33c8e9d960d664a8c7059012f28ae668f4c31fdd0d8e930f22098e7045015d8a

General

Target

68675b25fc8578ac2343eaeef553738f.exe
Size

2.7MB
MD5

68675b25fc8578ac2343eaeef553738f
SHA1

a84b27d78d47d10a66d9c542c7f878dee117c951
SHA256

33c8e9d960d664a8c7059012f28ae668f4c31fdd0d8e930f22098e7045015d8a
SHA512

91fa016790089fa49cde0df5730553cebf99587a0b46a50f9538284b0b06f97e2d0275e67444913d7467871c9101c6d7422fcb508eafa0010f2d3792296fb053
SSDEEP

49152:t+axysYC6syUkoPaPS2AJNyxUP+Mkt3ZlPl9Ggj2J3Y2peIu0XSkRDv0N:ytClVkoOSfJNAUW93ZlPP2Jo2wUXSaDv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	68675b25fc8578ac2343eaeef553738f.exe

Deletes itself 1 IoCs

pid	Process
2512	Updater.exe

Executes dropped EXE 1 IoCs

pid	Process
2512	Updater.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2452	2512	WerFault.exe	92

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	Updater.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 2512	4208	68675b25fc8578ac2343eaeef553738f.exe	92
PID 4208 wrote to memory of 2512	4208	68675b25fc8578ac2343eaeef553738f.exe	92
PID 4208 wrote to memory of 2512	4208	68675b25fc8578ac2343eaeef553738f.exe	92

C:\Users\Admin\AppData\Local\Temp\68675b25fc8578ac2343eaeef553738f.exe
"C:\Users\Admin\AppData\Local\Temp\68675b25fc8578ac2343eaeef553738f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Roaming\Update\Updater.exe
  "C:\Users\Admin\AppData\Roaming\Update\Updater.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 1984
    3⤵
    - Program crash
    PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2512 -ip 2512
1⤵
PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Update\Updater.exe

Filesize
334KB

MD5
c04ff3318d98809a1f84c18442ecc85c

SHA1
d2f833b4687faa7ea12f63c529f6fbab0dab7390

SHA256
8ad44752ff2a9fcbcae531f78d5b3420e1af7f71566cbf831259eb0cdcad574a

SHA512
e48087b0dda810bd7d77c44b3ada9d31bea7815e5121390c77605480767b893e67bcdbee3c7db363f449f2bad3c7d9d9b58aa93290e87d7e6f8ac36f07615ba7

Download Submit
C:\Users\Admin\AppData\Roaming\Update\Updater.exe

Filesize
503KB

MD5
b30023c3cea5e9fec8f2ca5f3cd5aa6d

SHA1
ccbdf266f10e4b589b850d7aa77daf6b9fc44fb1

SHA256
107e504779a3e94440acd8b7ed1f0aa559ab57440c14b6fc34f71c9c7848b3a1

SHA512
78705284f1b9ddb6c598f48c78ab7ff8464821c66e32f2ff23abf14085dc44803111796cf2651034a1e2f35b0121a87faf49ac796c8eb0eaff880b4d5c9ce212

Download Submit
C:\Users\Admin\AppData\Roaming\Update\Updater.exe

Filesize
530KB

MD5
838cd174f9b7e032502b85d365b02652

SHA1
968612397b17e3a79d471a77308389baef5d43d6

SHA256
1a00b0efcc0ffba5a2f501ee7a40392fa87837219fbe2cb3caff376b84ee36a0

SHA512
5f2cf89d488c87c5334cb44b7f9526cfd6195c3fa721d917fe35b456a566c3f4a7bb46eb16a17f9089b55945c5d5b1e262749eed51b2bc7964ca28c8c8dc8f72

Download Submit
C:\Users\Admin\AppData\Roaming\Update\ver.txt

Filesize
6B

MD5
20d4ae0d4dc245fb9c50435f5aa5c8b0

SHA1
fe5ea185e09dd5edd998370add9c9ba9d1840919

SHA256
b043306e62b8d39723c6d1dc4ba65cafb892030ed8aa4d833742d5890c5b5f5a

SHA512
5437e42ea616b1f6fc409cd55a8619b2f6618d5fbfd5466743a63050851d827bc95687028fd3b275a510937d6c6af24726789fd0145683ab6722a2a0d11066ce

Download Submit
memory/2512-26-0x0000000005AD0000-0x0000000005B0C000-memory.dmp

Filesize
240KB

Download
memory/2512-25-0x00000000035E0000-0x00000000035EA000-memory.dmp

Filesize
40KB

Download
memory/2512-31-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/2512-30-0x0000000007430000-0x0000000007452000-memory.dmp

Filesize
136KB

Download
memory/2512-17-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/2512-21-0x00000000059C0000-0x0000000005A30000-memory.dmp

Filesize
448KB

Download
memory/2512-22-0x0000000005A30000-0x0000000005AD2000-memory.dmp

Filesize
648KB

Download
memory/2512-24-0x00000000035C0000-0x00000000035CA000-memory.dmp

Filesize
40KB

Download
memory/2512-23-0x0000000003590000-0x00000000035C0000-memory.dmp

Filesize
192KB

Download
memory/2512-29-0x0000000006700000-0x0000000006708000-memory.dmp

Filesize
32KB

Download
memory/2512-20-0x00000000035F0000-0x0000000003600000-memory.dmp

Filesize
64KB

Download
memory/2512-28-0x0000000005B30000-0x0000000005BDA000-memory.dmp

Filesize
680KB

Download
memory/2512-27-0x0000000005B20000-0x0000000005B2A000-memory.dmp

Filesize
40KB

Download
memory/4208-1-0x0000000000D20000-0x0000000000FDC000-memory.dmp

Filesize
2.7MB

Download
memory/4208-15-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4208-0-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4208-2-0x0000000005FF0000-0x0000000006594000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing