6b70d220ff49ce3efe1180bba3023c986c1cf2699a2bdd8950716ab39fabdabe

General

Target

$_3_.exe
Size

1.7MB
MD5

d4c16982f8a834bc0f8028b45c3ae543
SHA1

9d9cec9af8f23a23521e20d48d9af1024663a4a7
SHA256

932badf8ce27381bd595c9d861d7f7142fe98f233a893a2003a5f5e5ec163b3b
SHA512

c94b8d978afac107c08a5405cf9510e48d4bcf1284292eee1d08898f1c7a43a83a9655dc4d85d27d3b825e45a8f136c7beb71405fab94bb5e2437b7c4ad44b5c
SSDEEP

49152:n7mrmYPoEHVGTWFkO4ITVpSuEqM/vrM3rA3SuN5:km2Z12WFYFVf

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	$_3_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3340	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2972	$_3_.exe
2972	$_3_.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2972	$_3_.exe
2972	$_3_.exe
2972	$_3_.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 1472	2972	$_3_.exe	88
PID 2972 wrote to memory of 1472	2972	$_3_.exe	88
PID 2972 wrote to memory of 1472	2972	$_3_.exe	88
PID 1472 wrote to memory of 3340	1472	cmd.exe	90
PID 1472 wrote to memory of 3340	1472	cmd.exe	90
PID 1472 wrote to memory of 3340	1472	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\$_3_.exe
"C:\Users\Admin\AppData\Local\Temp\$_3_.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\14224.bat" "C:\Users\Admin\AppData\Local\Temp\8F37020CC44744779E61D76D937E3C13\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-635608581-3370340891-292606865-1000\$I8KZZ59

Filesize
98B

MD5
6b2742a906385fba09ea9f7dd2188cc0

SHA1
39297518c0167a0d7fb77fedf7a0ce1e59666ab2

SHA256
55b32fced47b9b475818166131c462a5665717e9cebeedeebe389d09afbe3c69

SHA512
89a261b8e74d7a4c7b0de0174e1b911be7ce1f57c578c6334b40cf4bc81d1b1e6dd342a0739eca40a688441569ce56b9d598757f6606a33e62037a2ae8a1c32b

Download Submit
C:\$Recycle.Bin\S-1-5-21-635608581-3370340891-292606865-1000\$IAY5P19

Filesize
98B

MD5
b671e9402fc4d2cd66a77a36b38c82f2

SHA1
92a2d19fef9c312e7088843aef5d12d619e5e789

SHA256
d2f08d330d922ae2149dfe7bdb6527d55489200ac7fc8c3b4544afa54d932269

SHA512
fe8dec324c09af5298a5c90cec2e20f240d49d6ad5d3f1ece00dcbaee406836e1761aaac4b0e688cf20d99099142b0bb81917c81aa8357f5a96ded2cc6dea646

Download Submit
C:\Users\Admin\AppData\Local\Temp\14224.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F37020CC44744779E61D76D937E3C13\8F37020CC44744779E61D76D937E3C13_LogFile.txt

Filesize
3KB

MD5
2f5f1804aa0b09057fc8f4e42491e53a

SHA1
aa646079111f790b4febe7b33f12b11b672242ac

SHA256
a93806ffea53898426b78c436285dc3ee7fad645065aeb0d31e85564e44936b2

SHA512
ef286354d0333207e11c8dd2a7c9df39bc4d8455f897a8778a97330950cf4eacbcd3ce63544a326eed06727be8cf5835c731477d16def4de46eda990f29d92e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F37020CC44744779E61D76D937E3C13\8F37020CC44744779E61D76D937E3C13_LogFile.txt

Filesize
3KB

MD5
e3bd6cc2db1d3f5290c32000e87947c4

SHA1
5e913b20f3c7eb8e672f7f6e692f34d40dab0788

SHA256
357c3b243a33e193775d5d7b4d1e192af155edf447099356489da752f508b692

SHA512
9977fea478eb1e716fd3af53fadba0234afecd494aade863e4a4e0b8183b26988ef1985659e4bcc45a7d9e55e11f18083d039f5f21f4407272f412936ca07b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F37020CC44744779E61D76D937E3C13\8F37020CC44744779E61D76D937E3C13_LogFile.txt

Filesize
2KB

MD5
7119c7d005288c8ded3bd989c04e4e72

SHA1
c4031d1c23679299cae6b473df47af43c2ddfe15

SHA256
2c47cdfa2c09967d8d23313cdca836de763a58a7aa223797acb11114793feefb

SHA512
d991c6b0280e219a1bff6281b65336a114cdc6f65a3be6b000fa09dbaa9c6cc33861aabbaeb792a2141bf333d5f29e4be5b3c2e2d0ed84e36c926ab4fc580227

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F37020CC44744779E61D76D937E3C13\8F37020CC44744779E61D76D937E3C13_LogFile.txt

Filesize
5KB

MD5
7b6adb3c1f90736e75628499de0cff10

SHA1
6451ebac50df54945680d7ee12e788753a4e3208

SHA256
ca24951b824eac15ff274cced878227ba5ae7cb404a27f3663383e8534b55f6d

SHA512
e627e13737d1c6fea7815e0ca22eec22ca6160a162cfbcf4eeb8c1fff804e21b4ea4a765afbfc8e80908365624d644bf090290abb760cac53a9bd86337467ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F37020CC44744779E61D76D937E3C13\8F3702~1.TXT

Filesize
26KB

MD5
25f134ed7eb33a3c7ef42d0a7a193380

SHA1
8f15d8707144e783d3b30af5f99d0c0bf99a7f0a

SHA256
d856ecae487faa1969b247a43ae5b211e797dfc3ace02f58009ce3dbb075e802

SHA512
3d63093579f551b4fc1b1d2557d5adb4607929d66e2af3df7d12ad74f666952ae3a4803133e8057251bce1491e2a73080f149b7eebc804d41194d68c80669bfc

Download Submit
memory/2972-65-0x0000000003F90000-0x0000000003F91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing