f9f783b6c35710d843852030469850448477ef6e21a9c4c95183592d3bc44613

General

Target

54853d49175fc0d00b1ba5ab4851b541.exe
Size

1.6MB
MD5

54853d49175fc0d00b1ba5ab4851b541
SHA1

cc5854620969a610462e24233f50567f80499812
SHA256

f9f783b6c35710d843852030469850448477ef6e21a9c4c95183592d3bc44613
SHA512

2ba55f458722da4ae79e9743a573426853533a1118b4ae23cdb05d7265e7a837df81074aa54680e47bdc62912907876496bb7ccf47ccd6a854df89f578dbe940
SSDEEP

49152:7uWjEn50aUTQK+zgebLd+1Mmf9t4q9mCWzhT:7usEnCRTwg8sMi4e3ahT

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	54853d49175fc0d00b1ba5ab4851b541.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 4 IoCs

pid	Process
3612	svchost.exe
60	NorthByteInternetOptimizer.exe
2480	svchost.exe
1656	NorthByteInternetOptimizer.tmp

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\processID.log	svchost.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\MicrosoftSiihield\__tmp_rar_sfx_access_check_240638187	54853d49175fc0d00b1ba5ab4851b541.exe
File created	C:\Program Files (x86)\Common Files\MicrosoftSiihield\svchost.exe	54853d49175fc0d00b1ba5ab4851b541.exe
File opened for modification	C:\Program Files (x86)\Common Files\MicrosoftSiihield\svchost.exe	54853d49175fc0d00b1ba5ab4851b541.exe
File created	C:\Program Files (x86)\Common Files\MicrosoftSiihield\system.vbs	54853d49175fc0d00b1ba5ab4851b541.exe
File opened for modification	C:\Program Files (x86)\Common Files\MicrosoftSiihield\system.vbs	54853d49175fc0d00b1ba5ab4851b541.exe
File created	C:\Program Files (x86)\Common Files\MicrosoftSiihield\NorthByteInternetOptimizer.exe	54853d49175fc0d00b1ba5ab4851b541.exe
File opened for modification	C:\Program Files (x86)\Common Files\MicrosoftSiihield\NorthByteInternetOptimizer.exe	54853d49175fc0d00b1ba5ab4851b541.exe
File opened for modification	C:\Program Files (x86)\Common Files\MicrosoftSiihield	54853d49175fc0d00b1ba5ab4851b541.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	54853d49175fc0d00b1ba5ab4851b541.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 4524	4884	54853d49175fc0d00b1ba5ab4851b541.exe	91
PID 4884 wrote to memory of 4524	4884	54853d49175fc0d00b1ba5ab4851b541.exe	91
PID 4884 wrote to memory of 4524	4884	54853d49175fc0d00b1ba5ab4851b541.exe	91
PID 4524 wrote to memory of 3612	4524	WScript.exe	92
PID 4524 wrote to memory of 3612	4524	WScript.exe	92
PID 4524 wrote to memory of 3612	4524	WScript.exe	92
PID 4524 wrote to memory of 60	4524	WScript.exe	93
PID 4524 wrote to memory of 60	4524	WScript.exe	93
PID 4524 wrote to memory of 60	4524	WScript.exe	93
PID 60 wrote to memory of 1656	60	NorthByteInternetOptimizer.exe	95
PID 60 wrote to memory of 1656	60	NorthByteInternetOptimizer.exe	95
PID 60 wrote to memory of 1656	60	NorthByteInternetOptimizer.exe	95

C:\Users\Admin\AppData\Local\Temp\54853d49175fc0d00b1ba5ab4851b541.exe
"C:\Users\Admin\AppData\Local\Temp\54853d49175fc0d00b1ba5ab4851b541.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Common Files\MicrosoftSiihield\system.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Program Files (x86)\Common Files\MicrosoftSiihield\svchost.exe
    "C:\Program Files (x86)\Common Files\MicrosoftSiihield\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:3612
- - C:\Program Files (x86)\Common Files\MicrosoftSiihield\NorthByteInternetOptimizer.exe
    "C:\Program Files (x86)\Common Files\MicrosoftSiihield\NorthByteInternetOptimizer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:60
  - - C:\Users\Admin\AppData\Local\Temp\is-BCO5O.tmp\NorthByteInternetOptimizer.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BCO5O.tmp\NorthByteInternetOptimizer.tmp" /SL5="$1B0042,957716,72192,C:\Program Files (x86)\Common Files\MicrosoftSiihield\NorthByteInternetOptimizer.exe"
      4⤵
      Executes dropped EXE
      PID:1656

C:\Program Files (x86)\Common Files\MicrosoftSiihield\svchost.exe
"C:\Program Files (x86)\Common Files\MicrosoftSiihield\svchost.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\MicrosoftSiihield\NorthByteInternetOptimizer.exe

Filesize
993KB

MD5
5f87d03f75e98cfa60c75f1229308391

SHA1
fc7a4609b3cc1ca47704549fc4cbf38ad9dbdd04

SHA256
e3ac78db85253842d30d392bb8b0c6f5d5e057b634eef3396e9c0e48ec8db91f

SHA512
6f8dfd8b2c82792ffc87c59cde423eab5c83ae1551268c091ced35b943367ed58a27fbed26c53fc965bca96191a2298b13ee59a743388c582ae01c52714f36a8

Download Submit
C:\Program Files (x86)\Common Files\MicrosoftSiihield\NorthByteInternetOptimizer.exe

Filesize
1.2MB

MD5
915f4600dfd9daac985c116e2f41b1be

SHA1
bc111041ed1af24a1d019a3bf0f53e16620b6962

SHA256
48fc1d5cb69f8478506c913cb079f6d70434ef68d880b4b612868f533cd573df

SHA512
ff6e8013c2b720ee8221761c0da4d443aa3886c2a929ff4dc5665852e4cc5cfcb10ee2382de92b4c542232bbc64fe9b5b491245899f6b2edadb13f3ba551413e

Download Submit
C:\Program Files (x86)\Common Files\MicrosoftSiihield\svchost.exe

Filesize
89KB

MD5
99d55628e2f7b4a6d626351f4926e51b

SHA1
ec81fb3bbaebeda17b283497de9d62225d4abf87

SHA256
331eba2c44300ee866173a54fa65c93748db53bf48c52961cf17d05173230091

SHA512
991b77febf0ea9996c49ab2cbc380dbfb091df4e483c9f81c9f857e4274fefab25fdbc95cb668568b38a456dac961fe8bbe9b4d7f75a1438a9b93f1b8b5bded1

Download Submit
C:\Program Files (x86)\Common Files\MicrosoftSiihield\system.vbs

Filesize
160B

MD5
940bd51a531903e5866959b9f6b84d2e

SHA1
b779676b66bb7674053b894e5c906070e6ea113f

SHA256
6109caa6384d8d96871ad400f99a15eb3c2399bc9d32b4fa339bd705b699ecc0

SHA512
0faab8262977e520a7a71d41e455076ee1213951c25d159dfdbeb8e0f9ca31130bdeca7504d62e2b59e63dd281c46f2221d56f6414744f63039e5ac519bfaef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BCO5O.tmp\NorthByteInternetOptimizer.tmp

Filesize
698KB

MD5
0058b7028159e7a316ce47f4e2f44ff7

SHA1
bf70c595da16e5c69e163735608d518130e95e64

SHA256
62e80c2a81cf42dc2ed7c99ab7acb2c5b469c7f73672f8fbed403251bdb28780

SHA512
4897305deb8b187bacdf4a4ecc6b664dc0372abf8d2b83f730062b00bed39c70c7bf67dd75a5cf28a530eb8b0522952973857fc5ba254883dc936b1345f4bc3f

Download Submit
memory/60-14-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/60-27-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1656-21-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/1656-28-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1656-31-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing