8258aa6ffa0613025ba7b80748f703b01a35154
SHA256

e28e78af24613f302910fa770133c4dbcad308490659d5108de19dd9ca9fb9c8
SHA512

d5b8146b58daf3c991c642fd1761f62f0604399c69a05de08b42ca7dc919cef481debc9eb940dc35f4458d423c8392f1f66a0996abfb4c92e82cba8ae119f884
SSDEEP

6144:JlPMKBu5Jfi3hYUMlWm716bvokqcfBGyIzNtSA1yxKTLEAo5+P:EiRYNl/7167oKG5YxU1P

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	45b9eb44a824165c25118ba1c01a25e3.exe

Executes dropped EXE 3 IoCs

pid	Process
1672	Aimg2Pdf 1 10 (Keygen).exe
2928	7za.exe
3184	ic1.exe

Loads dropped DLL 1 IoCs

pid	Process
4540	45b9eb44a824165c25118ba1c01a25e3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1672	Aimg2Pdf 1 10 (Keygen).exe
1672	Aimg2Pdf 1 10 (Keygen).exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 1672	4540	45b9eb44a824165c25118ba1c01a25e3.exe	91
PID 4540 wrote to memory of 1672	4540	45b9eb44a824165c25118ba1c01a25e3.exe	91
PID 4540 wrote to memory of 1672	4540	45b9eb44a824165c25118ba1c01a25e3.exe	91
PID 4540 wrote to memory of 2928	4540	45b9eb44a824165c25118ba1c01a25e3.exe	92
PID 4540 wrote to memory of 2928	4540	45b9eb44a824165c25118ba1c01a25e3.exe	92
PID 4540 wrote to memory of 2928	4540	45b9eb44a824165c25118ba1c01a25e3.exe	92
PID 4540 wrote to memory of 3184	4540	45b9eb44a824165c25118ba1c01a25e3.exe	94
PID 4540 wrote to memory of 3184	4540	45b9eb44a824165c25118ba1c01a25e3.exe	94

C:\Users\Admin\AppData\Local\Temp\45b9eb44a824165c25118ba1c01a25e3.exe
"C:\Users\Admin\AppData\Local\Temp\45b9eb44a824165c25118ba1c01a25e3.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Users\Admin\AppData\Local\Temp\Aimg2Pdf 1 10 (Keygen).exe
  "C:\Users\Admin\AppData\Local\Temp\Aimg2Pdf 1 10 (Keygen).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1672
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  C:\Users\Admin\AppData\Local\Temp\7za.exe x C:\Users\Admin\AppData\Local\Temp\a1.7z -aoa -oC:\Users\Admin\AppData\Local\Temp -plolmilf
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Users\Admin\AppData\Local\Temp\ic1.exe
  "C:\Users\Admin\AppData\Local\Temp\ic1.exe"
  2⤵
  - Executes dropped EXE
  PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
187KB

MD5
9cbf1616e43c64b950e889d4a7b07b6b

SHA1
8d9e894643fb4a0656362c9dad0c9b2390c520e2

SHA256
9864c8aa9c6823171692f314af5f11404ea5927db17a8546fd8a2383089cf2c1

SHA512
48a526e48243fc9add8db2e362f7d46fb610c9715814472dc5887afa15dbcbc703abc855204da7cd2101bf3054bb211e45cc5942b1cdb056ed0806fb9cfd1993

Download Submit
C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
523KB

MD5
e92604e043f51c604b6d1ac3bcd3a202

SHA1
4154dda4a1e2a5ed14303dc3d36f448953ff6d33

SHA256
fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3

SHA512
ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aimg2Pdf 1 10 (Keygen).exe

Filesize
162KB

MD5
13ee77a6116aa8fda2692d900d3f166a

SHA1
1275959dfaf71e777e01908f3df369cbed9db1a2

SHA256
41ccd1e8662e0f812f256f085ab4445f5faca5e7729eb7808a404527ec75051f

SHA512
7a54e16e0ddef643f8403b00539db52a928324d157ae47a914bb4e56a3afd008978ca7602487d6a1f162579717f30e863d04dc2406cb86c5e3bd3878cea14a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1.7z

Filesize
7KB

MD5
376ed986935f156172d220183f2cf806

SHA1
550877ffeaaeedf52720f3277367a7d7724c1426

SHA256
bd319437ebdcad0590d793b88e1fe49dcd2d276cb6705ee42404adc0acd93f4b

SHA512
f28aa255f52b44e5fa3f95cabfa0d49440b378f44adfcfe549ed34f42b2673d0b3a33ff28ee7840cb497cd39b517ee6ac8a2d22e10dc34bf35564e9cdba7c210

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic1.exe

Filesize
18KB

MD5
b64b538899d4588a05d7d3db92918448

SHA1
b2d0b29a9c69bac6b22f696474eb031cca664f9a

SHA256
803abec016d53636f2817c972f2c769beb36501fc8bd30c73994958eb94cfb29

SHA512
ba4732c7a25dfdd636009a5ec8597e233c7c2b736b9c08a07dce13de70d9e0e08652b7f323ab590a29b57da12bf6a347675b2103bdfef06a80dbfd555ad09727

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb3DA7.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
memory/3184-30-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/3184-39-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/3184-31-0x000000001C360000-0x000000001C3FC000-memory.dmp

Filesize
624KB

Download
memory/3184-32-0x00007FFF49DA0000-0x00007FFF4A741000-memory.dmp

Filesize
9.6MB

Download
memory/3184-27-0x000000001B7C0000-0x000000001B866000-memory.dmp

Filesize
664KB

Download
memory/3184-34-0x000000001C4C0000-0x000000001C50C000-memory.dmp

Filesize
304KB

Download
memory/3184-35-0x000000001C570000-0x000000001C5D0000-memory.dmp

Filesize
384KB

Download
memory/3184-33-0x000000001B6E0000-0x000000001B6E8000-memory.dmp

Filesize
32KB

Download
memory/3184-29-0x00007FFF49DA0000-0x00007FFF4A741000-memory.dmp

Filesize
9.6MB

Download
memory/3184-28-0x000000001BD40000-0x000000001C20E000-memory.dmp

Filesize
4.8MB

Download
memory/3184-40-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/3184-41-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/3184-42-0x00007FFF49DA0000-0x00007FFF4A741000-memory.dmp

Filesize
9.6MB

Download
memory/3184-43-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/3184-44-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/3184-45-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/3184-46-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing