9adb99e8650bab9e07206f93d3ef23984395a12c9c6dd17dc34823c12aa034a5

General

Target

64fe4105b1f43044606aa234e9a1ab61.exe
Size

492KB
MD5

64fe4105b1f43044606aa234e9a1ab61
SHA1

3ae1e0a97b757d6617abec1c84f3666abd8fd186
SHA256

9adb99e8650bab9e07206f93d3ef23984395a12c9c6dd17dc34823c12aa034a5
SHA512

ce2d2afbe02959b19964829270554215e10ee2f497a79b6702ef5cf8c26c44f502993396e00685e48564caf17cbedcd5e3b361bb2b8a73d705d381129757c623
SSDEEP

6144:BME1nmg1tDbJ5621YNzigK30Y/xJS4AGgnVUdLrgg81gxaJZ6b1XHZZTHaOTfFDq:ugnJzRxJXA5Sngg84b13TV5ON

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	4mv5.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	64fe4105b1f43044606aa234e9a1ab61.exe

Executes dropped EXE 3 IoCs

pid	Process
3496	4mv5.exe
3304	4mv5.tmp
1036	a1x.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Messenger\is-DBPL5.tmp	4mv5.tmp
File created	C:\Program Files (x86)\Messenger\is-TR60R.tmp	4mv5.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	4mv5.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3304	4mv5.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 3496	3340	64fe4105b1f43044606aa234e9a1ab61.exe	50
PID 3340 wrote to memory of 3496	3340	64fe4105b1f43044606aa234e9a1ab61.exe	50
PID 3340 wrote to memory of 3496	3340	64fe4105b1f43044606aa234e9a1ab61.exe	50
PID 3496 wrote to memory of 3304	3496	4mv5.exe	48
PID 3496 wrote to memory of 3304	3496	4mv5.exe	48
PID 3496 wrote to memory of 3304	3496	4mv5.exe	48
PID 3304 wrote to memory of 728	3304	4mv5.tmp	98
PID 3304 wrote to memory of 728	3304	4mv5.tmp	98
PID 3304 wrote to memory of 728	3304	4mv5.tmp	98
PID 3340 wrote to memory of 1036	3340	Process not Found	99
PID 3340 wrote to memory of 1036	3340	Process not Found	99
PID 3340 wrote to memory of 1036	3340	Process not Found	99

C:\Users\Admin\AppData\Local\Temp\64fe4105b1f43044606aa234e9a1ab61.exe
"C:\Users\Admin\AppData\Local\Temp\64fe4105b1f43044606aa234e9a1ab61.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\4mv5.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\4mv5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3496
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\a1x.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\a1x.exe"
  2⤵
  - Executes dropped EXE
  PID:1036

C:\Users\Admin\AppData\Local\Temp\is-2U7A0.tmp\4mv5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2U7A0.tmp\4mv5.tmp" /SL5="$601E2,61265,51712,C:\Users\Admin\AppData\Local\Temp\RarSFX0\4mv5.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Messenger\messenger.jse"
  2⤵
  PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Messenger\messenger.jse

Filesize
13KB

MD5
c90e8e4c3ef4aaddf0692028ac2b73e3

SHA1
72240eec4de9f1865a91ac64bc3503ba6bf14f1c

SHA256
b7ef4d14eab14f133e61f7582b4120a1b8b576dcddff46959255d857ba66efb0

SHA512
a5b6cd61d58f9a12e21dd2c5bfbf796df37f71df20c6be17fb5ba88885091ebedbbc49d8d76f0d7deb1f1f067735b4a118dc6d83c049ba0b93b8296c82839f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\4mv5.exe

Filesize
266KB

MD5
bb3bcee377d89fc53cc5474ea9929c17

SHA1
e27e045f4b2b8212906caf12a218deeb5513a9a8

SHA256
b9da60bc637c0ea96f15b03cba59496bd174d3d3801cfa80b314ef6d80f7a5aa

SHA512
e9cca8c33416e4338ddd8a36dc2797861ea9c9b16d61b7393fe0c2cdc285c830786a1f59ca57728f4a46250bd50691819b553bff869f4ae885621f63976f5fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\4mv5.exe

Filesize
250KB

MD5
4d3a89fde965eeac376bac7270554c17

SHA1
b9348863dc821392bf62af1c2b99af6e9a1d880a

SHA256
94351c139230ea44d8f3b36afdda290c6841e36894cbe4e11818ebbbff70a1df

SHA512
3dd70a8316fb3f93bb0f06e658326d4eac1900f875930c8a7638ae67c9116286492580deea9e6e4c427b882fc71b95a1b0668b6f8aea1be277a893d225b65c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\4mv5.exe

Filesize
301KB

MD5
ddb949a15086b0250cadd3aad8bebe5e

SHA1
dc209b5e94d0701d528caeb9e692479bff6518b3

SHA256
04b96c2904b8b49ed7fdec9178036a201be6c183bd4c8b1d9eaac269f7d826d3

SHA512
4e838c9a9857011835dfe2b254242f3b1c7dbb803e4d81fac43b599b2b7b3a1715dab0d2569827d3d1baebdf0d0e1ebc1d922ab173d854e1e1122a65bb96b939

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\a1x.exe

Filesize
102KB

MD5
4c2db3eca26e374ee8975e1215665a59

SHA1
d1d3026787fbe3ad486034cd382b33a0724ce5c3

SHA256
27dc589c6aa4c6d4f8d32c823d9a9f0a458124caa88c994cf585a3e4985003b5

SHA512
7228a9181bf366ec929b580622b1cce90760cedc726a7ffcc87c29a65f4d8bfa8202640cf6cbb41b0a211d374867ac3634e866da5fa5a3ffa21ee4e459165199

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2U7A0.tmp\4mv5.tmp

Filesize
324KB

MD5
93aacaab80268bb452c83ce68181f96c

SHA1
a4c9f90edc8379f14ffc31f929f8fba3eda2dbd1

SHA256
fa7bc3752b090260d1ebb8f72d506148ba5543ebf6f39dfb53ba5a1da2e44737

SHA512
4ea509cc09f825ce06ebe263c420e484ae7cc3f637f46f8d8085af822dacba972d8c94881533d1613a8920cdbf66f518b990867a5cf5889aac68fb6e10f49899

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2U7A0.tmp\4mv5.tmp

Filesize
168KB

MD5
fa7ea343d9dbc5d07e8c7e0c1fa7f01f

SHA1
bea617a22f4aca8425a48c2e729fa333c18e52ae

SHA256
6cba569f79a9d2398f938d4b750da162e777a29945b72c92a47f07f68bc52f9d

SHA512
f4d4e09ec0f6d9a003e60f80e2a53293958deb9d120de4d29a045df56c66dcb531152d366607bdd83f8a19f506024ea19024e04656509e17e7a02e6be67a3e4c

Download Submit
memory/1036-56-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1036-50-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3304-40-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3304-30-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/3340-49-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3340-60-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3496-41-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3496-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3496-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing