9692122f93b862ecea613a1e3932763125d14ee97ccf2b42557474fc0f1f8bc3

General

Target

7a922c0bf516574c776dfc4e24c2e70b.exe
Size

1.0MB
MD5

7a922c0bf516574c776dfc4e24c2e70b
SHA1

57a2d08202e32c7c977c6f8c2b85bfe36ce30d5c
SHA256

9692122f93b862ecea613a1e3932763125d14ee97ccf2b42557474fc0f1f8bc3
SHA512

08f634630b8d6d65ea3a64331e5be3ed1d8b54be23377286e12511d45b79cc40cbb4f41d936bd48667d7acc54ceda0ea570c51357e2e1928e173e59b48d59d63
SSDEEP

24576:FSLXxywTtpW3KS6/CeXNdxNl6M4r0EsjE3SygIL9ERgzjq9oQCpIJJJ:GgwT3XL/fXdNkM4rejvygeBzjj9wJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	7a922c0bf516574c776dfc4e24c2e70b.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xmWMvOLQeJ.url	Disegnata.exe.com

Executes dropped EXE 3 IoCs

pid	Process
2220	Disegnata.exe.com
2176	Disegnata.exe.com
5024	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2176 set thread context of 5024	2176	Disegnata.exe.com	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2188	PING.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2220	Disegnata.exe.com
2220	Disegnata.exe.com
2220	Disegnata.exe.com
2176	Disegnata.exe.com
2176	Disegnata.exe.com
2176	Disegnata.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2220	Disegnata.exe.com
2220	Disegnata.exe.com
2220	Disegnata.exe.com
2176	Disegnata.exe.com
2176	Disegnata.exe.com
2176	Disegnata.exe.com

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 1500	4808	7a922c0bf516574c776dfc4e24c2e70b.exe	90
PID 4808 wrote to memory of 1500	4808	7a922c0bf516574c776dfc4e24c2e70b.exe	90
PID 4808 wrote to memory of 1500	4808	7a922c0bf516574c776dfc4e24c2e70b.exe	90
PID 4808 wrote to memory of 5104	4808	7a922c0bf516574c776dfc4e24c2e70b.exe	91
PID 4808 wrote to memory of 5104	4808	7a922c0bf516574c776dfc4e24c2e70b.exe	91
PID 4808 wrote to memory of 5104	4808	7a922c0bf516574c776dfc4e24c2e70b.exe	91
PID 5104 wrote to memory of 3948	5104	cmd.exe	93
PID 5104 wrote to memory of 3948	5104	cmd.exe	93
PID 5104 wrote to memory of 3948	5104	cmd.exe	93
PID 3948 wrote to memory of 3144	3948	cmd.exe	94
PID 3948 wrote to memory of 3144	3948	cmd.exe	94
PID 3948 wrote to memory of 3144	3948	cmd.exe	94
PID 3948 wrote to memory of 2220	3948	cmd.exe	95
PID 3948 wrote to memory of 2220	3948	cmd.exe	95
PID 3948 wrote to memory of 2220	3948	cmd.exe	95
PID 3948 wrote to memory of 2188	3948	cmd.exe	96
PID 3948 wrote to memory of 2188	3948	cmd.exe	96
PID 3948 wrote to memory of 2188	3948	cmd.exe	96
PID 2220 wrote to memory of 2176	2220	Disegnata.exe.com	97
PID 2220 wrote to memory of 2176	2220	Disegnata.exe.com	97
PID 2220 wrote to memory of 2176	2220	Disegnata.exe.com	97
PID 2176 wrote to memory of 5024	2176	Disegnata.exe.com	106
PID 2176 wrote to memory of 5024	2176	Disegnata.exe.com	106
PID 2176 wrote to memory of 5024	2176	Disegnata.exe.com	106
PID 2176 wrote to memory of 5024	2176	Disegnata.exe.com	106
PID 2176 wrote to memory of 5024	2176	Disegnata.exe.com	106

C:\Users\Admin\AppData\Local\Temp\7a922c0bf516574c776dfc4e24c2e70b.exe
"C:\Users\Admin\AppData\Local\Temp\7a922c0bf516574c776dfc4e24c2e70b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  PID:1500
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Udi.csv
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^NzJuXZttNruEDLgNZyDCWjQhljpveIbwCBJIaDqELCvYEXVpsHJBvIoBDvWKQIwyFteewGccyZQxPRIjdZtcYV$" Poi.csv
      4⤵
      PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnata.exe.com
      Disegnata.exe.com A
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnata.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnata.exe.com A
        5⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        6⤵
        Executes dropped EXE
        
        PID:5024
  - - C:\Windows\SysWOW64\PING.EXE
      ping AVCIKYMG -n 30
      4⤵
      Runs ping.exe
      PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Appare.csv

Filesize
62KB

MD5
d3efa5c74273db8b4387b93d6422f725

SHA1
23f0516e98bd8ab2b50192e41e2430b94e93bc57

SHA256
77871c90193e16eaff1e28a6eb0ffa072891ca4c2ae06a9e84dcfad6ace2b7bf

SHA512
ad488ade3109d9b45eb0a5b9cd0ceea8f28f111fe43b6900634455113fdf53cdec49d0d10d39154949c3448dcef3ba76cd096b4511d5e0fadf844f66e7271cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnata.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensa.csv

Filesize
1.1MB

MD5
69e04162e0571d897e9bccf0e7c9f472

SHA1
80ab7cb78b367638d2ae2656a8cd98d47a1ea80e

SHA256
55296c998850b59b5b64523eef648c8b6517c20397b328cd75fc0955d2f4ba78

SHA512
39df7f919ecea0f973325225fa5f633d759b3bcfb77aeecccb75da6e3faecbd35a2a24dd0fb6926d56d6af088e5e4d4f1cdbefd8846b5d95ad2673fdb82e2c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Poi.csv

Filesize
872KB

MD5
138c53e5efafd97556971c5506a5e549

SHA1
9835d86f95b2a68ce0f09137e79775454a8b7c49

SHA256
a7410c06483129b1bad20cd8dc1f638276294488002805e2b0e226e4b2eb507e

SHA512
2009c463857cc1665940a7a85167e8356367dc0191fc157e3a0f235f0d81c16046ef1651674244535f00aa97c94c770db24f9c2b3b07918c3ce995058dc72839

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Udi.csv

Filesize
409B

MD5
0ee240b25b327ec534137a2c47b5d2de

SHA1
14d6a6010f243f385c31cd015503d686dedfb527

SHA256
de8552d8df835e065b0328552078bae29c845acb326332e2e4a74ba6261ee676

SHA512
38f36219dcbddd95cfc79fcb1b3d51c62667656924f3c869fbe856879dcaf22accda75d6e079d7d9a6da997893f78037164cd5bf0d5672ac644c99b936d9f1de

Download Submit
memory/2176-29-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/5024-30-0x0000000000D00000-0x0000000000D16000-memory.dmp

Filesize
88KB

Download
memory/5024-34-0x0000000005210000-0x0000000005276000-memory.dmp

Filesize
408KB

Download
memory/5024-35-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/5024-36-0x0000000005F20000-0x00000000064C4000-memory.dmp

Filesize
5.6MB

Download
memory/5024-37-0x0000000005AD0000-0x0000000005B62000-memory.dmp

Filesize
584KB

Download
memory/5024-38-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing