735c4fc3e20904b714e8dac759688b85c2977c9f91f34cb59b02508f10c0f6b1

General

Target

7ef132e7f263c6bb51d0db08fb884566.exe
Size

3.4MB
MD5

7ef132e7f263c6bb51d0db08fb884566
SHA1

17646560355825c3c68db13200cd90b9be7fae27
SHA256

735c4fc3e20904b714e8dac759688b85c2977c9f91f34cb59b02508f10c0f6b1
SHA512

ede839d60e12ac4777c297185b2013b688e0092ae1cb5eed08ee6e500b490a9600cbdccbb6e167584dec5c234f3a54d6f96b23f7a5cdfd2093d2bf78b24a33b3
SSDEEP

98304:YRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/i5:Ykj8NBFwxpNOuk2L

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	7ef132e7f263c6bb51d0db08fb884566.exe

Executes dropped EXE 1 IoCs

pid	Process
3020	7mGP7S7O6D3f.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
764	sc.exe
1688	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1468	7ef132e7f263c6bb51d0db08fb884566.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	7ef132e7f263c6bb51d0db08fb884566.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 3020	1468	7ef132e7f263c6bb51d0db08fb884566.exe	79
PID 1468 wrote to memory of 3020	1468	7ef132e7f263c6bb51d0db08fb884566.exe	79

C:\Users\Admin\AppData\Local\Temp\7ef132e7f263c6bb51d0db08fb884566.exe
"C:\Users\Admin\AppData\Local\Temp\7ef132e7f263c6bb51d0db08fb884566.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\7mGP7S7O6D3f.exe
  "C:\Users\Admin\AppData\Local\Temp\7mGP7S7O6D3f.exe" QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXDdlZjEzMmU3ZjI2M2M2YmI1MWQwZGIwOGZiODg0NTY2LmV4ZQ==
  2⤵
  - Executes dropped EXE
  PID:3020
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C sc stop "SysMain" & sc config "SysMain" start=disabled
    3⤵
    PID:2228
  - - C:\Windows\system32\sc.exe
      sc config "SysMain" start=disabled
      4⤵
      Launches sc.exe
      PID:764
  - - C:\Windows\system32\sc.exe
      sc stop "SysMain"
      4⤵
      Launches sc.exe
      PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7mGP7S7O6D3f.exe

Filesize
77KB

MD5
2e8bcfb848f7c468fb1a824e3f94c823

SHA1
b21e61e6ce638c388bf795137017edc287839ae8

SHA256
8dc4ed616abfb5b53850d369f34bcc86bfe5ac0ff8bbba0f6dd5afb0f7bbe3f4

SHA512
4357dbba1fb00c1babce33f89b183890a42dcb4916470efcb6a4c3e39af15f67a0caeacd8bd2a201273421a05e96ba27597bd5323e470abc59f0c2cb08974e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\7mGP7S7O6D3f.exe

Filesize
5KB

MD5
f8ccc84f31ae6e1cb7df8456713315f5

SHA1
c1ffcaa229daa37ab89afa89185c5d024d1ac3d6

SHA256
2c262856f548d2fbfa3f6116d2c3f516e2e53bb3510c5cb0b909c1f65a6ceb47

SHA512
a7dc59566e3e7aa3f15726eb602a5d006ca89264b374d30c61a12546eae9e5452c4c88feb600e59b032f5c754f7b5bb8ec813b33993e28c4f936fef63fd1951b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7mGP7S7O6D3f.exe

Filesize
42KB

MD5
bfb2bbbf8cb4ba4f7e523867daca8965

SHA1
51641ec4887207ffcc9f28e808559d4d930424ef

SHA256
b365fd0488921836f3251e722d9e116b564dd3ac3d194b57c810b089eef5c93f

SHA512
6cec0afb460876225e7d29b28218c388592950257fd8443499588eb6358cd59dc767c8755763bfdd87148f275cc680bbe8e6a0de61f58e17e84f730d4bb50e00

Download Submit
memory/1468-7-0x000002242B300000-0x000002242B306000-memory.dmp

Filesize
24KB

Download
memory/1468-11-0x00000224475F0000-0x00000224476AA000-memory.dmp

Filesize
744KB

Download
memory/1468-5-0x00000224470F0000-0x0000022447528000-memory.dmp

Filesize
4.2MB

Download
memory/1468-6-0x000002242B2C0000-0x000002242B2C4000-memory.dmp

Filesize
16KB

Download
memory/1468-0-0x000002242ABC0000-0x000002242AEE4000-memory.dmp

Filesize
3.1MB

Download
memory/1468-8-0x00000224455F0000-0x000002244568C000-memory.dmp

Filesize
624KB

Download
memory/1468-9-0x000002242CC40000-0x000002242CC46000-memory.dmp

Filesize
24KB

Download
memory/1468-1-0x00007FFC3ACC0000-0x00007FFC3B781000-memory.dmp

Filesize
10.8MB

Download
memory/1468-10-0x000002242CC70000-0x000002242CC78000-memory.dmp

Filesize
32KB

Download
memory/1468-12-0x00000224454B0000-0x00000224454E2000-memory.dmp

Filesize
200KB

Download
memory/1468-13-0x00000224454E0000-0x00000224454E4000-memory.dmp

Filesize
16KB

Download
memory/1468-4-0x000002242B290000-0x000002242B2C0000-memory.dmp

Filesize
192KB

Download
memory/1468-3-0x00000224456E0000-0x00000224456F0000-memory.dmp

Filesize
64KB

Download
memory/1468-2-0x00000224456F0000-0x00000224459E0000-memory.dmp

Filesize
2.9MB

Download
memory/1468-30-0x00007FFC3ACC0000-0x00007FFC3B781000-memory.dmp

Filesize
10.8MB

Download
memory/3020-27-0x0000023BB26F0000-0x0000023BB2A14000-memory.dmp

Filesize
3.1MB

Download
memory/3020-28-0x00007FFC3ACC0000-0x00007FFC3B781000-memory.dmp

Filesize
10.8MB

Download
memory/3020-31-0x0000023BCD0D0000-0x0000023BCD0E0000-memory.dmp

Filesize
64KB

Download
memory/3020-32-0x0000023BCF140000-0x0000023BCF1B2000-memory.dmp

Filesize
456KB

Download
memory/3020-33-0x0000023BCF050000-0x0000023BCF056000-memory.dmp

Filesize
24KB

Download
memory/3020-34-0x0000023BCD0D0000-0x0000023BCD0E0000-memory.dmp

Filesize
64KB

Download
memory/3020-36-0x0000023BD1C00000-0x0000023BD1C0E000-memory.dmp

Filesize
56KB

Download
memory/3020-35-0x0000023BD2AA0000-0x0000023BD2AD8000-memory.dmp

Filesize
224KB

Download
memory/3020-37-0x0000023BCD0D0000-0x0000023BCD0E0000-memory.dmp

Filesize
64KB

Download
memory/3020-38-0x00007FFC3ACC0000-0x00007FFC3B781000-memory.dmp

Filesize
10.8MB

Download
memory/3020-39-0x0000023BCD0D0000-0x0000023BCD0E0000-memory.dmp

Filesize
64KB

Download
memory/3020-40-0x0000023BCD0D0000-0x0000023BCD0E0000-memory.dmp

Filesize
64KB

Download
memory/3020-41-0x0000023BCD0D0000-0x0000023BCD0E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing