dc699254dca76a75ec16e9f8cf629a86d1782c80565002e2b80653dfa040dded

General

Target

8f70695d8a9bc9672ac4c35970ba1279.exe
Size

226KB
MD5

8f70695d8a9bc9672ac4c35970ba1279
SHA1

7e6e1320e6869618cba2881e0c5972ff9632fcea
SHA256

dc699254dca76a75ec16e9f8cf629a86d1782c80565002e2b80653dfa040dded
SHA512

daa2eeff122bde98f81a85d2b5a7e7f4f64f78160b3b791911dad99dac2a4f54826efb447e64afb3c9bd5ae35cfa3af2852e4e0ef9dd4ef2fb14530e16c43596
SSDEEP

6144:bQuDZggR11UV8SVTi9qjJC+4/hV2u3bzjed4au7kF7vqdw8:lKq11mTeqjJG/qZF7vq28

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	8f70695d8a9bc9672ac4c35970ba1279.exe

Executes dropped EXE 1 IoCs

pid	Process
1608	uvtzepfzqr.exe

Loads dropped DLL 1 IoCs

pid	Process
1608	uvtzepfzqr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4720	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
784	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1608	uvtzepfzqr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4720	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1608	uvtzepfzqr.exe
1608	uvtzepfzqr.exe
1608	uvtzepfzqr.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1608	uvtzepfzqr.exe
1608	uvtzepfzqr.exe
1608	uvtzepfzqr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 2992	4776	8f70695d8a9bc9672ac4c35970ba1279.exe	87
PID 4776 wrote to memory of 2992	4776	8f70695d8a9bc9672ac4c35970ba1279.exe	87
PID 4776 wrote to memory of 2992	4776	8f70695d8a9bc9672ac4c35970ba1279.exe	87
PID 2992 wrote to memory of 4720	2992	cmd.exe	85
PID 2992 wrote to memory of 4720	2992	cmd.exe	85
PID 2992 wrote to memory of 4720	2992	cmd.exe	85
PID 2992 wrote to memory of 784	2992	cmd.exe	89
PID 2992 wrote to memory of 784	2992	cmd.exe	89
PID 2992 wrote to memory of 784	2992	cmd.exe	89
PID 2992 wrote to memory of 1608	2992	cmd.exe	90
PID 2992 wrote to memory of 1608	2992	cmd.exe	90
PID 2992 wrote to memory of 1608	2992	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\8f70695d8a9bc9672ac4c35970ba1279.exe
"C:\Users\Admin\AppData\Local\Temp\8f70695d8a9bc9672ac4c35970ba1279.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 4776 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\8f70695d8a9bc9672ac4c35970ba1279.exe" & start C:\Users\Admin\AppData\Local\UVTZEP~1.EXE -f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:784
- - C:\Users\Admin\AppData\Local\uvtzepfzqr.exe
    C:\Users\Admin\AppData\Local\UVTZEP~1.EXE -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1608

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 4776
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\uvtzepfzqr.exe

Filesize
226KB

MD5
8f70695d8a9bc9672ac4c35970ba1279

SHA1
7e6e1320e6869618cba2881e0c5972ff9632fcea

SHA256
dc699254dca76a75ec16e9f8cf629a86d1782c80565002e2b80653dfa040dded

SHA512
daa2eeff122bde98f81a85d2b5a7e7f4f64f78160b3b791911dad99dac2a4f54826efb447e64afb3c9bd5ae35cfa3af2852e4e0ef9dd4ef2fb14530e16c43596

Download Submit
memory/1608-16-0x0000000001000000-0x00000000010C8000-memory.dmp

Filesize
800KB

Download
memory/1608-10-0x0000000000440000-0x0000000000540000-memory.dmp

Filesize
1024KB

Download
memory/1608-18-0x0000000001000000-0x00000000010C8000-memory.dmp

Filesize
800KB

Download
memory/1608-33-0x0000000001000000-0x00000000010C8000-memory.dmp

Filesize
800KB

Download
memory/1608-19-0x0000000000440000-0x0000000000540000-memory.dmp

Filesize
1024KB

Download
memory/1608-11-0x0000000000590000-0x0000000000592000-memory.dmp

Filesize
8KB

Download
memory/1608-14-0x0000000001000000-0x00000000010C8000-memory.dmp

Filesize
800KB

Download
memory/1608-20-0x0000000001000000-0x00000000010C8000-memory.dmp

Filesize
800KB

Download
memory/1608-31-0x0000000001000000-0x00000000010C8000-memory.dmp

Filesize
800KB

Download
memory/1608-29-0x0000000001000000-0x00000000010C8000-memory.dmp

Filesize
800KB

Download
memory/1608-27-0x0000000001000000-0x00000000010C8000-memory.dmp

Filesize
800KB

Download
memory/1608-22-0x0000000001000000-0x00000000010C8000-memory.dmp

Filesize
800KB

Download
memory/1608-24-0x0000000001000000-0x00000000010C8000-memory.dmp

Filesize
800KB

Download
memory/4776-1-0x0000000001000000-0x00000000010C8000-memory.dmp

Filesize
800KB

Download
memory/4776-3-0x0000000000520000-0x0000000000522000-memory.dmp

Filesize
8KB

Download
memory/4776-5-0x0000000001000000-0x00000000010C8000-memory.dmp

Filesize
800KB

Download
memory/4776-2-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing