f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2

General

Target

f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe
Size

6.3MB
MD5

55a4e48f0b27008710e80d04e74d7eda
SHA1

3140f3dce43ab689d0b23bd775759bd71523018f
SHA256

f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2
SHA512

eaa7111efad16e29e9c40228ce4f504c2104b70fe420724fc3360e659603b9f84a214a2ad95013fd5c1e3e94d714f4697c8cca09271aa4bad3775b91047f3d94
SSDEEP

196608:QBLY8gsUxMSzrWqUkFxpOC1+hGAIaqS92k:Kad/WoHf4Gda/9t

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp

Executes dropped EXE 5 IoCs

pid	Process
1076	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp
1736	install_tool.exe
4736	install_tool.exe
2936	install_tool.exe
2896	card_code_check.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2936	install_tool.exe
2936	install_tool.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 1076	3732	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe	86
PID 3732 wrote to memory of 1076	3732	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe	86
PID 3732 wrote to memory of 1076	3732	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe	86
PID 1076 wrote to memory of 1736	1076	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	89
PID 1076 wrote to memory of 1736	1076	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	89
PID 1076 wrote to memory of 4736	1076	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	92
PID 1076 wrote to memory of 4736	1076	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	92
PID 4736 wrote to memory of 4284	4736	install_tool.exe	94
PID 4736 wrote to memory of 4284	4736	install_tool.exe	94
PID 4284 wrote to memory of 1524	4284	cmd.exe	95
PID 4284 wrote to memory of 1524	4284	cmd.exe	95
PID 1524 wrote to memory of 1948	1524	net.exe	96
PID 1524 wrote to memory of 1948	1524	net.exe	96
PID 1076 wrote to memory of 2936	1076	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	97
PID 1076 wrote to memory of 2936	1076	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	97
PID 1076 wrote to memory of 2896	1076	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	99
PID 1076 wrote to memory of 2896	1076	f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp	99

C:\Users\Admin\AppData\Local\Temp\f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe
"C:\Users\Admin\AppData\Local\Temp\f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Users\Admin\AppData\Local\Temp\is-UJ2N0.tmp\f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UJ2N0.tmp\f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp" /SL5="$5021C,5680488,797696,C:\Users\Admin\AppData\Local\Temp\f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\is-9767L.tmp\install_tool.exe
    "C:\Users\Admin\AppData\Local\Temp\is-9767L.tmp\install_tool.exe" 2 Steam\Steam.lnk C:\Users\Admin\AppData\Local\Temp\is-9767L.tmp\findpath.txt
    3⤵
    - Executes dropped EXE
    PID:1736
- - C:\Users\Admin\AppData\Local\Temp\is-9767L.tmp\install_tool.exe
    "C:\Users\Admin\AppData\Local\Temp\is-9767L.tmp\install_tool.exe" 4 steam_host
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop steam_host
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4284
    - - C:\Windows\system32\net.exe
        
        net stop steam_host
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop steam_host
        6⤵
        
        PID:1948
- - C:\Users\Admin\AppData\Local\Temp\is-9767L.tmp\install_tool.exe
    "C:\Users\Admin\AppData\Local\Temp\is-9767L.tmp\install_tool.exe" 3 WindowsUpdateBlocker.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2936
- - C:\Users\Admin\AppData\Local\Temp\is-9767L.tmp\card_code_check.exe
    "C:\Users\Admin\AppData\Local\Temp\is-9767L.tmp\card_code_check.exe" 0 0 0 3000 ZXCVNTAECERWYJGV
    3⤵
    - Executes dropped EXE
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-9767L.tmp\card_code_check.exe

Filesize
103KB

MD5
e599549b26145a23da8288b5dcb15723

SHA1
919858d333c51d4b3fc74c21457b0598793ed4db

SHA256
d2189ed466e0f6bd4c612694b7c56f19323f0a48c931ac5321335006c9dd5780

SHA512
dfb46c256c91443416a4436d04adbf89966ee7556345e85afbd41d69270dfa0cf6d7c6f79867e1847da977b68844060664293bf655b8c1d744f14067df802fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9767L.tmp\install_tool.exe

Filesize
138KB

MD5
009e852552e1d71fd3547afd2d34ceb0

SHA1
db252b1eac7e356972689c555ea51416be10b4ff

SHA256
7ab988c5636873d60ba082bbcbabcdd10a4399578f7328e16f4966a658f193ac

SHA512
aa509d6fd12a01a44e98aaa9fd77608b4c720bd9347104b4a19d0ee9e04da42da3b6994b84332f18798735dc0ccd48d5a350caf05fe5be4e5af0a06590059b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UJ2N0.tmp\f751ca4ed91ac0a42de399b63152e5f137be0284fc98c6962aed8a5431217dc2.tmp

Filesize
3.0MB

MD5
45dc976bf2b5db845f3a6c12f8aecd9d

SHA1
de467a57299197e07a07bf4c3921be3021bc0f35

SHA256
95901ea941b1e3ea67f371ccf39f9fbdf6268886babb63717a77a528f846d4b1

SHA512
03a233a14f434ce340b92347e8ebe6628dcb9ab495076f6879253fa1cb15bbf64aed3cab73457ad5238c7e22d87649dddbeeb748051fab4c09760d52b49fcf6b

Download Submit
memory/1076-6-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/1076-27-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/3732-1-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3732-29-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download

Analysis

Sharing