e8066f9441892d81ddf295c599597be655c9ecd1d13c90c28364c6e0d48785cd

General

Target

9b197649ab3143aee2fd5919790929e9.exe
Size

63KB
MD5

9b197649ab3143aee2fd5919790929e9
SHA1

bc130a152f84c88126cae6e7a8d9a5b9b4e76fb8
SHA256

e8066f9441892d81ddf295c599597be655c9ecd1d13c90c28364c6e0d48785cd
SHA512

f749d3b86c5ae828d02b8c800edc34ffefc4ba89d12349e68067a9a681aac9ccbada3cdb002b63dcecf28369135df8bea16adb4552cd93e8e760a83e56d525b8
SSDEEP

1536:V3cpyORJLuB4P4AJJv4Romu/4awlmhpUljM7:V3c1fP4AJJv45n7jM7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	9b197649ab3143aee2fd5919790929e9.exe

Loads dropped DLL 13 IoCs

pid	Process
1540	9b197649ab3143aee2fd5919790929e9.exe
1540	9b197649ab3143aee2fd5919790929e9.exe
1540	9b197649ab3143aee2fd5919790929e9.exe
1540	9b197649ab3143aee2fd5919790929e9.exe
1540	9b197649ab3143aee2fd5919790929e9.exe
1540	9b197649ab3143aee2fd5919790929e9.exe
1540	9b197649ab3143aee2fd5919790929e9.exe
1540	9b197649ab3143aee2fd5919790929e9.exe
1540	9b197649ab3143aee2fd5919790929e9.exe
1540	9b197649ab3143aee2fd5919790929e9.exe
1540	9b197649ab3143aee2fd5919790929e9.exe
1540	9b197649ab3143aee2fd5919790929e9.exe
1540	9b197649ab3143aee2fd5919790929e9.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Desktop\Internat Explorar\Desktop.ini	9b197649ab3143aee2fd5919790929e9.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\tbgw.ico	9b197649ab3143aee2fd5919790929e9.exe
File opened for modification	C:\Windows\tbgw.ico	9b197649ab3143aee2fd5919790929e9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1660	1540	9b197649ab3143aee2fd5919790929e9.exe	83
PID 1540 wrote to memory of 1660	1540	9b197649ab3143aee2fd5919790929e9.exe	83
PID 1540 wrote to memory of 1660	1540	9b197649ab3143aee2fd5919790929e9.exe	83
PID 1540 wrote to memory of 5048	1540	9b197649ab3143aee2fd5919790929e9.exe	86
PID 1540 wrote to memory of 5048	1540	9b197649ab3143aee2fd5919790929e9.exe	86
PID 1540 wrote to memory of 5048	1540	9b197649ab3143aee2fd5919790929e9.exe	86

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1660	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9b197649ab3143aee2fd5919790929e9.exe
"C:\Users\Admin\AppData\Local\Temp\9b197649ab3143aee2fd5919790929e9.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" "C:\Users\Public\Desktop\Internat Explorar" +s
  2⤵
  - Views/modifies file attributes
  PID:1660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\temp_tmp.bat" "
  2⤵
  PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso4316.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4316.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp_tmp.bat

Filesize
186B

MD5
201abfdc3aee3a5ee3aa56b1244b43fc

SHA1
93be220ecd25b5c9f4df2ac717651166e5712542

SHA256
b42ba85ac5fc32888197efca4553031fd79c39dcc26d8a8e7192924c176c9045

SHA512
46368cab07dbd1062edef235c341244135b67af8952cb7bf63f4671e032cd98e8ce962a1cec032feb6d7c99566d18bc688620a4c0f81662bca2bbe93f841695d

Download Submit
C:\Users\Public\Desktop\Internat Explorar\Desktop.ini

Filesize
75B

MD5
254a842845d5fe636a018ed64927573f

SHA1
405c601e91dbd53febdca03e5ccc1fd1b03107be

SHA256
bc4eaf790a990a2dbb8460775c257f603d2303a7ab282dd5f405264af202282c

SHA512
e817292fe07e880cd21e1cba72d4fec097fab51f21012a891bad6be6d43da8573a2ecc881a9c9c6a01dc421b55eb4734a79803899e51234ff4bd4c2a4a8a8acf

Download Submit
C:\Users\Public\Desktop\Internat Explorar\target.lnk

Filesize
1KB

MD5
e6ee6273a29ed6d693e40a491c02c1da

SHA1
de631fba6ff5fc4c57e037547684ae0d4cf67ac4

SHA256
c9d0d6025c2cd3d28d20d014c8bb8f58ec9f39bc76f064d59f5f74d6ac0cbb41

SHA512
1be0eb5d62f1c6c60584e1fbac939965a2282ac6120f3fb5da7067750d3b3880a1a540357fe21098352f16748f4a9c122112b6f58800e23e3f69fd10e13a8d97

Download Submit
C:\Users\Public\Desktop\ÌÔ ±¦ Íø ¹º.lnk

Filesize
1010B

MD5
0241624317d179d69afaf8bdd85e6603

SHA1
293e70e2d3ef82aeaafb1edf0f4811290c8e10e6

SHA256
3808e5ceae259f656b45361840daecff6c0e753a2e03cc490d7ce550ffb8b56f

SHA512
806b249b8dc3d6865b96b5a63f1e0b74e2b783a2d58151ceadf5d3b53f66da666300bbde1c8c48a6b26d8c0e98ed60f4b50429b9770b251a34e91082dc2e0aab

Download Submit

Analysis

Sharing