f1426cb27a13693ca2a6a85f89863dbf403ff538ba9e4c266971f667032c7c5f

General

Target

54728c7189ca4f9ff80e5f9153019c73.exe
Size

404KB
MD5

54728c7189ca4f9ff80e5f9153019c73
SHA1

429c97cb9ed8d624ca0116b6fff4b55cf8fd6009
SHA256

f1426cb27a13693ca2a6a85f89863dbf403ff538ba9e4c266971f667032c7c5f
SHA512

d3aaa63d23c81deec4deaba589ad5571d9f7d273e0fba35364d69f8b888ee78371cc970a8eb8c7e40c1b0c7aa1fa6d17b2b953e16ed724e269144e98bcff30e9
SSDEEP

6144:JlTLl/8YvVh4Kq4JQlMdVrmUgb8+0qDKMuyHsk:N0YH4KqNjnDnuIr

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	54728c7189ca4f9ff80e5f9153019c73.exe

Executes dropped EXE 3 IoCs

pid	Process
2336	The Boy In The Striped Pyjamas[2008]DvDrip-aXXo45427 [Online Working Keygen].exe
4156	7za.exe
716	ic1.exe

Loads dropped DLL 1 IoCs

pid	Process
4224	54728c7189ca4f9ff80e5f9153019c73.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2336	The Boy In The Striped Pyjamas[2008]DvDrip-aXXo45427 [Online Working Keygen].exe
2336	The Boy In The Striped Pyjamas[2008]DvDrip-aXXo45427 [Online Working Keygen].exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 2336	4224	54728c7189ca4f9ff80e5f9153019c73.exe	91
PID 4224 wrote to memory of 2336	4224	54728c7189ca4f9ff80e5f9153019c73.exe	91
PID 4224 wrote to memory of 2336	4224	54728c7189ca4f9ff80e5f9153019c73.exe	91
PID 4224 wrote to memory of 4156	4224	54728c7189ca4f9ff80e5f9153019c73.exe	92
PID 4224 wrote to memory of 4156	4224	54728c7189ca4f9ff80e5f9153019c73.exe	92
PID 4224 wrote to memory of 4156	4224	54728c7189ca4f9ff80e5f9153019c73.exe	92
PID 4224 wrote to memory of 716	4224	54728c7189ca4f9ff80e5f9153019c73.exe	94
PID 4224 wrote to memory of 716	4224	54728c7189ca4f9ff80e5f9153019c73.exe	94

C:\Users\Admin\AppData\Local\Temp\54728c7189ca4f9ff80e5f9153019c73.exe
"C:\Users\Admin\AppData\Local\Temp\54728c7189ca4f9ff80e5f9153019c73.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Admin\AppData\Local\Temp\The Boy In The Striped Pyjamas[2008]DvDrip-aXXo45427 [Online Working Keygen].exe
  "C:\Users\Admin\AppData\Local\Temp\The Boy In The Striped Pyjamas[2008]DvDrip-aXXo45427 [Online Working Keygen].exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  C:\Users\Admin\AppData\Local\Temp\7za.exe x C:\Users\Admin\AppData\Local\Temp\a1.7z -aoa -oC:\Users\Admin\AppData\Local\Temp -plolmilf
  2⤵
  - Executes dropped EXE
  PID:4156
- C:\Users\Admin\AppData\Local\Temp\ic1.exe
  "C:\Users\Admin\AppData\Local\Temp\ic1.exe"
  2⤵
  - Executes dropped EXE
  PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
523KB

MD5
e92604e043f51c604b6d1ac3bcd3a202

SHA1
4154dda4a1e2a5ed14303dc3d36f448953ff6d33

SHA256
fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3

SHA512
ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\The Boy In The Striped Pyjamas[2008]DvDrip-aXXo45427 [Online Working Keygen].exe

Filesize
162KB

MD5
451fb9c434da73bcaa37bfc6864fcc37

SHA1
b22e2e79383caef2fcb9b0841215ce735e7914fa

SHA256
99a6c296349bf9261a3f6a7266b41f85831f2379c985dd1fc4b33c0d8dc1ad5e

SHA512
263af9b2aa5fdb8946720e960e7682f85099df490179b39f874086d0956742be4fd695d044672db72c7c5b8a05d031f7d40a6738a02b597ad183613ab881c24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1.7z

Filesize
7KB

MD5
fe1a3c6046eaa4de86b2f37d5d5d9fec

SHA1
254d7411106436e9c583b21fb3aabd11665b4ad2

SHA256
760db114cd6711fd8c5df7f0ddc7e0b641c8c585dbe199b4a316e726ed390c11

SHA512
1ad719b52a294441c101e1d40babc8dd4ea0d39286d93d3047d024a1590f8e48ccff556bea5469eb1713294b04760ee656f627d4876a9cdf657eadf87a00b0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic1.exe

Filesize
18KB

MD5
b64b538899d4588a05d7d3db92918448

SHA1
b2d0b29a9c69bac6b22f696474eb031cca664f9a

SHA256
803abec016d53636f2817c972f2c769beb36501fc8bd30c73994958eb94cfb29

SHA512
ba4732c7a25dfdd636009a5ec8597e233c7c2b736b9c08a07dce13de70d9e0e08652b7f323ab590a29b57da12bf6a347675b2103bdfef06a80dbfd555ad09727

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA5E7.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
memory/716-32-0x000000001C3E0000-0x000000001C47C000-memory.dmp

Filesize
624KB

Download
memory/716-39-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/716-29-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/716-30-0x000000001BE30000-0x000000001C2FE000-memory.dmp

Filesize
4.8MB

Download
memory/716-31-0x00007FFFF8380000-0x00007FFFF8D21000-memory.dmp

Filesize
9.6MB

Download
memory/716-27-0x000000001B8B0000-0x000000001B956000-memory.dmp

Filesize
664KB

Download
memory/716-33-0x000000001B760000-0x000000001B768000-memory.dmp

Filesize
32KB

Download
memory/716-34-0x000000001C540000-0x000000001C58C000-memory.dmp

Filesize
304KB

Download
memory/716-35-0x000000001C5F0000-0x000000001C650000-memory.dmp

Filesize
384KB

Download
memory/716-28-0x00007FFFF8380000-0x00007FFFF8D21000-memory.dmp

Filesize
9.6MB

Download
memory/716-40-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/716-41-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/716-42-0x00007FFFF8380000-0x00007FFFF8D21000-memory.dmp

Filesize
9.6MB

Download
memory/716-43-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/716-44-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/716-45-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/716-46-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing