fed3a42c853446a04f1a3d3cfc4755b1bd83ba6f21815cea734f74e43c4b948a

General

Target

473fed5f812be8a150ac26835833c182.exe
Size

762KB
MD5

473fed5f812be8a150ac26835833c182
SHA1

d03245f845bc8ec3d8321c0ef1660f4e24d3ae5c
SHA256

fed3a42c853446a04f1a3d3cfc4755b1bd83ba6f21815cea734f74e43c4b948a
SHA512

168e9430043dc021b168736cb27f185609c1614a0f148869288f803f1cb9ef5dee6ce0c255523edbf83128afb5c82e5baa3499813ccbdee3e15dd3e243f4b28c
SSDEEP

12288:ftobirltpeTtNXmLFhppAEDlPRCdc5XY/ouP9Tk284UhzSX65rdAmawrm29fPTnN:ftDltItNW7pjDlpt5XY/2TkXKza/29R

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	internal473fed5f812be8a150ac26835833c182.exe

Executes dropped EXE 1 IoCs

pid	Process
4588	internal473fed5f812be8a150ac26835833c182.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4812	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4588	internal473fed5f812be8a150ac26835833c182.exe
4588	internal473fed5f812be8a150ac26835833c182.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4588	internal473fed5f812be8a150ac26835833c182.exe
4588	internal473fed5f812be8a150ac26835833c182.exe
4588	internal473fed5f812be8a150ac26835833c182.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 4588	3680	473fed5f812be8a150ac26835833c182.exe	89
PID 3680 wrote to memory of 4588	3680	473fed5f812be8a150ac26835833c182.exe	89
PID 3680 wrote to memory of 4588	3680	473fed5f812be8a150ac26835833c182.exe	89
PID 4588 wrote to memory of 4528	4588	internal473fed5f812be8a150ac26835833c182.exe	101
PID 4588 wrote to memory of 4528	4588	internal473fed5f812be8a150ac26835833c182.exe	101
PID 4588 wrote to memory of 4528	4588	internal473fed5f812be8a150ac26835833c182.exe	101
PID 4528 wrote to memory of 4812	4528	cmd.exe	103
PID 4528 wrote to memory of 4812	4528	cmd.exe	103
PID 4528 wrote to memory of 4812	4528	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\473fed5f812be8a150ac26835833c182.exe
"C:\Users\Admin\AppData\Local\Temp\473fed5f812be8a150ac26835833c182.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\Temp\nsw3EC0.tmp\internal473fed5f812be8a150ac26835833c182.exe
  C:\Users\Admin\AppData\Local\Temp\nsw3EC0.tmp\internal473fed5f812be8a150ac26835833c182.exe C:/Users/Admin/AppData/Local/Temp/nsw3EC0.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/473fed5f812be8a150ac26835833c182.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nsw3EC0.tmp/fallbackfiles/'
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\30235.bat" "C:\Users\Admin\AppData\Local\Temp\D3AD13E2D5AC48DB93CDADC7FB9226FE\""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1168293393-3419776239-306423207-1000\$IHE4QO2

Filesize
98B

MD5
ac138f87c89e17eac1885546a85edea7

SHA1
74fe88088e8217c52bf3fd15c52088b95a04a135

SHA256
16cd961df77154a8ba59a7c0b1eb7d93d5e830b589e79763b2d82b762a0ae30e

SHA512
847f11697d4aa67b15f5958c442b11626dcbd5cdf1668af6d7f39fdd475129bab7831800aa7ab7f6b4d02583d3ba6816f4d3c50a0bcb87cebdc0d7f07ebd8bef

Download Submit
C:\$Recycle.Bin\S-1-5-21-1168293393-3419776239-306423207-1000\$IT48MGM

Filesize
98B

MD5
df42b4b0a371be9275f0c73776cdc381

SHA1
8d0da9b07cd08c3d2be3fe99c33cc23d3eee5513

SHA256
b4d7682e8cbb4256eea8f7f922e6520c19956ac99db2b401051c161d59302fa0

SHA512
2755ed387c55d4fc692e6f8e9e89a62df24beb242d2c3c6a95cb5e502c30969ed7f2e346eb874895920ecab5ae9a6242a3c373deab84d0305c924679eed5808b

Download Submit
C:\Users\Admin\AppData\Local\Temp\30235.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3AD13E2D5AC48DB93CDADC7FB9226FE\D3AD13E2D5AC48DB93CDADC7FB9226FE_LogFile.txt

Filesize
5KB

MD5
00eb3cfb17d8869fa1a422467aff930e

SHA1
ea9128e1f9a341b20e9f562fc8486799c4956204

SHA256
1aec93140b62ea9059e9c69e62c0ac5e14014ba35210f7f3020c45cccb888c13

SHA512
683b9a433c26b4570dc40ab0ab379598911d79fb746a3ca6ff14eaa1371a3f785832b1248dff546a2b0e30a43d4727f5e88a1110114ab488e2d8e457cda5b740

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3AD13E2D5AC48DB93CDADC7FB9226FE\D3AD13~1.TXT

Filesize
27KB

MD5
98d6c7c23e7ec4990310c7572e251997

SHA1
94bd683b8eae9e2cb8ee29d456ecba5b511486e1

SHA256
e10e365d74420f7f4827dc787f3e212aa5ca11ec33d124747f942fab36f2c772

SHA512
3c4eac0872420e93063af169cae6c2586f0f2addaf6fe13ef452020d66646282ed273cbcee78d0e0dc41a1b638e50c7925e252d3b531625f0c86c6092381832e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw3EC0.tmp\internal473fed5f812be8a150ac26835833c182.exe

Filesize
93KB

MD5
87826b3c11ccf7e2db33bf627d4bc72a

SHA1
a977c2f6b91be3fc640208d0a111a26c355ac800

SHA256
4c8440d49f106df904b9bd3b63dc3271a83e27dad41077894977015af59d5434

SHA512
8b4ac167d2eb1ed15300a51e51c4eb1620ffa77087c560cd79ba5d6ba1c443efad6c69834885984376d7a95d99350ae8b9445b172dcf4228ecfe4b3faa90203b

Download Submit
memory/3680-222-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3680-301-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4588-73-0x0000000003F50000-0x0000000003F51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing