b10688da02633306a0e6e8dba5f3c2ba6c21c2dbb40d6b1bd40d730cac0d029c

General

Target

4b01be0bc4cd13fad8a3eea2f9976578.exe
Size

240KB
MD5

4b01be0bc4cd13fad8a3eea2f9976578
SHA1

b3fb77974b6e2956cc78e782d1445f6866a09301
SHA256

b10688da02633306a0e6e8dba5f3c2ba6c21c2dbb40d6b1bd40d730cac0d029c
SHA512

f12b6dff0e23d1edf9ec827a490e03d9f1134a94ecb4ff2bbbc31b5771ee53c3281e54a4484f8b5bdbaf390bbd40a41f520c0915494d74fdf11b00e65454a635
SSDEEP

6144:BxYUmbnMCa6BEN6dZxD/G+gETRANecKC3qQUpBeOaVR/M:BxYUmVa6BENwfngE1flC3EDyk

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	4b01be0bc4cd13fad8a3eea2f9976578.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4200-19-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4200-24-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4200-25-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4200-28-0x0000000000400000-0x000000000044A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2576	1204	WerFault.exe	14
792	1860	WerFault.exe	56

Runs net.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1560	1204	4b01be0bc4cd13fad8a3eea2f9976578.exe	29
PID 1204 wrote to memory of 1560	1204	4b01be0bc4cd13fad8a3eea2f9976578.exe	29
PID 1204 wrote to memory of 1560	1204	4b01be0bc4cd13fad8a3eea2f9976578.exe	29
PID 1560 wrote to memory of 4740	1560	net.exe	25
PID 1560 wrote to memory of 4740	1560	net.exe	25
PID 1560 wrote to memory of 4740	1560	net.exe	25

C:\Users\Admin\AppData\Local\Temp\4b01be0bc4cd13fad8a3eea2f9976578.exe
"C:\Users\Admin\AppData\Local\Temp\4b01be0bc4cd13fad8a3eea2f9976578.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1204
- C:\windows\SysWOW64\net.exe
  "C:\windows\system32\net.exe" stop wscsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 1116
  2⤵
  - Program crash
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\liar2.exe
  "C:\Users\Admin\AppData\Local\Temp\liar2.exe"
  2⤵
  PID:3980
- C:\Users\Admin\AppData\Local\Temp\newexe11_298.exe
  "C:\Users\Admin\AppData\Local\Temp\newexe11_298.exe"
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 312
    3⤵
    - Program crash
    PID:792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1204 -ip 1204
1⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\liar2.exe
C:\Users\Admin\AppData\Local\Temp\liar2.exe
1⤵
PID:4200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\Temp\liar2.exe" C:\Windows\system32\
  2⤵
  PID:2572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del /Q /F C:\Windows\temp\liar2.exe
  2⤵
  PID:876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v mssysif /f
  2⤵
  PID:4372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v mssysif /d "C:\Windows\system32\liar2.exe"
  2⤵
  PID:1892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Windows\Tasks\2846695716-0020"
  2⤵
  PID:4004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c type "C:\Windows\Tasks\2846695716-0020"
  2⤵
  PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1860 -ip 1860
1⤵
PID:668

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v mssysif /f
1⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /t REG_SZ /v mssysif /d "C:\Windows\system32\liar2.exe"
1⤵
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\liar2.exe

Filesize
5KB

MD5
0080b4a6b5b0dd5c2af6177761d8b55d

SHA1
c15fc64b1b357ddd401980f75b52b135b5a8e3e8

SHA256
2852b90763633987598bb66f79faa7f441939e4f58ded8703179d35cd67f06ce

SHA512
e5e4d07f77d546b57e35f9585836a00b60efe5c1b1cd8488a776244eb4cfd7c5f6a745da637c5c26296cda98b17d3adac7a043cb5bfe1c9096779711b18d481e

Download Submit
C:\Users\Admin\AppData\Local\Temp\liar2.exe

Filesize
68KB

MD5
a472c018403185480a1efde5774eaa4f

SHA1
5a185f21d89eee47f0bad10f860b3666078fafa3

SHA256
51405b6769d11f544b6bb27718e3f5e2074b7045a94d1666a95817a559acbc92

SHA512
423555fcce351ad7a1ecc2079e98f55b42a6294a0951a6359fc75b6dc2846436448db51b13e40986d6f2dc09ddc33a058d810215c0242588ed2ac3a850776906

Download Submit
C:\Users\Admin\AppData\Local\Temp\newexe11_298.exe

Filesize
76KB

MD5
d5e6db3d16e9af9feb9d090bb8020e23

SHA1
1bd95934467f6bfb3bddf0ebf956a0fbba13876c

SHA256
98b26b8baeab93ab260e9359e931c2f4550226031be9ffd6034989bf7e3f41ff

SHA512
fb1baf6c9740743f01db8054e7e2c9768f13e76ac6677ff19b4283a2103d9e7ebd3d14b762478b43d113d211c3a6de6ecdf6dbdf603a44334e6a4fe1882d190e

Download Submit
C:\Users\Admin\AppData\Local\Temp\newexe11_298.exe

Filesize
114KB

MD5
43647dceb97ddbe89e2bf862e2aaaf40

SHA1
4e9576418a5b47f04742bc3c7c997d6dfe2b3d65

SHA256
d1c69d2125dddaed1377bcc0cffe5a5e705a5ee4806695e9fed9e9fe07a8756e

SHA512
76a8c8c4d6e0efb9aa57b20f1a5a3cc042cafe56d24418dfe1b300f7bf0645f00a827448338b246714e4a29c794f9d491a063580467215cdeb19f2ca14d28298

Download Submit
C:\Users\Admin\AppData\Local\Temp\newexe11_298.exe

Filesize
165KB

MD5
524469331a5d5f006bd9b871cf0cd939

SHA1
4048dff5f90c9118e788d06f83766cc775cfc607

SHA256
f450361ee78b43108221858680c9af86821abfef49b2d2f8dd9fcc7baaaaed3a

SHA512
3f0adacc09d1cdfcdfed81a145b2edc83098ca4d23436a60b5d71cd363eb11d89ea585dde937c19dbceff71e15588eddd4c282c1861ec05ed38b7fa06fc87332

Download Submit
memory/1860-7-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1860-21-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1860-9-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1860-27-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3980-23-0x0000000013140000-0x0000000013158000-memory.dmp

Filesize
96KB

Download
memory/4200-25-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4200-24-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4200-19-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4200-28-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing